Skip to content

How MDM Can Help You Achieve ISO 27001 Compliance

How MDM Can Help You Achieve ISO 27001 Compliance

ISO 27001 is a compliance standard that defines in general terms what a good information security management system (ISMS) should do. Such systems protect the security, availability, and confidentiality of an organization’s information assets through technical and organizational policies and procedures. Conformity with ISO 27001 means that an organization has systems in place and is following best practices to manage risks to its data.

Iru recently earned its own ISO 27001 certification, in part because we use Iru ourselves as our MDM solution. Your MDM solution should be able to help you do the same. Here’s how.

How MDM Enables Security Compliance

The management clauses of the ISO 27001 standard spell out in general terms the kinds of controls that an organization should have in place. Annex A of the standard is more specific, listing 93 controls that organizations should implement to demonstrate that they’re taking the appropriate steps to mitigate risks to information security. 

Those controls range from access control and physical security to cryptography and incident management but fall into four general categories: technical, organizational, physical, and people. Within those four categories, 12 Annex A controls can be directly addressed by an MDM solution like Iru.

Technological Controls

8.1: User endpoint devices

Information stored on, processed by, or accessible to users on endpoint devices should be protected. MDM can help by ensuring that company-issued laptops have encrypted hard drives.

8.7: Protection against malware

You need a way to ensure that information and other assets are protected against malware, and that protection should be supported by appropriate user training about best practices. MDM can help by deploying antimalware software; Iru EDR, which integrates with Iru's device management infrastructure, offers such protection. 

Kandji Avert LI_shadow

8.8: Technical vulnerabilities

Organizations should have some way of staying abreast of technical vulnerabilities that might impact their information systems, along with processes for evaluating their exposure and tools for defending against threats. Your MDM solution be able to patch such vulnerabilities on endpoints, whether they’re in the operating system or other software. (In Iru's case, the Managed OS and Auto Apps Library Items can help here.)

8.9: Configuration management

Here’s where MDM is a necessity: You need to implement and monitor the configurations—including security configurations—of hardware, software, and services to ensure they all conform to your security requirements. You also need some way to remediate them in case an end user or other unauthorized party changes them. Any good MDM solution should be able to help with this.

8.16: Monitoring activities

You need to be able to monitor networks, systems, and applications for anomalous behavior and then take appropriate action in response. With MDM, you should—at a minimum—be able to keep and retrieve logs pertaining to events on endpoints, including malware detection. 

8.19: Installation of software

Procedures and measures should be in place to install software securely. Your MDM solution should be able to install software from the App Store and other sources in a way that ensures its integrity and prevents the exploitation of vulnerabilities.

Kandji Custom Apps_shadow

Organizational Controls

5.9: Inventory of assets

The organization should identify its information and associated assets, in order to preserve their security and assign appropriate ownership. MDM can help with this by generating and exporting IT asset inventory reports.

Kandji Device list_shadow

5.11: Return of assets

The organization should have some kind of system to ensure that employees (and others) who have information assets in their possession (such as Mac computers or other Apple devices) should return those assets when their employment, contract, or agreement changes or ends. An MDM solution can let administrators lock such endpoints in those events.

5.17: Authentication information

As an IT manager, you need to be sure that you advise users to the right way to handle passwords and other elements of authentication. One way to do that: Deploy a password manager to endpoints via MDM. Another: Make sure users are following good passcode policies in accessing their devices; again, such policies may be enforceable via MDM.

8.24: Cryptography

You need to have the infrastructure in place to use cryptography effectively, to protect the confidentiality and authenticity of business information, including managing the keys. A good MDM solution will let you enable and configure options for FileVault, including the escrowing of a recovery key.

Kandji FileVault LI_shadowPhysical Controls

7.10: Storage media

Storage media should be managed through their life cycle, from acquisition and use through disposal. That means the organization should be able to ensure that it can control the disclosure, modification, removal, and destruction of information on such media. Some MDM solutions—including Iru—allow you to define rules that allow or block access to removable storage.

Kandji Access and Storage Access LI_shadow_sharp

People Controls

6.7: Remote working

You need systems in place to protect your organization’s information even when the people working with it are doing so remotely. MDM can help by configuring hard drive encryption on devices used by remote employees. 

Those are the key ISO 27001 controls that MDM can help with. There may be others, depending on how you’ve implemented MDM, how your organization operates, and what your particular MDM solution can do.

With cybercrime on the rise and new threats constantly emerging, such controls have never been more important. Paying attention to ISO 27001’s requirements can help you to be more aware of the risks and to proactively identify and address any weaknesses your organization might have. An MDM solution like Iru could be a key tool in doing that.

About Iru

Iru is the AI-powered platform for identity, endpoint, and compliance that empowers secure and productive global work. With Iru, IT and security teams replace a fragmented stack of point solutions with one integrated system, securing access, protecting devices, and proving compliance while delivering a better employee experience. Through advanced automation and Iru AI, we're bringing much-needed clarity to the way IT and security teams work today and tomorrow.

Kandji is now Iru. This article was originally published under the Kandji brand.



 

Recent Articles

Featured image: MiniRAT: A Go-based macOS RAT delivered via malicious npm package
Calvin So 13 min read

MiniRAT: A Go-based macOS RAT delivered via malicious npm package

A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.

Threat Intelligence
Featured image: Apple is about to enforce stricter TLS standards for MDM. Are you ready?
Arek Dreyer 7 min read

Apple is about to enforce stricter TLS standards for MDM. Are you ready?

Starting as early as the next major OS release, Apple devices will refuse to connect to any device management service, Mobile Device Management (MDM) server, enrollment endpoint, or app distribution infrastructure that does not meet tightened TLS standards. Non-compliant servers will simply stop working for enrollment, device management, app delivery, and software updates.

Educational
Featured image: How endpoint security shaped Bindplane's ISO 27001 journey
Iru Team 5 min read

How endpoint security shaped Bindplane's ISO 27001 journey

Getting ISO 27001 certified is one thing. Building a compliance program that actually holds up between audits, without consuming your engineering team, is another problem entirely.

Educational

See Iru in action

Discover why thousands of teams choose Iru

 By submitting this form I agree to Iru’s Privacy Policy and consent to be contacted by Iru about its products and services.

Stay up to date

Iru's weekly collection of articles, videos, and research to keep IT & Security teams ahead of the curve.