ISO27001 compliance & MS Teams
Strong security is an essential part of modern business. As a cloud software company, our security is critical not just for us, but also for our customers, partners and suppliers. ISO27001 is the global standard for information security management. We first became ISO27001 certified back in 2016 and the process works in 3-yearly cycles with annual audits. This year we started the whole process again. But this time, we wanted to take our prior experience and adapt our approach to better fit how we now manage our company.
In the past few years MS Teams has become central to our business. We wanted to utilise the great power of Teams as the platform to help us maintain ISO27001-compliant information security across our business. Having recently passed our audit with a clean bill of health (0 minor nonconformities), I thought I’d write up a brief summary of how the process went and the benefits we found in using Teams.
Our security ethos
We are guided by two principles: security-by-design and zero-trust. Zero trust is essentially the idea that all trust has to be earned. You don’t assume anything or anyone can be trusted. Starting at zero – suppliers, systems, processes and internal user authorisations are only approved if they pass an assessment based on trust, risk and requirement.
Security by design is a software development concept that we take beyond our software. We infuse the idea of security by design across our whole company – our systems, processes, policies and teams. One simple example of this idea is: minimised surface area. We made a conscious decision very early as a business that we were going to have everything in the cloud. All our systems and all our processes. By having 100% of our data and systems in the cloud, we simplify the requirements for us to have physical and on-premises security systems. The benefit of reducing surface area is that you can concentrate your resources to ensure that the exposed surface area you do have has the most advanced protections practically achievable. Why spend tens of thousands on the physical security provisions required to keep your company data center and servers relatively safe and secure when Microsoft spend tens of millions on making sure Azure is practically apocalypse proof?
How we used Microsoft Teams to become ISO27001 compliant
Microsoft Teams has played a central role in being able to manage our business data, systems and processes in the cloud. Not only does Teams act as a direct central store for many of our company files, it also acts as a central wiki, repo and signpost for our third party cloud hosted data too. Teams is also our primary channel for internal communications. In short, Teams is the lynchpin holding everything else we do as a business together.
MS Teams as an Information Security Management System (ISMS) platform
ISO27001 requires you to have a security steering group or management review team for information security. This is the group of people ultimately responsible for information security in your organisation – and it should ideally contain at least one person from the Company board with the executive powers to enact changes determined necessary by the group. To host this Security Management group, we have created a Private Team. This allows us to have private discussions and store both Confidential and Internal-Restricted documents and data relating to our security. It’s where we have our monthly security management meetings. And it’s the file store for our ISMS itself – in other words, the policies, procedure documentation, system designs, document templates, change logs, risk and audit reports, meeting minutes, planning docs, and everything else that goes into managing information security at IAM Cloud.
Microsoft 365 and Microsoft Teams as a secure data store
The Private Team and Private Channel concepts provide the granular permissions and secure boundaries required to enable a zero-trust model for managing our business data. Beyond that, our Microsoft 365 tenant is also secured by multi-factor authentication, conditional access and Azure Information Protection provided through Azure AD. And our devices are secured and managed by Microsoft Endpoint Manager (aka Intune). Collectively this makes Teams a highly secure and robust environment for managing our communications, documents and other data.
Microsoft Teams as a policy library and training system
While we created a Private Team for our Security Management Review Team to allow us to freely discuss confidential issues around company security and store our management data, we also created a new company-wide Team to share our policies, processes and training materials with our whole company. Our policy and process library Team is a great way to have a simple central place where our employees can find all our training, policy and process materials. One of the ultimate aims of the ISO27001 standard is to embed a “culture” of information security across the company. Having a central MS Team where all the resources are properly structured and available for our employees, along with a communication channel to reach all our employees, is a great way to help disseminate important information. It also makes it a lot easier for new employees coming onboard to find everything they need to learn about working in our company.
Microsoft Teams & Cloud Drive Mapper as a collaborative productivity suite
We don’t have a dedicated CISO, but from a responsibility perspective the CISO’s responsibilities fall on my shoulders. It’s down to me to make sure we’re on top of the information security management process, and to make sure we comprehensively fill in any gaps. A key part of ISO27001 compliance is properly managing our Information Security Management System (ISMS). If you’re not familiar with ISO27001, the ISMS is essentially the full collection of documentation – policies, procedures, registers, audit logs, and associated evidence. From a practical point of view, this means about 200 active documents that have various cross-references and linkages between them that we need to keep on top of.
MS Teams is a phenomenal tool, but for document management and productivity purposes, I don’t think any user experience has come close yet to beating the Windows Desktop and File Explorer (or the Mac equivalents). The ability to quickly Ctrl-C Ctrl-V to duplicate docs from templates, shift files and folders around seamlessly, and easily open several documents at the same time saves a bunch of time and frustration. Even just the ability to create desktop shortcuts to jump right into a folder or doc you know you’re going to be working on for the next week or so is a really nice feature of the Windows UI that doesn’t come natively with Teams. Fortunately, we created Cloud Drive Mapper with this exact kind of problem in mind. By using our own CDM tool, I can map a drive to our Security Management Team, allowing quick and easy access to our ISMS right from the Desktop, while still benefiting from all the collaboration and security features within Microsoft 365 and Teams. CDM and Teams together make managing the c.200 documents for ISO27001 a piece of cake, whereas trying to do it all in the Teams UI would likely get quite grating.
IDx & Teams as an automated group management and permissions system
While we don’t exactly categorize ourselves as a “cybersecurity company”, a lot of our software brings stronger security to both us internally and our customers. One of the most important pillars of the ISO27001 standard – especially to a cloud-centric company like us – is “access control”. User and group provisioning and deprovisioning is a key part of access control, and our product IDx (The Identity Exchange) sits at the heart of our provisioning and deprovisioning, much as it does for hundreds of our other customers.
IDx takes a source system (which could be an HR/MIS system, a database or your AD) and automates downstream provisioning and deprovisioning processes based on user and group attributes. So, for example, if you are in a ‘security management’ team in your HR system, IDx could automatically provision you into the Security Management MS Team. If you leave the company and your HR profile is set to leaver, IDx could automatically remove you from the Teams you’re a member of, revoke your O365 licence and much else.
For us, IDx is a luxury: as a company of under 50 people, we could cope with these processes manually. But for larger organizations, having IDx manage the group memberships of all their MS Teams is a major time saver and helps to ensure that access controls are applied and revoked correctly and promptly, with an effortless audit trail created by IDx notifications. Microsoft Teams is a fantastic space for secure, group-membership-based collaboration – IDx enables centralized Teams management with no manual or duplicate effort at any scale or complexity.
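To make the attribute-driven provisioning and deprovisioning described above concrete, here is an added, constructed simulation (not IDx’s code): HR records drive a reconciliation pass that adds and removes Team members and licences and writes an audit trail. The attribute names (`status`, `team`), the rule table and the in-memory `Directory` stand-in for the tenant are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample HR records; "status" and "team" are assumed attribute names.
HR_RECORDS = [
    {"upn": "alice@example.org", "status": "active", "team": "security management"},
    {"upn": "bob@example.org", "status": "active", "team": "engineering"},
    {"upn": "carol@example.org", "status": "leaver", "team": "security management"},
]

# Assumed rule table: HR team attribute -> MS Team that members should be provisioned into.
TEAM_RULES = {"security management": "Security Management"}

@dataclass
class Directory:
    """Stand-in for the downstream tenant: Team memberships, licences and an audit trail."""
    members: dict = field(default_factory=dict)  # team name -> set of UPNs
    licensed: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def desired_state(records):
    """Derive target memberships and licences from HR attributes; leavers get nothing."""
    teams, licensed = {}, set()
    for rec in records:
        if rec["status"] != "active":
            continue
        licensed.add(rec["upn"])
        target = TEAM_RULES.get(rec["team"])
        if target:
            teams.setdefault(target, set()).add(rec["upn"])
    return teams, licensed

def reconcile(directory, records):
    """Apply the difference between current and desired state, logging each change."""
    want_teams, want_lic = desired_state(records)
    for team in sorted(set(directory.members) | set(want_teams)):
        have = directory.members.get(team, set())
        want = want_teams.get(team, set())
        for upn in sorted(want - have):
            directory.audit.append(f"ADD {upn} -> {team}")
        for upn in sorted(have - want):
            directory.audit.append(f"REMOVE {upn} <- {team}")
        directory.members[team] = set(want)
    for upn in sorted(want_lic - directory.licensed):
        directory.audit.append(f"LICENSE {upn}")
    for upn in sorted(directory.licensed - want_lic):
        directory.audit.append(f"REVOKE-LICENSE {upn}")
    directory.licensed = set(want_lic)
    return directory.audit
```

Because the pass computes a desired state and diffs against it, a second run with unchanged HR data produces no further changes, which is what makes the audit trail a reliable record of who was granted or lost access and when.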
Microsoft Teams as the host of our certification audit
Since we’re a remote company, our audits are conducted online. Microsoft Teams was the perfect environment for us to engage with the external auditors as they undertook an inspection of our processes and policies. We created all-day meetings between our auditors and Management Review Team which people could easily step in and out of as required. We could easily pull in employees so that our auditors could interview them to confirm they adhered to our processes as part of their working practices. What was particularly nice about running the audits in Teams is that everything – our processes, policies, documentation and people – is all in one place. It really showcases the seamless integration and organisation of information security in our business. Everything is just right there, at hand, in the right place – accessible by the right people.
Microsoft Teams & ISO27001 – A Conclusion
I’m not a trained information security specialist. That’s probably evident from this blog post. But I suspect that most businesses out there – particularly small to mid-sized businesses and other organizations – probably don’t have a full-time CISO either. Back in 2016 I jumped into the deep end of the ISO27001 process, and one of the most challenging parts of the process I found was figuring out how everything pieced together. We had information spread out across different systems, and it made grasping the unfamiliar concepts and processes even harder. The ISMS and associated management processes were detached from our everyday work IT environments too – and if I’m honest that meant it was easy to neglect.
Microsoft Teams provides a fantastic, pretty much unique, environment to centralize, simplify and integrate ISO27001-standard information security management into the heart of our business. I’d strongly recommend it to others thinking of hosting their ISMS there.
This approach is part of our ethos of Secure By Design, which I’ve written a short overview about here. Security doesn’t always need to be a deeply technical field, and there are many steps you can take to increase your security without breaking the bank, or requiring years of cyber or information security training. You just need to think about security in terms of its fundamentals. Our use of Microsoft Teams is an example of that.
If you’re thinking about undertaking ISO27001 certification, or thinking of moving your ISMS to Teams, and want some candid answers to your questions – feel free to drop me a message. You can catch up with me on Twitter or email me at firstname.lastname@example.org