ISO 27001 Compliance: How to Prepare Your SaaS

To keep pace with emerging threats, many SaaS owners have adopted the leading information security standard, ISO 27001. Many companies, though, are still weighing certification, so we have written this article to clarify:
  • Why a SaaS should comply with ISO 27001
  • What ISO 27001 is and what it covers
  • What benefits ISO 27001 compliance brings to a SaaS
  • How to prepare for ISO 27001 audits and certification
  • How Romexsoft can help a SaaS become ISO compliant.

Today most SaaS users are concerned about the security of the sensitive and personal data they hand over when using an online service. The safety of that data has become one of the main criteria for choosing a SaaS solution and its provider.

SaaS providers, in turn, prioritize security and aim to deliver services that satisfy the strictest data protection needs. If you want to justify the trust your customers place in you and gain a competitive advantage, compliance with a recognized security standard is the way to demonstrate it.

As a worldwide-recognized framework, the international standard for information security management systems, ISO/IEC 27001, is the most widely accepted evidence that you follow sound security practices, and it benefits your company both financially and reputationally.

Why SaaS needs compliance

Awareness of how much security matters, especially when a business moves into a large cloud environment, makes prospective SaaS customers careful about whom they entrust their sensitive data to. SaaS providers therefore prioritize security when they choose to comply with a standard, because compliance brings:

Security risk management
No provider can guarantee a foolproof application, but the risk of something going wrong is substantially reduced by following an internationally recognized standard. Certification confirms that the security criteria applied to your application and operations have been reviewed and verified by an accredited independent body.

Legal regulation compliance
A SaaS provider must comply with the laws that govern where its service is offered and how customer and personal data are collected and processed; overlooking such requirements brings monetary and reputational penalties. ISO 27001 requires you to identify the legal, regulatory and contractual requirements that apply to you and to address them in the ISMS.

Optimal approaches and practices
Striving to deliver the best possible service, you will value access to commonly accepted practices. To customers and competitors alike, certified compliance signals that your company follows the industry's established approaches.

Enhanced public image
In a highly competitive environment, an impartial accredited body certifying your security posture strengthens your standing. The investment pays for itself in the trust it conveys to prospective customers.

What ISO 27001 is and how it works

ISO/IEC 27001 goes by the full name Information technology — Security techniques — Information security management systems — Requirements (the title used by the 2013 edition). Developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it is part of the ISO/IEC 27000 family of standards, within which 27001 specifies the requirements for an information security management system (ISMS).

ISO 27001 helps protect intellectual property, financial information and data entrusted by third parties along three fundamental properties:

  • Confidentiality: only authorized persons can access information;
  • Integrity: information can be changed only by authorized persons and in authorized ways, so it stays accurate and complete;
  • Availability: information is accessible to authorized persons whenever they need it.

Certification to ISO/IEC 27001 is not mandatory: you can follow the standard purely for its practices or for the credibility it brings with customers. If you do opt for certification, an accredited certification body performs a two-stage audit. Stage 1 reviews your ISMS documentation and readiness; Stage 2 verifies that the controls you selected are implemented and operating as your policies describe.

Disaster recovery (DR) capability is also part of ISO compliance, besides being vital to the security of any organization: availability is one of the three properties the ISMS protects, and Annex A contains controls on information security continuity and redundancy. DR refers to a system's ability to return to a fully functional and accessible state after a harmful event.

Organizations use DR methods to regain availability of critical infrastructure after an incident. Companies with robust security prepare for disasters by analyzing their environments and then drafting a Disaster Recovery Plan: a document that dictates the procedures to follow in an emergency.

How ISO 27001 works

With ISO 27001, protection of the three properties above (confidentiality, integrity and availability of data within an organization) is carried out through two risk management stages: risk assessment, in which risks are identified, analyzed and evaluated, and risk treatment, in which each risk is mitigated by implementing controls, avoided, shared (for example through insurance or a supplier contract), or accepted as residual risk with management's approval.

ISO Framework

Structurally, ISO 27001 has two parts. The first consists of 11 clauses (0 to 10): the Introduction, Scope, Normative references and Terms and definitions (clauses 0 to 3) set the stage, and clauses 4 to 10 (Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement) contain the mandatory ISMS requirements. The second part, Annex A, supports those requirements with a catalogue of controls to apply during risk treatment: 114 controls in 14 domains in the 2013 edition, consolidated into 93 controls in four themes in the 2022 revision. Annex A is a reference list rather than a checklist: you select the controls that match your risk assessment and justify inclusions and exclusions in a Statement of Applicability.

ISO 27001 for SaaS: benefits and leverages

Reputation
ISO 27001 is a clear plus to your credibility with customers who rely on internationally recognized expectations for a security management system. Adhering to the standard helps keep your system, business, personal and customer data out of the hands of unauthorized persons. A customer data breach is a major reputational threat to any company and can be fatal to an enterprise. ISO/IEC 27001 is not only the most recognized and dependable standard; its controls also overlap substantially with what a SOC 2 audit examines, so much of the evidence can serve both.

Operational maturity
As your SaaS company evolves and expands, scaling your security practices on your own becomes hard. In that case you will benefit from the structured management approach the standard codifies, drawn from the experience of many established organizations.

Competitive advantage
Though some markets impose legal or contractual requirements for security certification, for the most part it is optional and a potential competitive edge, with increased demand and revenue growth as a result. As the number of SaaS providers grows daily, the way to stand out is to show prospective customers that information security is your priority, for the following reasons:

  • ISO 27001 compliance is a strong argument in favor of a SaaS vendor, since the standard requires a systematic, risk-based security management system
  • Certified SaaS companies handle customer data according to the principles of confidentiality, integrity and availability
  • The risk treatment and continuity controls established by the standard reduce the likelihood and impact of service interruption when incidents occur
  • The standard requires certified companies to identify and meet the legal, regulatory and contractual requirements that apply to them, which reduces the legal risk they pass on to customers.

Preparing SaaS for ISO 27001 compliance: key stages and actions

As a SaaS provider, you can adhere to the ISO 27001 requirements without going through formal certification. Alternatively, once you meet the standard's requirements, you can engage an independent accredited certification body to audit your ISMS and issue a certificate if you are fully compliant. Once gained, that status has to be maintained continually.

Applying ISO 27001 calls for managing information security in a more formal, documented way. Your company will have to implement the requirements for processing and storing data, introduce security policies that state your principles and the internal procedures that follow from them, and produce evidence of compliance on a regular basis.

The key stages of thorough preparation for ISO compliance are described below.

Software assets inventory and management

Since most of your information lives in SaaS platforms, your data handling will be analyzed, audited and documented across all of those assets. The goal is to make sure no company or customer data is left unprotected and that you actually comply with the security requirements.

On the way to certification, compile an exhaustive asset register that covers not only the data you access, process or store, but also your organization's hardware, software, paper records and office infrastructure. Different SaaS products within your company may be exposed to different types of data and therefore have different security needs; these must be established and documented as well.

A smooth first step toward certification demands a register that stays accurate as you scale, which is impossible without proper management of your SaaS estate: an owner for the register, and a process that updates it whenever an asset is added or retired.

Defining ISMS scope

As a SaaS provider, you are accountable for all the data your customers entrust to you, regardless of where it is stored and by whom it is processed or accessed. With this in mind, you decide which data need protection, and that decision defines the scope of your ISMS (information security management system).

Even if you choose not to pursue certification, defining the scope gives you a deeper understanding of your organization's environment and of how you handle widely recognized security requirements, especially around the most sensitive information. It is a crucial step if you do pursue certification, since the independent auditor inspects the elements of the ISMS included in the scope. Your ISMS scope also needs to be defined and stated before any other security documents are drafted.

According to ISO 27001, when defining the scope you should:

  • Consider the internal and external issues defined in clause 4.1 of ISO/IEC 27001;
  • Regard the requirements defined in clause 4.2 of ISO/IEC 27001 (Understanding the needs and expectations of interested parties);
  • Take into account interfaces and dependencies between the ISMS scope and the outside world.

If you are going for the audit, it is also sensible to document the physical locations of your premises and your organizational units.

Preparing DevOps environment

Security controls

Compliance demonstrated at the initial audit can be hard to maintain as the company scales: continuous deployments by DevOps teams may seem at odds with the compliance team's need for controlled change. It is much easier when DevOps teams implement the security controls as automation, because automated controls also make production more secure.

Many SaaS companies also work with ISO auditors to design security controls that support their deployment requirements, and upgrade their security policies accordingly. Working with a cloud platform like Amazon Web Services (AWS) helps manage security controls too, thanks to the shared responsibility model: AWS is accountable for security of the cloud (the hardware, software, networking and facilities that run its services), while the customer is responsible for security in the cloud (data, identities, configuration and everything deployed on the platform).

AWS is itself ISO 27001 certified and offers services that help SaaS providers meet ISO 27001 requirements by implementing security controls. Those cloud-native controls in turn allow DevOps teams to deploy more efficiently and more securely. Note that AWS's certificate covers AWS's own scope only: your ISMS, and the way you configure and operate your workloads on AWS, are audited separately.

Fraud risks reduction

Software development teams focused purely on producing code, without additional controls or checks, frequently fail to meet separation of duties (SoD) requirements. SoD is a vital step toward ISO 27001 compliance and reduces insider threats and fraud risks.

To comply with ISO 27001, a company separates its development, testing and production environments. How staff are assigned within and across those environments is not prescribed by the standard, which lets organizations manage workflows in the way that suits them, granting access to the specialists who need it in each environment. Granular access controls are what make such deliberate distribution of duties and environment access enforceable, so that your company is protected from the inside as well.

Automation of the SDLC audit process

Although cloud platforms open up many profitable possibilities for a business, they come with liabilities of their own. The threat exposure of a cloud environment need not hinder efficient operation, provided you avoid financial and trust losses by paying attention to compliance.

Continuous monitoring of your systems is a reasonable security demand, however cumbersome it may be. It is especially acute for companies with many servers in a virtualized cloud environment, where compliance lapses are easy to miss. On top of that, some providers hesitate to pursue ISO 27001 because they expect staying compliant to interfere with their finely tuned DevOps delivery schedules.

These concerns are largely unfounded, because automation is what lets you maintain both delivery pace and security posture. Automation can monitor and audit who accessed which information and which commands were executed in development and production environments. When automated audits are built into the software development lifecycle (SDLC) and the continuous integration/continuous delivery (CI/CD) pipeline, workflows keep their pace while compliance evidence is produced as a by-product.
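As an added illustration of such an automated audit (example code written for this article, not Romexsoft's or AWS's own tooling), the script below runs three checks over audit-log events: root account usage, console logins without MFA, and state-changing API calls in the production account made by anything other than the CI/CD deploy role. The event shape follows AWS CloudTrail record fields (eventName, userIdentity.type, userIdentity.arn, recipientAccountId, additionalEventData.MFAUsed), but the events, the account ID and the DeployRole naming convention are constructed for the example.

```python
"""Automated audit of CloudTrail-style events for ISO 27001 logging and access controls.

Added example, not code from the original article. The event shape follows
AWS CloudTrail record fields; the events, the account ID and the DeployRole
naming convention are constructed for this illustration.
"""
import json
from typing import Optional

# Constructed account layout (assumption): this is the production account, and
# the only identity allowed to change it is the DeployRole assumed by CI/CD.
PROD_ACCOUNT = "111111111111"
DEPLOY_ROLE = "DeployRole"

# API calls that change state; read-only calls (Get*, List*, Describe*) are not audited here.
MUTATING_PREFIXES = ("Create", "Update", "Delete", "Put", "Modify", "Attach", "Detach")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [json.loads(e) for e in [
    '{"eventID":"e1","eventName":"ConsoleLogin","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"},'
    '"additionalEventData":{"MFAUsed":"Yes"}}',
    '{"eventID":"e2","eventName":"ConsoleLogin","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::111111111111:root"},'
    '"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventID":"e3","eventName":"UpdateFunctionCode","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::111111111111:assumed-role/DeployRole/ci-run-42"}}',
    '{"eventID":"e4","eventName":"UpdateFunctionCode","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"}}',
    '{"eventID":"e5","eventName":"GetFunction","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"}}',
]]


def assumed_role_name(arn: str) -> Optional[str]:
    """Extract the role name from an STS assumed-role ARN; None for any other ARN."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def audit_event(event: dict) -> list:
    """Return the names of the rules this event violates (empty list if clean)."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")
    # Rule 1: the root user must not be used for day-to-day activity.
    if identity.get("type") == "Root":
        findings.append("root-account-used")
    # Rule 2: console logins must use MFA.
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console-login-without-mfa")
    # Rule 3: state changes in production only through the deploy role
    # (separation of environments: developers change prod via the pipeline, never directly).
    if (event.get("recipientAccountId") == PROD_ACCOUNT
            and name.startswith(MUTATING_PREFIXES)
            and assumed_role_name(identity.get("arn", "")) != DEPLOY_ROLE):
        findings.append("prod-change-outside-deploy-role")
    return findings


def audit(events: list) -> dict:
    """Map eventID -> findings for every event that has at least one finding."""
    result = {}
    for event in events:
        findings = audit_event(event)
        if findings:
            result[event["eventID"]] = findings
    return result


if __name__ == "__main__":
    for event_id, rules in audit(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

Run as a scheduled job over the previous day's log export, the findings become the evidence an auditor asks for: a record that access is monitored and that exceptions are reviewed. Rule 3 deliberately ignores read-only calls so that engineers can still inspect production without generating noise.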

Maintenance of the compliance

ISO 27001 certification is not a one-time deal that settles your financial and reputational ambitions once and for all. It is an ongoing project: a certificate is valid for three years, during which the certification body performs surveillance audits (normally once a year) to confirm that the ISMS is still operating. At the end of the three years, companies that wish to stay certified undergo a recertification audit.

As we can see, ISO 27001 is a long-term strategy that sets the overall direction of your growth as a company, all the more so because it calls for a well-established, centrally coordinated system with mature management processes. One way to achieve this is to form a "task force" of stakeholders from across the organization who meet regularly with a set list of issues to revisit and updates to consider.

How Romexsoft can help SaaS become/stay ISO compliant

If you are interested in obtaining or maintaining ISO 27001 certification, consider the services Romexsoft offers to those aiming at ISO compliance. Below we explain how our experience and expertise can simplify and speed up the painstaking process of certification.

Disaster recovery plan

Key business processes have data center and information systems infrastructure at their core. If a disruption occurs, the company had better be prepared to recover essential information promptly so that vital business processes continue. Even the consequences of unprecedented events can be mitigated if a Disaster Recovery Plan has been developed.

The purpose of the Plan is to define and describe a recovery strategy for a company's key IT services after a harmful incident. Its practical value lies in restoring the IT infrastructure within the established recovery time objective (RTO), the maximum acceptable time until service is restored, and recovery point objective (RPO), the maximum acceptable data loss expressed as the time span before the incident whose data may be lost. The means of achieving this vary, but typically the Plan consists of step-by-step instructions for the technical actions that restore service after an outage or security incident.

Disaster recovery exercise

Having a backup plan, in our case a Disaster Recovery Plan, is good; being confident that it will work at the most critical moment is better. A written plan alone rarely guarantees anything. We suggest regularly practicing the Plan in disaster recovery exercises.

A Disaster Recovery Exercise makes sure the Plan is applicable and functional at any given point of your business's operation. It is also the way to test the recovery time objective (RTO) and recovery point objective (RPO) set in the plan: after the exercise you know how long it actually takes to restore vital processes after a compromise or outage, and how much data the restore loses, so you can compare both figures with the objectives and fix the gaps.

A full-scale run-through is acknowledged as the most beneficial exercise in the long term, though it causes procedural and financial inconvenience because of the business downtime it requires. The most realistic outage, covering all processes, backup systems and workarounds, is what is needed to check how effective the Plan is and thus to prepare for the incidents that may come your way. Complicated and costly as a full-scale run-through may seem, it is an effective precaution best carried out at least annually, with smaller exercises (restoring a single system, a tabletop walk-through) in the interim.

Network segregation

Among the control domains of ISO 27001's Annex A is network security management, whose objective is to protect information in networks and the information processing facilities that support them.

Straightforward, uncomplicated network management is appealing, but it tends to produce a flat network in which every device can reach every other, so performance suffers and a single error or compromised host can bring the whole system down. A more sensible way to manage network security is network segregation, also known as network segmentation: splitting a network into segments, or subnetworks.

A device, process or system that separates network zones to isolate assets is a segmentation control. Examples are internal firewalls (which filter traffic between network segments) and access control lists, or ACLs (ordered rules that permit or deny traffic by source, destination, protocol and port).

Network segmentation enables you to:

  • improve performance: the fewer hosts per subnetwork, the less broadcast traffic, and the more bandwidth is left for data;
  • strengthen security: the less traffic crosses segment boundaries, the harder it is for an attacker on one segment to map the rest of the network, and the less likely failures are to spread across segments;
  • implement least privilege: the stronger the segmentation, the easier it is to control access to sensitive data and critical systems, especially when a user's credentials have been compromised;
  • reduce damage from attacks: the better the segmentation, the sooner you can localize and contain a breach and cut off the attacker's access, and the less damage is done to your systems.

DMZ as a part of network segmentation

Services with external access are likely targets for attack, so they are placed behind firewalls in a separate network segment: a demilitarized zone (DMZ), a perimeter subnet between the external firewall and the internal network. A DMZ isolates the public-facing services from the private network: external users can reach only the services published in the DMZ, and the DMZ hosts can reach only the specific internal services they need.

A common example is how a company's private network or LAN reaches untrusted Internet resources while exposing its own public services: the DMZ acts as a buffer that protects the internal network by limiting what can be reached from outside.

Organizations benefit from DMZs because they:

  • permit access control. The public Internet lets a business deliver services to its customers from outside the organization's internal network. Network segmentation, and a DMZ in particular, makes that exposure safe. One use of the zone is to block unauthorized outside access to the local network, for example with a firewall; another is to centralize the traffic flow so it is easier to monitor and control, for example with a proxy server.

  • hinder network reconnaissance. As an additional layer between the outside and the organization's LAN, a DMZ also frustrates an attacker's reconnaissance aimed at finding vulnerable hosts and sensitive data. Services in the DMZ are publicly exposed, but the internal firewall isolates the DMZ from the private network, so that even a compromised DMZ host reveals little about the internal network.

  • block Internet Protocol (IP) spoofing. In IP address spoofing an attacker forges packets with a trusted source address to get them accepted by the network. The firewalls around a DMZ enforce anti-spoofing (ingress filtering) rules: a packet arriving on the external interface with an internal source address, or on an internal interface with a source address that does not belong there, is dropped. The DMZ also separates the traffic flow so that external services are reached without touching the LAN.
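To make the segmentation controls and the anti-spoofing rule above concrete, here is an added example (written for this article, not Romexsoft's code or any firewall product's rule syntax): a small zone-based packet filter with an Internet, a DMZ and an internal zone, a default-deny allow list between zones, and the ingress check that drops packets whose source address does not belong to the interface they arrived on. The address plan, interface names, allowed flows and sample packets are all constructed for the illustration.

```python
"""Zone-based packet filter with a DMZ and anti-spoofing (ingress filtering).

Added example, not code from the original article. Zone address ranges,
interface names, the allow list and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): public web tier in the DMZ,
# databases and staff in the internal zone, everything else is the Internet.
ZONES = {
    "dmz": ip_network("10.10.0.0/24"),
    "internal": ip_network("10.20.0.0/16"),
}

# Which zone each firewall interface faces. A packet's source address must
# belong to the zone of the interface it arrived on, otherwise it is spoofed.
IFACE_ZONE = {"external": "internet", "dmz": "dmz", "internal": "internal"}

# Allow list of (source zone, destination zone, destination port). Default deny.
ALLOW = {
    ("internet", "dmz", 443),       # public HTTPS to the web tier
    ("dmz", "internal", 5432),      # web tier to the database, nothing else
    ("internal", "dmz", 22),        # administrators manage DMZ hosts
    ("internal", "internet", 443),  # patch downloads
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Anti-spoofing: an external packet claiming an internal address, or an
    # internal packet with a foreign address, is dropped before any rule is consulted.
    if src_zone != IFACE_ZONE.get(pkt.ingress_if):
        return "DROP", f"spoofed source {pkt.src} ({src_zone}) on interface {pkt.ingress_if}"
    if (src_zone, dst_zone, pkt.dport) in ALLOW:
        return "ACCEPT", f"{src_zone}->{dst_zone}:{pkt.dport} permitted"
    return "DROP", f"{src_zone}->{dst_zone}:{pkt.dport} not in allow list"


# Constructed sample traffic.
SAMPLE = [
    Packet("external", "203.0.113.7", "10.10.0.5", 443),    # customer to web tier
    Packet("external", "203.0.113.7", "10.20.0.10", 5432),  # Internet straight to the DB
    Packet("external", "10.20.0.9", "10.10.0.5", 443),      # spoofed internal source from outside
    Packet("dmz", "10.10.0.5", "10.20.0.10", 5432),         # web tier to DB
    Packet("dmz", "10.10.0.5", "10.20.0.10", 22),           # compromised web host trying SSH inward
]


def audit(packets) -> list:
    """Evaluate each packet; rows are (src, dst, dport, verdict, reason)."""
    return [(p.src, p.dst, p.dport, *decide(p)) for p in packets]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The last two sample packets show why the DMZ matters: the web tier may talk to the database on its one permitted port, but a compromised web host gets no further, and an outsider forging an internal source address is dropped by the interface check rather than by any specific rule.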

Protection from malware

Some time ago, signature-based detection, the most common approach, sufficed to recognize and stop malware. Nowadays malware and ransomware not only spread but also mutate rapidly (packed and polymorphic variants), so relying on matching traffic and files against a list of known attack signatures is scarcely enough.

To balance performance and security, vendors eventually produced tools that examine files to decide whether they are safe to run and do so quickly enough that users experience no interruption.

Today effective anti-malware protection is a set of security layers (defense in depth) that makes exploiting system flaws, which can never be eliminated entirely, as hard as possible. These layers can include:

  • Security awareness training
  • Monitoring and a security information and event management (SIEM) system
  • E-mail, web and network protection
  • Backups kept offline or immutable, so ransomware cannot encrypt them too
  • Patched software and firmware
  • Information security policies.

Protection from DDoS and injection

Built from microservices and APIs, and deployed across separately administered environments, modern applications and websites are increasingly difficult to protect. Attackers keep devising more varied, unpredictable and hard-to-detect ways to hit a system's vulnerabilities.

A DDoS (distributed denial-of-service) attack is a non-intrusive attempt to make a publicly accessible service unavailable by overwhelming it with superfluous traffic. Its growing frequency does not make it less of a threat: an attacker needs no access to the application, the traffic can be disguised as normal use, which complicates detection, and even minimal downtime means service disruption and financial losses for businesses and organizations alike.

Our experienced and certified experts secure your SaaS with multiple protection and mitigation techniques, shielding your enterprise from the common consequences of DDoS:

  • App or website availability: applications are out of users' reach during attacks that can last for days
  • Financial impact: revenue is lost while spending on IT infrastructure provisioning goes up
  • Information security: a DDoS is sometimes used as a smokescreen to distract responders while an intrusion or data theft is attempted
  • Brand reputation: your company's competitive standing and credibility are impaired.

DevOps separation of duties (SoD)

Separation of duties divides the key functions of a system among more than one individual or department. The point of SoD in DevOps is that no single person holds enough responsibility or privilege to carry out or approve a critical system process alone.

Simply put, if the developer or team who writes the code cannot approve and deploy it on their own, the chance of a faulty, unauthorized or malicious release is kept to a minimum. No individual or team should control a process from end to end.

Separation of duties is applied primarily to make errors, misuse and fraud easier to prevent, detect and treat. Split and distributed, critical functions are easier to govern, diagnose and control. This matters most for conflicting duties, whose separation significantly reduces the chance of unsanctioned or unintended use or leakage of information.

Our experts will help you implement SoD in your cloud environment with AWS Organizations, using separate accounts for development, testing and production and service control policies (SCPs) as guardrails on what each account's identities may do. AWS also promotes the principle of least privilege, which complements SoD: we recommend fine-tuning your AWS IAM policies so that each role is granted only the actions it needs, and so that the actions needed to write code and the actions needed to deploy it never end up in the same identity.
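An added example of how the SoD and least-privilege requirements from the two passages above (the development/testing/production separation and the "developers must not be able to deploy on their own" rule) can be checked automatically (example code written for this article, not Romexsoft's or AWS's tooling): the script reads IAM identity policies in the real IAM JSON shape, computes which of a set of candidate actions each principal effectively holds (explicit Deny beats Allow), and flags any principal that can both push code and deploy it, as well as any Allow of Action "*" on Resource "*". It evaluates only Effect and Action; Resource, Condition, NotAction, permission boundaries and SCPs are ignored, so it is a screening check, not an authorizer. The three policies, the candidate action list and the develop/deploy groupings are constructed for the example.

```python
"""Separation-of-duties and least-privilege screening over IAM identity policies.

Added example, not code from the original article. Policies are in the real IAM
JSON shape but their contents, the candidate actions and the develop/deploy
groupings are constructed. Only Effect and Action are evaluated.
"""
import fnmatch
import json

# Constructed policies attached to three hypothetical principals.
POLICIES = {
    "developer": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["codecommit:*", "lambda:UpdateFunctionCode"],
                       "Resource": "*"}]}"""),
    "release-manager": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["codecommit:GetRepository",
                                  "codedeploy:CreateDeployment",
                                  "lambda:UpdateFunctionCode"],
                       "Resource": "*"},
                      {"Effect": "Deny", "Action": "codecommit:GitPush", "Resource": "*"}]}"""),
    "legacy-admin": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}"""),
}

# Actions we care about; a real run would expand this to every action of each service.
CANDIDATE_ACTIONS = ["codecommit:GitPush", "codecommit:GetRepository",
                     "codedeploy:CreateDeployment", "lambda:UpdateFunctionCode",
                     "iam:CreateUser"]

# Toxic combination: an identity that can both write code and ship it.
DEVELOP_ACTIONS = {"codecommit:GitPush"}
DEPLOY_ACTIONS = {"codedeploy:CreateDeployment", "lambda:UpdateFunctionCode"}


def _as_list(value):
    """IAM allows a string or a list in Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy: dict, candidates=CANDIDATE_ACTIONS) -> set:
    """Effective set of candidate actions the policy allows (an explicit Deny wins)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        # IAM action matching is case-insensitive and supports "*" and "?" wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        matched = {a for a in candidates
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt["Effect"] == "Allow" else denied).update(matched)
    return allowed - denied


def sod_violations(policies: dict) -> list:
    """Principals that can both develop and deploy."""
    return sorted(name for name, pol in policies.items()
                  if allowed_actions(pol) & DEVELOP_ACTIONS
                  and allowed_actions(pol) & DEPLOY_ACTIONS)


def wildcard_grants(policies: dict) -> list:
    """Principals with an Allow of Action "*" on Resource "*": no least privilege at all."""
    return sorted({name for name, pol in policies.items()
                   for stmt in pol["Statement"]
                   if stmt["Effect"] == "Allow"
                   and "*" in _as_list(stmt["Action"])
                   and "*" in _as_list(stmt.get("Resource", []))})


if __name__ == "__main__":
    print("SoD violations:", sod_violations(POLICIES))
    print("Action '*' grants:", wildcard_grants(POLICIES))
```

The "developer" principal is flagged because the service wildcard codecommit:* silently includes GitPush alongside a deploy action; the "release-manager" passes because the explicit Deny on GitPush removes the conflicting duty even though the Allow list is broad. Fixing the developer policy means moving lambda:UpdateFunctionCode to the pipeline's deploy role, not adding another Deny on top of a wildcard.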

Looking for help with ISO 27001 for SaaS?

Contact Our Experts Today

    Ivan Shulak, Sr. Delivery Manager, Senior Application Architect at Romexsoft | AWS Certified Solutions Architect | Oracle Certified Professional, Java SE 8 Programmer | Keen on Java Application Development and Cloud Application Development.