Compliance in the Cloud: ISO 27001 Information Security Management Systems

Hello good people of the world! Today’s post is continuing the series on compliance in the cloud. In the last post, we looked at the FDA’s 21CFR11, which is the legal statute medical device, pharmaceutical, and biologic manufacturers must adhere to when using computer systems for electronic records and/or signatures as part of their manufacturing process for products sold in the United States.

But 21CFR11 is old (1997!) and vague, really only covering at a high-level the requirements for impacted computer systems. Industry has filled in the details, and the ISO standards are a good example of that.

ISO 27001 covers Information Security Management Systems and costs about US$130. Firms may reference ISO certification as evidence of 21CRF11 compliance, such as Microsoft’s statement here.

Below is a summary of the procedural and/or engineering controls required by the standard. You’ll see a lot of overlap with the CFRs, other industry guidance like GAMP5, and other regulations like MHRA’s data integrity expectations.

Management of Policies

1. Policies shall be defined, approved by management, and distributed to employees.
2. Policies shall be reviewed at a planned interval and must be revised when processes change.
3. Responsibilities shall be defined.
4. Duties shall be segregated to avoid conflicts of interest.
5. Communication with relevant authorities shall be maintained.
6. Communication with relevant special interest groups and forums shall be maintained.
7. Information security shall be addressed in all projects.

Human Resource Security

1. Background checks shall be employed.
2. Responsibilities related to information security shall be documented and understood.
3. Training relevant to job functions shall be mandated and documented.
4. A formal disciplinary process shall exist for employees who have committed an information security breach.
5. Responsibilities shall be managed appropriately upon employee termination.

Asset Management

1. An inventory of assets shall be maintained.
2. Each asset shall have an assigned owner.
3. Acceptable use of each asset shall be documented.
4. Distribution and return of assets shall be managed.

Information Classification

1. Information shall be classified in terms of legal requirements, regulatory requirements, confidentiality, etc.
2. Procedures shall exist for the labeling of information by classification.
3. Management of assets shall take into consideration the classification of information associated with the asset.

Media Management

1. Removable media shall be managed per procedure.
2. A procedure shall exist for the proper disposal of media.
3. Procedures shall exist for the physical transfer of media, including protecting against unauthorized transfer, and damage/corruption of media during transfer.

Access Control

1. A procedure shall exist for access control.
2. User access shall be limited to the networks, systems, and information required to perform their job duties.
3. A procedure shall exist for the registration and de-registration of users.
4. A procedure shall exist for the access provisioning of users to all applicable systems.
5. The allocation of privileged access rights shall be restricted and controlled.
6. Authentication information shall be controlled through a formalized process.
7. Asset owners shall review user access at planned intervals.
8. User access shall be removed at appropriate times, such as employee termination.

Cryptography

1. Procedures shall exist for the use of cryptographic controls to protect information.

Physical Security

1. Security perimeters shall be defined to protect areas containing sensitive information.
2. Secure areas shall employee physical entry controls.
3. Physical protection against external and environmental threats shall be established.
4. Procedures shall exist for working in secure areas.

Equipment

1. Equipment shall be protected from problems with supporting utilities.
2. Cabling shall be protected from interception, interference, and damage.
3. Equipment shall be maintained on planned intervals.

Operations Security

1. Operating procedures shall exist.
2. Change management procedures shall exist.
3. Resource use and process capacity shall be measured and understood.

Backup

1. Backup and restore procedures shall be documented and tested on planned intervals.

Logging

1. Event logs shall be employed, retained, and reviewed on planned intervals.
2. Logs shall be protected from tampering, unauthorized access, and loss.
3. Administration activities shall be logged and reviewed on planned intervals.
4. Clocks used by systems shall be synchronized to a single reference time source.

Development Processes

1. Software development procedures shall be documented.
2. Changes to systems in the development lifecycle shall be controlled.
3. Development environments shall be secured.
4. Security functionality shall be tested during development.
5. Acceptance testing shall be established for all new versions of software.
6. Test data shall be controlled.

Suppliers

1. Risks associated with supplier access shall be documented and mitigated.
2. Risks and mitigations shall be communicated and agreed upon with suppliers.
3. Suppliers shall be audited on planned intervals.
4. Changes to supplier relationships shall be controlled.

Incidents

1. Procedures shall exist for the management of incidents.
2. End users shall be required to report incidents.
3. Corrective and preventive actions shall be applied to the management of incidents.

Business Continuity

1. Procedures shall exist for the continuity of business processes during adverse events.
2. Business continuity procedures shall address information security concerns.

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Advertisement