The savvy sysadmin's guide to surviving an ISO 27001 audit

What ISO 27001 auditors will be looking for from Unix sysadmins


If your Unix/Linux servers are to be involved in an ISO 27001 audit, there are a lot of things you should be doing ahead of time to ensure that they won't end up generating findings. While there are many things you can do to secure the systems you manage, the key to getting a Unix system to pass an ISO 27001 audit is knowing what the auditors are likely to ask and what they will need to see.

What is ISO 27001?

If you're new to ISO 27001, it helps to know that the standard specifies the requirements for an information security management system (ISMS): the policies, processes and controls an organization uses to manage information security risk. Many of the things you already do to keep the servers you manage secure and usable will feed into the overall security posture the auditors are looking to confirm. Where a shop falls short, it is frequently not in the controls themselves but in the evidence: you aren't documenting your activities as thoroughly as the auditors need to see. The standard covers many areas, but keeping records that prove you followed the proper procedures is the one most easily overlooked in the busy day-to-day life of a systems administrator.

The overall standard focuses on identifying and addressing risk in your organization, specifically risk to information and the assets that store and process it. Certification can be quite valuable for gaining and maintaining customer trust; an ever-increasing number of organizations require the companies they do business with to be certified. Certification can also help keep your organization's executives out of trouble, since it demonstrates that they exercised due diligence in protecting the company's information assets, even if you're the one actually managing the safeguards.

ISO 27001 is about managing information security in all its forms: not just system security, but the physical security of buildings, the handling of printouts, personnel security and so on. Staff awareness and training are essential to success.

While people refer to "ISO 27001", it is one member of the ISO/IEC 27000 family of standards, all concerned with information security. The two key documents are 27001, which specifies the requirements for an information security management system, and 27002, which provides a code of practice for implementing security controls. Think of them as what you must do and guidance on how to go about doing it. An organization seeking certification first works out what the standard requires, then decides how best to meet those requirements in its own environment. For physical security, for example, it might decide that all servers must live in data centers with tightly restricted access, and write that requirement into one of its "controls". If the auditors then find the data center door propped open or unlocked, you'll likely get what's called a "finding": a nonconformity that counts against your chances of being certified.
