Category: Technical Issues

ISO27001 Information Security

ISO 27001, also known as IEC 27001 is an information security standard and is published by the International Organization for Standardization  and the International Electrotechnical Commission.

Most organizations have some information security controls, but these may not be sufficiently comprehensive in their coverage. An information security management system (ISMS) can remedy this situation.

It specifies a management system and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

ISO 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis

The ISO 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process.

Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability and Risk Treatment Plan. This stage serves to familiarize the auditors with the organization and vice versa.

Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/ 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/ 27001.

Stage 3 is Ongoing and involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

For detailed information on ISO 27001 refer to https://www.itgovernance.co.uk/iso27001

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

Stop Remote Desktop Access

Remote desktop / remote control desktop / remote desktop protocol means to take control of one computer from another one.

This can be very useful if say you need to work at home but access some services from your workplace or files off your work computer etc.  It’s also used extensively by IT support staff.

Within a company network it can be safe but if you open your firewall to allow remote access through the firewall then this can be a problem.

Microsoft’s implementation of remote access has vulnerabilities that the hackers know about and they scan IP addresses looking for anyone that has left that door in their firewall available (typically RDP is on TCP port 3389).

Security experts believe that this vulnerability is extensively used by ransomware spreaders who can then bypass the password check and gain access to your systems.

If you use remote access through your firewall – make sure you’re safe or turn it off permanently.

Can There Be Safe Remote Access?

This depends on exactly what you want to achieve but the general advice from many security experts is to use a Virtual Private Network or just don’t allow remote access from outside of your firewall.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature