After being inspired by Alexander Fields about the CIS framework and Microsoft 365, I took a deep dive into mapping ISO 27001 to a zero-trust modern workplace. I’ll try to show you how Microsoft 365 Business can help you with your ISO 27001 adventure.
The ISO 27001 Framework has many CIS controls included. You can check out the mapping of CIS controls to ISO 27001 right here:
I’ve created the ultimate Visio flow to help our customers transform their organizations into a modern zero-trust company. It’ll help you understand that by implementing Microsoft 365, you’re also applying controls of the ISO 27001 framework.
To transform into a modern zero-trust organization, you’ll have to implement controls to secure your identities, devices, data, infrastructure, networks, and applications.
The first and most important step will be migrating your E-mail/Identity to Office365. Keep in mind though, you’ll have to configure a baseline security policy. You’ll need to configure Microsoft Defender for Office365, anti-spam and malware policies, Disable POP/IMAP and configure SPF and DMARC. But don’t forget your identity as well, you’ll need to make sure your identity is safe. You can achieve this by implementing MFA password less.
When configuring these security controls, you can also cross off some of the ISO 27001 controls, for example: A.13.2.3, A.9.4.2, A.9.4.3…
After your Identity and your email are migrated to Exchange Online, you can begin migrating your devices. Of course, you need to apply your security controls just like you did with your Exchange Online environment. You’ll have to think about using Conditional Access, implementing admin-less, AppLocker, and so on.
And when migrating your devices into Azure Ad you will realize there are many ISO 27001 controls you can cross. Just think about asset inventory, security policies, access control policies, etc. When configuring these security controls a lot of ISO 27001 controls can be checked off like: A.6.2.1, A.6.2.2, A.9.1.1, A9.1.2, and a lot more.
When your identity/email and devices are migrated to the cloud, migrating your Data to Microsoft 365 will be your next step to start sharing files instead of emailing attachments to start collaborating.
- Personal files will need to be migrated first to OneDrive
- Team files need to be migrated to Teams
- Everyone’s files need to be migrated to SharePoint
- Archive / Delete inactive files
But just migrating your data isn’t enough. It’s the same story as with your devices and identity, you’ll need to apply baseline security again. Do you allow your data to be shared with anonymous users? Do you need sensitivity or retention labels? You’ll need to setup some governance to make sure your data will be safe and protected. When doing so you, again, check some ISO controls like: A.8.2.1, A.8.2.2, A.8.3.2, A.9.4.1, A.12.3.1, etc.
This will be probably one of the last steps you need to take in migrating to a modern zero-trust company. Migrate/archive/delete as much of your legacy apps as you can. Start creating your own low-code/no-code apps with Power Apps/Power Automate.
Check your Microsoft 365 business license, Cloud App discovery is included! It will gather data about all the apps you are using in your company. Even the ones you did not know about. My opinion? Go upgrade your Microsoft license to get all MCAS functionalities.
Security! A lot of security improvements can be made, so you can cross off even more ISO 27001 controls. To mention a few:
- Windows update for business
- Microsoft Defender for endpoints
- Azure Identity Protection
- Additional Device monitoring
As I am working for an MSP company, I have an important opinion about implementing baseline security for all our customers. It’s your duty to secure your own company and all of the companies you are working for. Only migrating to Microsoft 365 is not enough, you will need to help your customers to setup a zero-trust workplace. A security baseline must be included in your default service.
Do you want to know more about implementing ISO 27001 controls while migrating to Microsoft365, please contact me.