Ensuring SaaS Security in ISO Compliance

Adaptive Shield Team

The International Organization for Standardization (ISO) sets standards across various industries. As an internationally recognized standards organization, its two information technology security standards – ISO 27000:2018 and ISO 27001:2013 – can be used to help build out a strong security posture.

SaaS security is critical to ISO compliance in the modern business world. However, with all the non-stop changes in an organization's SaaS stack, from updating and modifying configurations to discovering SaaS-to-SaaS access and securing devices, it can become overly burdensome for a security team to handle. SSPM solutions address this pain by providing proactive, deep, continuous and automated monitoring and management capabilities. (SSPM solutions can also offer security checks per compliance framework, so the security team can easily see where their posture is compliant and where it needs remediation.)

This blog will take a deep dive into the ISO compliance standards, their two recent yet different versions, and how SSPM can help security teams ensure ISO compliance.

What is the difference between ISO 27000:2018 and ISO 27001:2013?

Simply put: ISO 27000:2018 gives you goals to accomplish while ISO 27001:2013 outlines the steps you have to take to achieve those outcomes.

ISO 27000 sets out the following fundamental principles of your security program:

ISO 27001 focuses on best practices and establishing an Information Security Management System (ISMS) that consists of policies and procedures. It includes five processes for achieving these security fundamentals:

The 10 ISO 27001:2013 Clauses

A lot of this sounds fairly vague, and it is. ISO takes a risk-based approach to establishing an ISMS, but that doesn’t mean you’re on your own.

The first three clauses give you the basic terminology and scoping. It’s clauses four through ten that start to get into some more detail. These are:

Again, this is fairly high-level, even though ISO gives detailed definitions within the clauses. The real work of getting ISO compliant is found in Annex A which lists 114 controls aligned to ten clauses.

Where SaaS Security Fits into ISO Compliance

The problem with understanding the importance of SaaS security within the ISO context is that ISO never specifically mentions SaaS apps. Since it acts as a risk-based framework, you need to start by identifying the risks that SaaS apps pose, then put the controls around them.

Going into all the controls listed in ISO 27001 would be too long for this post. However, you can get a general sense of how SaaS security – and SaaS Security Posture Management (SSPM) – fits into your ISO compliance plans with a few examples.

Access Control

Under Access Control, you need to ensure that all users are assigned the appropriate access needed to complete their job functions.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

Example

Permission drift occurs when a user has certain permissions as part of a group membership, but then gets assigned a specific permission that is more privileged than what the group has. Over time, many users accumulate extra permissions in this way. This undermines the idea of provisioning access through groups.
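The check below is an added example (not Adaptive Shield's code or any SSPM product's logic) of how permission drift can be detected from a SaaS tenant's export. The group and user records, the privilege ranking, and the resource names are constructed assumptions; a direct grant is flagged when it exceeds the highest role the user's groups confer, or covers a resource no group grants at all.

```python
"""Detect permission drift: direct grants beyond what group membership confers."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed privilege ranking; a higher number is more privileged.
RANK = {"viewer": 1, "editor": 2, "admin": 3}

# Constructed sample export: group -> {resource: role}.
GROUPS = {
    "engineering": {"repo": "editor", "billing": "viewer"},
    "finance": {"billing": "editor"},
}

# Constructed sample export: user -> groups and directly assigned roles.
USERS = {
    "alice": {"groups": ["engineering"], "direct": {"repo": "admin"}},     # above group role
    "bob": {"groups": ["engineering"], "direct": {"billing": "viewer"}},  # redundant, not drift
    "carol": {"groups": ["finance"], "direct": {"hr": "viewer"}},         # resource no group grants
    "dave": {"groups": ["finance"], "direct": {}},
}


@dataclass
class Drift:
    user: str
    resource: str
    direct_role: str
    group_role: Optional[str]  # None when no group grants the resource at all


def effective_group_role(groups: List[str], resource: str, group_map: Dict) -> Optional[str]:
    """Highest role on `resource` reachable through the user's group memberships."""
    best = None
    for g in groups:
        role = group_map.get(g, {}).get(resource)
        if role and (best is None or RANK[role] > RANK[best]):
            best = role
    return best


def find_drift(users: Dict = USERS, group_map: Dict = GROUPS) -> List[Drift]:
    """Return every direct grant that is more privileged than the group baseline."""
    findings = []
    for name, u in users.items():
        for resource, role in u["direct"].items():
            grp = effective_group_role(u["groups"], resource, group_map)
            if grp is None or RANK[role] > RANK[grp]:
                findings.append(Drift(name, resource, role, grp))
    return findings
```

Grants that merely duplicate a group role (bob) are left alone so the report lists only what needs review.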

SSPM Can Help

SSPM gives you a way to govern users’ cloud access by:

Operations Security

Operations security is the process of ensuring correct and secure operations for all information processing facilities. In cloud environments, managing operations security becomes more difficult because you often lack visibility.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

Example

Granting OAuth consent is an extremely common action that users take, but implementation mistakes can lead to attacks. You need to make sure that you have appropriate documented operating procedures for onboarding new applications that use OAuth. Further, cybercriminals can exploit misconfigurations, such as by sending OAuth application phishing emails, as part of their ransomware attacks.
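As an added example (not Adaptive Shield's code), the review below compares a tenant's OAuth consent grants against the allowlist that a documented onboarding procedure would produce. The grant records, scope names and app identifiers are constructed; scopes that grant broad data access or long-lived tokens are treated as high-risk, and user-consented grants of such scopes are flagged for admin review.

```python
"""Review third-party OAuth grants against an onboarding allowlist."""
from typing import Dict, List, Set

# Constructed: scopes that give an app broad data access or long-lived tokens.
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite.all", "offline_access",
                    "directory.readwrite.all"}

# Constructed: apps that completed the documented onboarding procedure, with the
# scope set approved at onboarding time.
APPROVED_APPS: Dict[str, Set[str]] = {
    "app-id-crm-sync": {"mail.read", "offline_access"},
    "app-id-hr-bot": {"profile"},
}

# Constructed sample of tenant-wide OAuth grants (one record per app).
GRANTS = [
    {"app_id": "app-id-crm-sync", "name": "CRM Sync", "publisher_verified": True,
     "scopes": {"mail.read", "offline_access"}, "consented_by": "admin"},
    {"app_id": "app-id-unknown-1", "name": "Free PDF Tools", "publisher_verified": False,
     "scopes": {"mail.readwrite", "offline_access"}, "consented_by": "user:alice"},
    {"app_id": "app-id-hr-bot", "name": "HR Bot", "publisher_verified": True,
     "scopes": {"profile", "directory.readwrite.all"}, "consented_by": "admin"},
    {"app_id": "app-id-notes", "name": "Notes", "publisher_verified": True,
     "scopes": {"profile"}, "consented_by": "user:bob"},
]


def review_grant(grant: Dict, approved=APPROVED_APPS, high_risk=HIGH_RISK_SCOPES) -> List[str]:
    """Return the reasons a grant needs remediation; an empty list means it is fine."""
    reasons = []
    allowed = approved.get(grant["app_id"])
    risky = grant["scopes"] & high_risk
    if allowed is None:
        # App never went through onboarding: only a problem if it holds risky scopes.
        if risky:
            reasons.append("unapproved app holds high-risk scopes: " + ", ".join(sorted(risky)))
            if grant["consented_by"].startswith("user:"):
                reasons.append("user consent granted high-risk scopes without admin review")
    else:
        # Approved app: flag scope creep beyond what onboarding signed off on.
        extra = grant["scopes"] - allowed
        if extra:
            reasons.append("scopes beyond approved set: " + ", ".join(sorted(extra)))
    if not grant["publisher_verified"] and risky:
        reasons.append("unverified publisher with high-risk scopes")
    return reasons


def review_all(grants=GRANTS) -> Dict[str, List[str]]:
    """Map each app that needs action to its list of reasons."""
    return {g["app_id"]: review_grant(g) for g in grants if review_grant(g)}
```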

SSPM Can Help

SSPM gives you the ability to run continuous security checks for all SaaS apps in use, in addition to the SaaS-to-SaaS access, so that you can:

Compliance

This requirement focuses on avoiding breaches of legal, statutory, regulatory, or contractual obligations.

Ensuring SaaS security under this requirement can be challenging because you need to make sure that you meet the following sub-requirements:

Example

Default configurations can lead to PII leaks, as seen in the 2021 Power Apps portal issue that Microsoft fixed. Knowing which default configurations create a compliance violation, and monitoring to ensure that you fix such issues, is key to compliance.

SSPM Can Help

SSPM can help you get compliant by:

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.