How MDM Can Help You Achieve ISO 27001 Compliance

ISO 27001 is a compliance standard that defines in general terms what a good information security management system (ISMS) should do. Such systems protect the security, availability, and confidentiality of an organization’s information assets through technical and organizational policies and procedures. Conformity with ISO 27001 means that an organization has systems in place and is following best practices to manage risks to its data.

Kandji recently earned its own ISO 27001 certification, in part because we use Kandji ourselves as our MDM solution. Your MDM solution should be able to help you do the same. Here’s how.

How MDM Enables Security Compliance

The management clauses of the ISO 27001 standard spell out in general terms the kinds of controls that an organization should have in place. Annex A of the standard is more specific, listing 93 controls that organizations should implement to demonstrate that they’re taking the appropriate steps to mitigate risks to information security. 

Those controls range from access control and physical security to cryptography and incident management but fall into four general categories: technical, organizational, physical, and people. Within those four categories, 12 Annex A controls can be directly addressed by an MDM solution like Kandji.

Technological Controls

8.1: User endpoint devices

Information stored on, processed by, or accessible to users on endpoint devices should be protected. MDM can help by ensuring that company-issued laptops have encrypted hard drives.

8.7: Protection against malware

You need a way to ensure that information and other assets are protected against malware, and that protection should be supported by appropriate user training about best practices. MDM can help by deploying antimalware software; Kandji EDR, which integrates with Kandji’s device management infrastructure, offers such protection. 

8.8: Technical vulnerabilities

Organizations should have some way of staying abreast of technical vulnerabilities that might impact their information systems, along with processes for evaluating their exposure and tools for defending against threats. Your MDM solution be able to patch such vulnerabilities on endpoints, whether they’re in the operating system or other software. (In Kandji's case, the Managed OS and Auto Apps Library Items can help here.)

8.9: Configuration management

Here’s where MDM is a necessity: You need to implement and monitor the configurations—including security configurations—of hardware, software, and services to ensure they all conform to your security requirements. You also need some way to remediate them in case an end user or other unauthorized party changes them. Any good MDM solution should be able to help with this.

8.16: Monitoring activities

You need to be able to monitor networks, systems, and applications for anomalous behavior and then take appropriate action in response. With MDM, you should—at a minimum—be able to keep and retrieve logs pertaining to events on endpoints, including malware detection. 

8.19: Installation of software

Procedures and measures should be in place to install software securely. Your MDM solution should be able to install software from the App Store and other sources in a way that ensures its integrity and prevents the exploitation of vulnerabilities.

Organizational Controls

5.9: Inventory of assets

The organization should identify its information and associated assets, in order to preserve their security and assign appropriate ownership. MDM can help with this by generating and exporting IT asset inventory reports.

5.11: Return of assets

The organization should have some kind of system to ensure that employees (and others) who have information assets in their possession (such as Mac computers or other Apple devices) should return those assets when their employment, contract, or agreement changes or ends. An MDM solution can let administrators lock such endpoints in those events.

5.17: Authentication information

As an IT manager, you need to be sure that you advise users to the right way to handle passwords and other elements of authentication. One way to do that: Deploy a password manager to endpoints via MDM. Another: Make sure users are following good passcode policies in accessing their devices; again, such policies may be enforceable via MDM.

8.24: Cryptography

You need to have the infrastructure in place to use cryptography effectively, to protect the confidentiality and authenticity of business information, including managing the keys. A good MDM solution will let you enable and configure options for FileVault, including the escrowing of a recovery key.

Physical Controls

7.10: Storage media

Storage media should be managed through their life cycle, from acquisition and use through disposal. That means the organization should be able to ensure that it can control the disclosure, modification, removal, and destruction of information on such media. Some MDM solutions—including Kandji—allow you to define rules that allow or block access to removable storage.

People Controls

6.7: Remote working

You need systems in place to protect your organization’s information even when the people working with it are doing so remotely. MDM can help by configuring hard drive encryption on devices used by remote employees. 

Those are the key ISO 27001 controls that MDM can help with. There may be others, depending on how you’ve implemented MDM, how your organization operates, and what your particular MDM solution can do.

With cybercrime on the rise and new threats constantly emerging, such controls have never been more important. Paying attention to ISO 27001’s requirements can help you to be more aware of the risks and to proactively identify and address any weaknesses your organization might have. An MDM solution like Kandji could be a key tool in doing that.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.