Links

ISO 27001 Compliance + DLP

The International Organization for Standardization (ISO) is a non-governmental organization that provides transnational standards across technology and engineering fields. ISO 27001 is a set of standards or ISMS (information security management system) to help orgs build out a coordinated and functional infosec program by assessing risk and identifying the types of controls critical to securing data in electronic systems.
There are currently two versions of ISO 27001

Version 2013

This version of ISO 27001 can no longer be used after October 31, 2025. It has limited data protection requirements that are outlined in a control supplement called ISO 27002.
These two requirements would be supported with Nightfall:
  • 11.2.6: Security of Equipment & Assets Off-Premises
  • Framing: data is the asset, and the cloud / SaaS is considered off-premises
  • Security controls need to be applied to off-site assets, which essentially means protecting data (the asset) on the cloud (the off-site / third-party data center). ISO requires the same technical controls as if it were on-site, meaning that Nightfall supports these ISO control sections:
    • 8.1.3 / 8.2.3: Acceptable use of information and systems - this is the appropriate handling (i.e., sharing / disclosure) of sensitive data, which is Nightfall’s main mission
    • 12.4.1 - 12.4.3: Monitoring of sensitive data use
    • 16.1.2 - 16.1.3: Information Security Event Reporting
    • 18.2.2 - 18.2.3: Compliance with policies and standards for information security
  • 13.2.1: Information Transfer Policies & Procedures
  • Communications must be secure, regardless of which system used. With Slack, Google Workspace, and other systems in development, Nightfall provides protection of comms over public internet to a variety of audiences, and is thus a control that supports this ISO requirement for confidentiality by taking into account the type, nature, amount and sensitivity or classification of the information being transferred.
Version 2022
This latest version of ISO 27001 will be required after October 31, 2025, and it adds the following new data protection requirements:
  • A.8.12: Data leakage prevention. A tool like Nightfall is now required if processing sensitive information, which is almost always the case. The requirement states that “data leakage prevention measures shall be applied to systems, networks, and any other devices that process, store or transmit sensitive information.”
  • In support of the above requirement, Nightfall also would be a control for:
    • A.8.10: Information deletion. Nightfall’s automated remediation such as deletion enabled this requirement, which states that “information stored on information systems, devices or in any other storage media shall be deleted when no longer required.”
    • A.8.11: Data masking. Nightfall’s data masking in protecting data is identified as a specific requirement. The requirement states “data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.”
    • A.8.16 Monitoring activities: networks, systems and applications shall be monitored for anomalous behavior and appropriate action taken to evaluate potential information security incidents.
  • A.8.28: Secure coding. Nightfall’s protection of secrets and keys, none of which should ever be disclosed in development, supports this ISO requirement, which states that “secure coding principles shall be applied to software development.”