The International Organization for Standardization (ISO) 27001 standard defines requirements that an organization’s information security management system must meet for the organization to receive third-party certification for its information security practices.
Officially titled “ISO/IEC 27001”, the standard has been in place since 2005 and requires organizations to address much more than just secure file transfer. But with data access and exchange being such a critical component of ISO 270001 compliance, we thought it would be helpful to discuss how to set up ISO 27001-compliant file transfer through the lens of Cerberus FTP Server.
First, let’s begin with some background on the ISO 27001 standard.
What is an Information Security Management System (ISMS)?
An information security management system refers to the combination of controls, processes and policies an organization uses to protect itself from cybersecurity threats. In this case, “system” doesn’t refer exclusively to software or hardware but rather a more holistic view of an organization’s process for identifying and mitigating cybersecurity risks.
What Organizations Need to be ISO 27001 Compliant?
Any organization that stores or transfers sensitive data should consider ISO 27001 certification, including those within industries that deal with high levels of regulated data, such as IT, financial services, health care, government, defense and infrastructure.
It’s not uncommon for purchasers to request ISO 27001 in RFPs, and achieving certification can make your offerings more attractive to buyers who require higher levels of information security.
How Does ISO 27001 Apply to File Transfer?
Specific ISO 27001-compliant file transfer requirements appear in ISO 27001 Annex A, which we have broken out below.
ISO 27001 Annex A.9 – Access Control
Annex A.9 requires organizations to ensure that only authorized users can access information and data. Cerberus FTP Server supports this requirement through features such as:
- A native User Manager that integrates with Active Directory FTP Security Groups or LDAP to ensure that only authorized users can view directories and files.
- IP connection safeguards ensure servers only accept connection requests from authorized IP addresses.
- Support for client certificate verification and SSH public key authentication to prevent spoofing or imposter attacks
ISO 27001 Annex A.10 – Cryptography
Annex A.10 requires an organization to safeguard its data’s confidentiality, authenticity and integrity through cryptography. Cerberus FTP Server enables ISO 27001-compliant transfer through:
- FIPS 140-2 verified cryptography
- Support for file transfers via OpenSSL 3/TLS 1.3, which allows administrators to deploy advanced key exchange, cipher and mac algorithms to protect data in motion
- File integrity checking to ensure all data arrives accurately
ISO 27001 Annex A.12 – Operations Security
Several subheadings in this section address a number of cybersecurity practices supported by Cerberus FTP Server:
- Annex A.12.2 requires organizations to protect their information against malware, which Cerberus FTP server supports via its automated network scanning and rogue transfer detection & shutdown features.
- Annex A.12.3 addresses protection against data loss. Cerberus FTP Server offers discounts for backup and recovery licenses, as well as server replication, to help you easily stand up backup and failover environments.
- Annex A.12.4 asks organizations to log and monitor all security events to trace any potential access issues when required. Cerberus FTP Server’s Report Manager helps administrators audit and report all data activity by client, user, file, directory, and more to support ISO 27001-compliant file transfer.
ISO 27001 Annex A.13 – Communications Security
This Annex outlines network and file transfer security requirements. Cerberus FTP Server supports these standards through:
- Network Security Tools: Cerberus FTP Server’s Enterprise Plus edition comes with automated network scanning and rogue transfer detection & shutdown features
- Information Transfer Security: In many ways, Cerberus FTP Server is the best ISO 27001-compliant file transfer solution for Annex A.13.2 compliance because it offers transfer via a number of different protocols and security options that give administrators significant flexibility to comply with this requirement
We hope you’ve found the above ISO 27001-compliant file transfer guide helpful. The standard is quite wide-ranging, so if you have questions about a particular requirement, our sales team will happily address them.