Securing Collaboration: How to Get ISO 27001-Ready

Concerned about potential data leaks? Watch our on-demand webinar “Preventing Data Leaks in Microsoft Teams (and Other Collaboration Systems)” for expert advice.


Read the other post in our Securing Collaboration series below:

ISO/IEC 27001 helps organizations prove that they have implemented best practices in their security and data protection programs. Although an ISO 27001 certification is not mandatory, working towards it can help you get ready to meet data governance requirements for your customers, partners, employees, and similar acts, laws, regulations, and standards. Most of these requirements share a common goal: the protection of information and assets.

The Microsoft 365 security center enables organizations to reduce security risks by providing them with the tools necessary to assess their current and historical security postures and to determine the appropriate set of actions to take to mitigate future risks. These tools consist of rich dashboards, reports, and interactive experiences like Microsoft Secure Score, each of which is designed to provide security administrators with the visibility, controls, and guidance they need to drive maximum security posture improvements.

ISO 27001 Standard Controls

ISO 27001:2013 details the requirements for an Information Security Management System, which is designed to help organizations implement a systematic and risk-based approach to ensure that information and systems are available to people who should have access and protected from people who shouldn’t. A fundamental part of this program is the implementation and standardization of risk assessments. Ideally, risk assessments should be part of Privacy and Security by Design or part of project management under ISO 27001 Annex 6.1.5 which reads, “Information Security shall be addressed in project management regardless of the type of the project.”

First, you should start and agree upon your risk assessment methodology. Tailor the rules of how to perform the risk management assessment and follow a standard that you can replicate across your organization (especially if you have a global presence). Don’t forget to define what your risk scoring mechanism (severity vs likelihood) and risk level threshold are.

iso 27001
AvePoint’s Enterprise Risk Management (ERM) system helps you automate Risks Analysis, associate recommendations and document appropriate Corrective and Preventive Actions (CAPA) once any non-conformities or other undesirable situations are identified from assessments.

Once you have defined the methodology, the next step is to apply it across all the assets your organization has. This is tricky as it also requires you to have an Asset Inventory in advance as ISO 27001 mandates in Annex A.8.1.1. In most cases, organizations may not know or fully understand the risks associated with each of the ISO controls. Some questions to help get you audit-ready are:

  • Is there an asset owner assigned to each asset?
  • Who maintains the asset inventory?
  • Is the asset inventory regularly reviewed?
  • What is the asset’s retention period?
  • What is the asset’s classification?
  • How often is the asset/information backed up?
The Inventory Manager allows organizations to centralize all of their assets (systems, services, processes, applications, etc.) into a single pane of glass and conduct automated Privacy, Risk, Security, and Data Protection Threshold and Impact Assessments with configurable calculators for risk-based decisions and controls.

With the Compliance Manager integration, Microsoft 365 compliance center provides you with visibility into your compliance posture against key regulations and standards like the GDPR, ISO 27001, NIST 800-53, and more on the homepage. You can then perform risk assessments, as we described above, to enhance your compliance and privacy controls.

If you’ve done the first two steps, by now you should’ve identified the gaps between the business expectations and actual situation of your information assets. Now it’s time to start planning your risk treatment/corrective and preventative action controls.

Applying security controls is one of your options to mitigate or minimize the risks, but you also have the option to:

  1. Transfer the risk to another party
  2. Avoid the risk by disabling the process or activity which is too risky (although the business may not be very happy about this)
  3. Accept the risk, which makes sense if the cost and effect of mitigating the risk is higher than the actual potential loss or damage. With the recent changes in data breach penalties such as the GDPR (up to 4% of global revenue or up to 20Mil euros), however, accepting the risk can be quite a questionable decision.

Annex 8.2.1 from ISO 27001 states that “Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”

The Microsoft 365 compliance center is a specialized workspace for compliance, privacy, and risk management professionals.

Many organizations have data classification policies that are theoretical rather than operational. In other words, there is a corporate policy that is unenforced or left to the “business users/data owners” to implement. To help you label data more accurately, the Microsoft 365 Label Analytics preview can enable you to analyze and validate how sensitivity and retention labels are being used beyond your Office 365 workloads.

However, the biggest challenge with information or data classification is finding the easiest, most efficient, and accurate way to achieve this goal. Positioning this task to employees can sometimes be both time-consuming and imprecise. The challenge presented by a business user-driven “trust” system is that it’s difficult to predict the appropriateness and level of data being properly tagged.

Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented, either deliberately or inadvertently? Who do you trust: user or machine?

In addition, not every employee is familiar with how to appropriately classify data. Data changes frequently, and it’s often hard to solely rely on untrained personnel to make sure classification is done according to your company information classification policy. It’s not that you shouldn’t trust your employees, but it’s better to monitor and control how information is used throughout the organization.

How do you protect personally identifiable information (PII) and sensitive information while reducing risk across the enterprise? Does your organization have processes in place to classify and protect data in all of your assets? The term “we have a firewall” is no longer valid when adopting cloud collaboration solutions.

Unintentional employee action is the most common cause of data breaches worldwide. In order to protect your assets, organizations need to classify what you have and, based on the value, apply appropriate security controls. Not everything needs to be protected, but understanding what information you have, where is it, who has access, who it’s shared with, what the retention period is, etc. is all part of a best practices data governance process.

AvePoint itself received ISO 27001 certification and has been able to meet many of the ISO 27001 requirements using our own Enterprise Risk Management (ERM) solution. We’ve been able to do things like:

  • Automatically apply data classification to data at rest and any newly-created document based on sensitivity, document/information type and retention period
  • Identify non-conformities in the Incident Management Center
  • Automate third-party vendor risk assessments
  • Evaluate security into contracts using Impact Assessments

ISO 27001

Scan results to provide insight into your greatest areas of vulnerability. Scan your content against internal or external regulations to identify privacy or security issues in files, file properties, or even attributes like headers and footers. Begin to tag and classify your data so you can more easily find, and react to at-risk or sensitive data.

If you’re just beginning your ISO 27001 certification journey or are performing your periodic ISO 27001 review and need a centralized solution to help you with automating some of the ISO requirements, consider AvePoint’s compliance solutions and feel free to contact us for more information.


Want to keep up with the series? Be sure to subscribe to our blog!

Previous articleCollaboration Guide: When to Use Microsoft Teams, Yammer and SharePoint
Next articleBoosting Office 365 Adoption: What You NEED to Know
Dana S.
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School. LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en Twitter: http://www.twitter.com/danalouise

LEAVE A REPLY

Please enter your comment!
Please enter your name here