In this short article we examine the roles least privilege and application control have to play in ISO/IEC 27001 compliance.
ISO 27001 is an information security standard that defines how an IT system should be planned, implemented, monitored, reviewed, and improved.
It was first published in October 2005 by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and updated in 2013.
As ISO standards are widely recognized across a variety of business management disciplines - such as health and safety, and IT service management - complying with ISO/IEC 27001 protects against security breaches and can be used as a marketing tool to provide a clear message that IT security is taken seriously.
As a management standard, ISO/IEC 27001 doesn't define any technical controls, but ISO/IEC 27002 contains a list of controls, some or all of which may need to be adhered to depending on the outcome of a risk assessment as required by ISO 27001. Organizations cannot be ISO/IEC 27002 certified because it is not a management standard.