Last Updated on October 28, 2019
Recently I joined a vCISO call with one of our SaaS clients. They are considering ISO 27001 certification and immediately presented us with the question: “Do we need AlienVault (now called AT&T Cybersecurity) to be ISO 27001 certified?”
Nothing like going from zero to 60 in 9 words :>)
It was both a very easy and very challenging question to answer. Before diving in, it’s important to note the question was specific to AlienVault because the client knew that we use it as part of our ISO 27001 certified ISMS, and also with a number of our ISO 27001 certified clients. However, my thoughts to follow are applicable to any good Security Information and Event Management (SIEM) solution.
My short answer was “no.”
Unfortunately, anyone who knows me knows that brevity isn’t my forte, and not surprisingly a (much) longer answer and conversation followed.
More explanation was needed because ISO 27001 tells you what you need to accomplish, but not exactly how you need to accomplish it. So, a SIEM is only a “requirement” if you determine it is.
Typically a SIEM would be a “requirement” if it is the only way, or the most effective way, to ensure that you have the logging information you need to detect and respond to a security incident in a timely manner. (A SIEM is also a great tool to demonstrate compliance.)
ISO 27001 Annex A includes four logging-specific controls that are SIEM related, and which virtually all organizations will need to address to achieve ISO 27001 compliance:
- 12.4.1 Event logging:
  - Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
- 12.4.2 Protection of log information:
  - Logging facilities and log information shall be protected against tampering and unauthorized access.
- 12.4.3 Administrator and operator logs:
  - System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
- 12.4.4 Clock synchronization:
  - The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
In a small environment with only a handful of applications, it is easy to meet all four requirements without implementing centralized log monitoring and/or a SIEM.
But a SIEM becomes increasingly valuable as the complexity of the environment grows. Despite the fact that we are a relatively small organization, Pivot Point Security deployed AlienVault as it became nearly impossible to ensure that we had the visibility into the logs we needed to monitor and retain across disparate locations/systems/applications (e.g., Azure Active Directory, Office 365, Amazon EC2, approximately 70 mobile devices/laptops, about 10 servers in our colocation facility, etc.). Hence, AlienVault was a requirement to ensure that we were ISO 27001 compliant, not an ISO 27001 requirement per se.
Moreover, while the above four controls are somewhat SIEM specific, a good SIEM like AlienVault will likewise provide demonstrable value in meeting several dozen ISO 27001 requirements related to Asset Management, Incident Response, User Access Management, Physical Security, Technical Vulnerability Management, Legal & Compliance, etc.
I’ll try to follow up with some additional blog content that speaks to the way we use AlienVault to help us maintain our ISO 27001 certification… maybe in fewer words but no promises.