Implementing zero trust with ISO 27001

Organizations have a problem with the value of information. Like all commodities, it’s only valuable if the person who has it can do something useful with it.

Unfortunately, personal and sensitive information is useful for organizations and cyber criminals alike but in different ways.

It’s essential for organizations to invest in cybersecurity defenses to ensure that the information retains its legitimate value – the reason it was collected – rather than being abused by scammers.

But what happens when you need to share your data with a third party that isn’t so vigilant?

That’s a problem many organizations have faced. Indeed, some of the largest breaches have resulted from weak security practices at a supplier or partner rather than at the organization that collected the data.

The likes of Target, Quest Diagnostics, Marriott Hotels, and Choice Hotels all suffered highly publicized breaches because vendors didn’t hold up their end of the bargain.

It’s easy to blame third parties for data breaches, but that doesn’t necessarily get you off the hook.

The data controller – Target, Marriott, etc. – remains responsible for the data it collects even when a third-party processor handles that data on its behalf, and will face reputational damage at the very least. It might also face regulatory or legal penalties.

This goes to show that data breaches rarely have one clear guilty party. Cybersecurity is a huge, complex field, and attackers routinely chain weaknesses: a foothold gained through one vulnerability (a supplier’s credentials, say) is used to reach another part of the system.

Trust no one

One of the few effective ways of dealing with this problem is zero trust. This is an approach to cybersecurity that assumes no user, device or connection is trusted by default, whether it originates inside or outside the network. Every request to access an information resource must be verified, regardless of where it comes from.

Designing a security system based on the premise that attacks can come from both outside and within the network is far more accurate than limiting your defenses to the perimeters.

Cyber criminals often find a way in and then move laterally from the first compromised host to more valuable systems. Malicious insiders are already within the network. Then there are all those personal devices that employees connect without much thought to security.

A zero trust architecture relies on techniques such as micro-segmentation, least-privilege access, and multifactor authentication. But most of all, it requires a method to manage and enforce them consistently.

ISO 27001, the international standard that describes best practices for an ISMS (information security management system), is well suited to this because it is technology-neutral: it provides the governance framework around whatever technical controls you choose. In practice, zero trust typically involves monitoring all network communications, avoiding default configurations, maintaining an inventory of every device, and enforcing multifactor authentication.
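To make the “verify every request” principle concrete, here is an added illustration (not code from the original article, and not any vendor’s product) of a policy decision point that evaluates the same access requests under the old perimeter model and under zero trust. The identity provider key, segment policy, device inventory and the five sample requests are all constructed for the example; the token format is a simple HMAC sketch standing in for a real IdP session.

```python
"""Perimeter trust vs zero trust: a policy-decision-point sketch (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hashlib
import hmac

CORP_LAN = ip_network("10.0.0.0/8")           # the "inside" a perimeter model trusts
IDP_KEY = b"example-idp-signing-key"          # hypothetical key shared with the IdP

# Micro-segmentation policy (constructed): who may reach each segment and with
# what assurance. Anything not listed is denied by default.
SEGMENT_POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "managed_device": True},
    "wiki": {"roles": {"finance", "engineering", "contractor"}, "mfa": False, "managed_device": False},
}
# Device inventory (constructed): "tracking all devices" means we know who owns what.
MANAGED_DEVICES = {"lt-0042": "alice", "lt-0077": "bob"}


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    src_ip: str
    resource: str
    token: str | None      # IdP session token, or None if the caller has none
    mfa_verified: bool     # did the IdP record a second factor for this session?
    device_id: str | None  # device presenting the request, if known


def mint_token(user: str, expires_at: int) -> str:
    """Simulated IdP: HMAC-signed token binding a user to an expiry timestamp."""
    payload = f"{user}|{expires_at}"
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str | None, now: int) -> str | None:
    """Return the user bound to a valid, unexpired token; None for anything else."""
    if not token:
        return None
    try:
        user, expires_at, sig = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or int(expires_at) <= now:
        return None
    return user


def perimeter_decision(req: AccessRequest) -> tuple[bool, str]:
    """The model zero trust replaces: anything already on the LAN is trusted."""
    if ip_address(req.src_ip) in CORP_LAN:
        return True, "source is inside the perimeter"
    return False, "source is outside the perimeter"


def zero_trust_decision(req: AccessRequest, now: int) -> tuple[bool, str]:
    """Verify identity, device and segment policy on every request; the source
    network is deliberately never consulted."""
    policy = SEGMENT_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    user = verify_token(req.token, now)
    if user is None or user != req.user:
        return False, "no valid session token for the claimed identity"
    if not policy["roles"] & req.roles:
        return False, "role not permitted for this segment (least privilege)"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required for this segment"
    if policy["managed_device"] and MANAGED_DEVICES.get(req.device_id) != user:
        return False, "segment requires a managed device enrolled to the user"
    return True, "identity, device and segment policy all verified"


def evaluate(requests: list[AccessRequest], now: int) -> list[tuple[bool, bool]]:
    """Run both models side by side; returns (perimeter_allow, zero_trust_allow) per request."""
    return [(perimeter_decision(r)[0], zero_trust_decision(r, now)[0]) for r in requests]


NOW = 1_700_000_000
SAMPLE_REQUESTS = [  # constructed sample traffic
    # Finance user with MFA on her managed laptop, working from home.
    AccessRequest("alice", frozenset({"finance"}), "203.0.113.10", "payroll-db",
                  mint_token("alice", NOW + 3600), True, "lt-0042"),
    # Compromised internal host moving laterally with no session at all.
    AccessRequest("alice", frozenset({"finance"}), "10.20.30.40", "payroll-db", None, False, None),
    # Engineer on the LAN with a valid session but no business need for payroll.
    AccessRequest("bob", frozenset({"engineering"}), "10.1.1.5", "payroll-db",
                  mint_token("bob", NOW + 3600), True, "lt-0077"),
    # Same engineer reaching a low-sensitivity segment.
    AccessRequest("bob", frozenset({"engineering"}), "10.1.1.5", "wiki",
                  mint_token("bob", NOW + 3600), False, "lt-0077"),
    # Expired token presented from inside the LAN.
    AccessRequest("bob", frozenset({"engineering"}), "10.1.1.5", "wiki",
                  mint_token("bob", NOW - 1), False, "lt-0077"),
]

if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, NOW)):
        print(f"{req.user:6} {req.src_ip:13} {req.resource:11} "
              f"perimeter={'allow' if perim else 'deny':5}  zero_trust={'allow' if zt else 'deny'}")
```

Run it and the contrast is the whole argument of this section: the perimeter model allows the lateral-movement request, the over-privileged engineer and the expired session simply because they come from 10.0.0.0/8, and blocks the legitimate remote worker; the zero trust decision reverses every one of those outcomes. Note that the zero trust path never reads the source address at all.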

How ISO 27001 fits in

With ISO 27001, the organization can consider these controls and others. Annex A controls such as segregation of duties, a mobile device policy, acceptable use policies, management of removable media, access control, and network segregation must all be considered.

But ISO 27001 does not mandate specific technical controls, nor does it limit you to the ones in Annex A. Controls, including any deemed necessary for a zero trust environment, are selected on the basis of a risk assessment and recorded in the Statement of Applicability.

The Standard does, however, require something that is absolutely necessary for zero trust to work: enforcement. To create a culture of continuous verification, ISO 27001 requires management commitment, communication, training, monitoring and measurement, and internal audit.

The threat landscape is changing. Hacking tools are not just for nation states like Russia, Iran, or North Korea. Sophisticated tools are available for sale.

State-owned companies in Vietnam are stealing intellectual property to jump-start local businesses with cheaper labor. The Internet of Things poses different challenges: every appliance that gets connected to a network becomes part of the attack surface.

It’s neither sufficient just to build strong boundaries nor to assume that the latest AI program will do the heavy lifting. Cybersecurity is an issue for everyone and unless managed properly with a culture of security, it will, sadly, fail.

ISO 27001 compliance starts with knowledge. Enable your staff to understand and comply with the Standard with our range of online ISO 27001 training courses.
