How a landing zone helps your ISO 27001 compliance project

Please note that this post, first published over a year ago, may now be out of date.

Your customers are asking for audit certificates. The shareholders want evidence that the company takes information security seriously. Or the insurers are talking about raising premiums. Whatever your reason, your SaaS business is seriously considering getting compliant with ISO 27001, and you want to know how to manage the time and effort it’ll take.

I’m going to cover how you can leverage a number of key AWS services to short-cut your journey to getting ISO 27001 compliant.


Managing your AWS estate

A recurring requirement across security compliance frameworks is a clear separation of concerns. The theme runs through many areas of the standard: data protection, access control, secure software development and malware prevention, among others. Addressing this one theme can hugely simplify your policies and speed up your compliance efforts. Luckily AWS provides a good mechanism for it: multiple AWS accounts, with each account acting as a hard isolation boundary for identities, resources and blast radius.

If you are already using multiple accounts, you have probably consolidated your AWS bill so that you receive a single invoice each month with a breakdown of cost per environment or account. The same consolidation is possible for other aspects, such as security, networking, backup and disaster recovery. Achieving this is critical to making light work of your ISO 27001 project.

If you’re still working with a single AWS account, it’s only a matter of time before the need for multiple accounts arises. Laying the foundations for centralised management now will not only help with compliance, but also save you time and money in the long run.

The foundational services used to centrally manage multiple accounts are often referred to as a landing zone. The AWS-designed way to implement a landing zone is through a service called AWS Control Tower, which builds on AWS Organizations and enforces its preventive guardrails as service control policies (SCPs) applied to every member account.
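As an added example (not from the original post, and not the text of any AWS Control Tower guardrail), here is the kind of preventive guardrail a landing zone applies organisation-wide: a service control policy that stops every member account from switching off or tampering with the central CloudTrail trail, together with a small evaluator showing that the deny applies no matter what IAM permissions exist inside the account. The trail name `org-trail`, the exempt role `LandingZoneAutomation` and the account IDs are placeholders; the evaluator implements only the wildcard matching and the two condition operators this policy uses, not the full SCP evaluation logic.

```python
"""Added illustration: an SCP-style guardrail plus a minimal deny evaluator.

Not AWS Control Tower's own guardrail wording. Trail name, role name and
account IDs are placeholders chosen for this example.
"""
import fnmatch
import json

# Constructed SCP: member accounts may not stop, delete or reconfigure the
# organisation-wide trail. Only the landing zone's own automation role
# (placeholder name) is exempt, via the aws:PrincipalARN condition key.
LOGGING_GUARDRAIL = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectOrgCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/org-trail",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/LandingZoneAutomation"
        }
      }
    }
  ]
}
""")


def _match(pattern, value):
    """IAM-style wildcard match ('*' and '?'), case-insensitive.

    Accepts a single pattern or a list of patterns, as IAM does.
    """
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the Condition block; only ArnLike / ArnNotLike are supported here."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            actual = context.get(key, "")
            if operator == "ArnLike":
                if not _match(pattern, actual):
                    return False
            elif operator == "ArnNotLike":
                if _match(pattern, actual):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def scp_denies(policy, action, resource, principal_arn):
    """Return True if any Deny statement in the SCP matches the request.

    SCPs never grant permissions; they only filter what the account's own
    IAM policies can grant. An explicit Deny here wins even if the caller
    has AdministratorAccess inside the member account.
    """
    context = {"aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _match(stmt["Action"], action):
            continue
        if not _match(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-trail"
    dev = "arn:aws:iam::111111111111:role/Developer"            # placeholder
    lz = "arn:aws:iam::111111111111:role/LandingZoneAutomation"  # placeholder
    for who, act in [(dev, "cloudtrail:StopLogging"), (lz, "cloudtrail:StopLogging"),
                     (dev, "cloudtrail:DescribeTrails")]:
        verdict = "DENIED" if scp_denies(LOGGING_GUARDRAIL, act, trail, who) else "not blocked by SCP"
        print(f"{who.rsplit('/', 1)[1]:22} {act:30} {verdict}")
```

The point for an audit is that the control lives in one place (the organisation) rather than in each account's IAM configuration, so evidence that logging cannot be disabled is a single policy attachment rather than a per-account review.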

Safeguarding information

The ISO 27000 series of standards is high level: the standards describe the approach to take and the safeguarding outcomes you need to achieve, not the specific technology to use. It’s done this way so that any business can comply, whether you’re in manufacturing, retail, finance or software.

These safeguards are referred to as controls. The 2022 edition of ISO 27002 (part of the ISO 27000 series) defines 93 controls, grouped into four themes: organisational, people, physical and technological.

Although every SaaS business is different, it’s likely that around 40 controls will relate directly to your AWS estate. Implementing a landing zone can address over half of those, which will get you 20% of the way to your ISO certification quickly.

Without a landing zone

It’s possible to achieve the same level of control without implementing a landing zone. This would involve your engineering team developing a bespoke solution for each control, effectively reinventing the wheel instead of adopting off-the-shelf AWS services that are ready to use.

We have seen a handful of cases across the hundreds of organisations that we’ve worked with where developing your own solution makes sense. These cases tend to involve large organisations with complex multi-cloud strategies, thousands of staff, and where the pay-off would be worth the significant investment required.

On AWS, the best way to accelerate your ISO 27001 compliance is to adopt a multi-account strategy under the umbrella of a landing zone. Building that gets you around 20% of the way towards the security measures you need to pass an ISO 27001 audit. It’s far quicker and cheaper than designing and making your own. This will help you focus on the other, organisation specific controls that are hard to delegate.

Are you ready for ISO 27001? Do you have an effective information security management system that delivers the right technical controls in your AWS environment?

Our whitepaper looks at the tasks involved and makes some recommendations. Or for a quick expert check and report of your infrastructure against the reference controls of ISO 27002, see our AWS Readiness Assessment.

Book your assessment now or book a free chat with us to discuss this further.

This blog is written exclusively by The Scale Factory team. We do not accept external contributions.
