ISO 27001 is a compliance standard that outlines the requirements for an Information Security Management System (ISMS). These systems protect the security, availability, and confidentiality of an organization’s information assets through technical and organizational policies and procedures. Complying with ISO 27001 means that an organization has systems in place and follows best practices to manage the risks associated with its data.
Recently, at Applivery, we obtained our own ISO 27001 certification using our MDM solution.
The management clauses of the ISO 27001 standard broadly outline the controls an organization must implement to demonstrate that it is taking appropriate steps to mitigate information security risks. These controls range from access control and physical security to cryptography and incident management, and are categorized into four general areas: technical, organizational, physical, and personnel. Many of these controls can be directly addressed by a mobile device management (MDM) solution like Applivery.
Information stored, processed, or accessible to users on end-user devices must be protected. MDM can help by ensuring that company-provided devices have encrypted hard drives.
It’s essential to ensure that information and other assets are protected against malware, and this protection should be supported by proper user training on best practices. MDM can assist by deploying anti-malware software.
Organizations need to stay aware of technical vulnerabilities that could affect their information systems, with processes to assess their exposure and tools to defend against threats. MDM should be capable of patching these vulnerabilities on devices, whether in the operating system or other software.
MDM is essential for implementing and monitoring configurations, including security settings, for hardware, software, and services to ensure they comply with security requirements. Additionally, there must be a mechanism to remediate any unauthorized changes to configurations.
Procedures and measures should be in place to install software securely, allowing installation from official stores and other sources in a manner that ensures integrity and prevents the exploitation of vulnerabilities.
The organization must identify its information and associated assets to preserve their security and assign appropriate ownership. MDM can help by generating and exporting IT asset inventory reports.
The organization should have a system to ensure that employees (and others) who possess information assets, such as computers or other devices, return those assets when their employment, contract, or agreement changes or ends. Applivery also allows administrators to lock these devices in such events.
As an IT administrator, you must ensure that users handle passwords and other authentication elements correctly. One way to achieve this is by deploying a password manager on devices through MDM. Another is to ensure users follow good password policies when accessing their devices; again, these policies can be enforced via MDM.
You need the infrastructure to use cryptography effectively, protecting the confidentiality and authenticity of business information, including key management. A good MDM solution allows you to enable and configure options for FileVault and BitLocker, including scanning a recovery key.
Storage media must be managed throughout their lifecycle, from acquisition and use to disposal. The organization should control the disclosure, modification, deletion, and destruction of information on such media. Some MDM solutions, including Applivery, allow for defining rules that permit or block access to removable storage.
It’s essential to have systems in place that protect the organization’s information even when employees work remotely. MDM can facilitate this by configuring hard drive encryption on devices used by remote employees, ensuring data is protected outside the company’s premises.
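The configuration-compliance checking described above (monitoring device settings against security requirements and flagging what needs remediation) can be illustrated with a small posture evaluator run over an MDM inventory export. This is an added example, not Applivery code; the inventory field names, the control-area labels and the baseline values are assumptions.

```python
# Evaluate constructed MDM device records against the control areas named in the article.
# Not Applivery's code or export format; field names and baselines are assumptions.

# Constructed inventory records, shaped like an MDM asset export.
INVENTORY = [
    {"device": "mac-001", "platform": "mac", "os_version": "14.4.1", "disk_encrypted": True,
     "recovery_key_escrowed": True, "antimalware_running": True,
     "removable_storage": "blocked", "screen_lock_minutes": 5},
    {"device": "win-017", "platform": "win", "os_version": "10.0.19044", "disk_encrypted": False,
     "recovery_key_escrowed": False, "antimalware_running": False,
     "removable_storage": "allowed", "screen_lock_minutes": 30},
]

# Constructed baselines: minimum patched OS build per platform, maximum idle minutes before lock.
MIN_OS = {"mac": (14, 4, 1), "win": (10, 0, 19045)}
MAX_LOCK_MINUTES = 15


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple so builds compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


# Each rule: (control area, predicate that is True when compliant, remediation the MDM would push).
RULES = [
    ("endpoint encryption", lambda d: d["disk_encrypted"], "enable FileVault/BitLocker"),
    ("cryptography / key management", lambda d: d["recovery_key_escrowed"], "escrow recovery key"),
    ("malware protection", lambda d: d["antimalware_running"], "deploy or start anti-malware agent"),
    ("technical vulnerabilities",
     lambda d: parse_version(d["os_version"]) >= MIN_OS[d["platform"]], "push OS update"),
    ("storage media", lambda d: d["removable_storage"] == "blocked", "apply removable-storage block"),
    ("authentication", lambda d: d["screen_lock_minutes"] <= MAX_LOCK_MINUTES, "enforce screen-lock policy"),
]


def evaluate(device: dict) -> list:
    """Return (control_area, remediation) for every rule the device fails; [] means compliant."""
    return [(area, fix) for area, check, fix in RULES if not check(device)]


def compliance_report(inventory: list) -> dict:
    """Map device id -> findings, so configuration drift is visible and remediable per control."""
    return {d["device"]: evaluate(d) for d in inventory}


if __name__ == "__main__":
    for dev, findings in compliance_report(INVENTORY).items():
        print(dev, "COMPLIANT" if not findings else findings)
```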