International Organization for Standardization (ISO) 27001 Security Policy

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created a worldwide standard for measuring and evaluating Information Security Management Systems (ISMS) within organizations. ISO 27001 has undergone an update in its now-released ISO 27001:2022 version, providing similar controls from the ISO-27001 2017 version, whilst demonstrating merged and new controls for ISMS operations. ISO-27001 is the best-known standard in the ISO family and has been adopted by numerous organizations of varying sizes across all industries and markets on a global scale. Control obligations are supported through LogRhythm AI Engine (AIE) rules, Alarms, Reports, and Investigations with the aim of helping your organization obtain ISO/IEC 27001 Certification.  ISO Standard 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS within the context of the organization’s overall business risks. These published guidelines cover many areas surrounding access control, audit and accountability, incident response, and system and information integrity. 

The collection, management, and analysis of log data are integral to meeting many ISO 27001 guidelines. LogRhythm also understands that organizations may be at different points of compliance maturity, so the Compliance Automation Suite: ISO 27001 is flexible to allow organizations to realize value at any point along that maturity scale. The Management Clauses, which are focused on policy and entity-level controls, served as high-level guidelines in developing this module. However, the Compliance Research Team focused on the control requirements, which are traditionally the requirements used to attest for certification. The use of LogRhythm supports some of the standard’s recommendations and decreases the cost of meeting others. IT environments consist of heterogeneous devices, systems, and applications - all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of organizing this information can be overwhelming. Additional recommendations to analyze and report on log data render manual processes or homegrown remedies inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm’s powerful alerting capabilities automatically identify the most critical issues and notify relevant personnel. This module and reporting package works out of the box with some level of customization available. Utilizing the Compliance Automation Suite: ISO-27001 assists in building and maintaining a sound compliance program.

This guide is divided into the following sections: