ISO 27001 focuses on establishing, implementing, maintaining, and improving an information security management system (ISMS). It is the best-known compliance standard within the ISO/IEC 27000 family of standards, which covers the overall security of information assets. By maintaining compliance with ISO 27001 controls, an organization of any size in any business sector can help protect digital information such as intellectual property, financial information, employee details, and more.
ISO 27001 Compliance
ISO 27001 is divided into two different sets of clauses that promote information asset security:
- Clauses 1-10 broadly focus on creation and implementation of an information security management system.
- Annex A contains 114 controls specifically concerning application of a risk management process.
To be ISO 27001 compliant, an organization should address clauses 1-10 in addition to applicable Annex A controls. These controls are determined through Clause 6.1.2, which requires an organization to perform a risk assessment, and Clause 6.1.3, which mandates applying the necessary Annex A controls to treat the identified risks.
For example, Annex A control A.17.1.2 concerns "Implementing information security continuity," which organizations using AWS RDS can address by requiring RDS instances to have multiple subnets.
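As an added illustration of the A.17.1.2 check described above (not code from the original page), the following Python evaluates RDS instance descriptions shaped like boto3's `describe_db_instances` output and flags any instance whose DB subnet group does not span more than one subnet and more than one Availability Zone. The sample instances are constructed, and `fetch_db_instances` is an assumed helper for running the same check against a live account.

```python
"""Continuity check for RDS instances (ISO 27001 Annex A control A.17.1.2).

An instance whose DB subnet group covers a single subnet (or a single AZ)
has nowhere to fail over to, so it is flagged as non-compliant.
"""
from typing import Dict, List


def evaluate_rds_continuity(db_instances: List[Dict]) -> List[Dict]:
    """Return one finding per instance in the describe_db_instances shape."""
    findings = []
    for inst in db_instances:
        subnets = inst.get("DBSubnetGroup", {}).get("Subnets", [])
        # Only active subnets count; a subnet in another state cannot host a failover.
        zones = {s["SubnetAvailabilityZone"]["Name"] for s in subnets
                 if s.get("SubnetStatus", "Active") == "Active"}
        findings.append({
            "instance": inst["DBInstanceIdentifier"],
            "subnet_count": len(subnets),
            "az_count": len(zones),
            "multi_az_enabled": bool(inst.get("MultiAZ", False)),
            # Compliant only when the group spans several subnets in several AZs.
            "compliant": len(subnets) > 1 and len(zones) > 1,
        })
    return findings


def fetch_db_instances(rds_client) -> List[Dict]:
    """Assumed live helper: page through describe_db_instances on a boto3 RDS client."""
    instances = []
    for page in rds_client.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return instances


def _subnet(subnet_id: str, az: str) -> Dict:
    return {"SubnetIdentifier": subnet_id,
            "SubnetAvailabilityZone": {"Name": az}, "SubnetStatus": "Active"}


# Constructed sample input (not real AWS data), shaped like describe_db_instances output.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "MultiAZ": True, "DBSubnetGroup": {"Subnets": [
        _subnet("subnet-aaa111", "us-east-1a"), _subnet("subnet-bbb222", "us-east-1b")]}},
    {"DBInstanceIdentifier": "legacy-db", "MultiAZ": False, "DBSubnetGroup": {"Subnets": [
        _subnet("subnet-ccc333", "us-east-1a")]}},
    {"DBInstanceIdentifier": "same-az-db", "MultiAZ": False, "DBSubnetGroup": {"Subnets": [
        _subnet("subnet-ddd444", "us-east-1c"), _subnet("subnet-eee555", "us-east-1c")]}},
]

if __name__ == "__main__":
    for finding in evaluate_rds_continuity(SAMPLE_DB_INSTANCES):
        print(finding)
```

The third sample shows the edge case the subnet count alone would miss: two subnets in the same Availability Zone still leave the instance without cross-zone continuity.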
While it's important to review all ISO 27001 clauses and controls for overall compliance, the following Annex A controls are the most relevant for organizations in the cloud.
A.6 Organization of information security
A.8 Asset management
A.9 Access control
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.17 Information security aspects of business continuity management