ISO 27001 controls

Problem to solve

Refer to epic &16620 (closed) for more details.

The compliance centre does not currently provide all the controls needed to cover every ISO 27001 check. Therefore we cannot provide a template for this standard.

Background

ISO 27001 is an internationally recognized standard that provides a framework for implementing and managing an Information Security Management System (ISMS). It focuses on protecting the confidentiality, integrity, and availability of information within an organization through a risk-based approach that encompasses people, processes, and technology.

ISO 27001 is important for compliance for the following reasons:

  • Helps organizations meet legal and regulatory requirements related to information security and data protection.
  • Enhances customer trust, provides a competitive advantage, and offers a structured approach to risk management.
  • Certification demonstrates a commitment to data security, can lead to cost savings through improved processes and incident prevention, and is globally recognized.

Proposal

Add all controls required to be able to provide this standard as a template.

ISO 27001: possible checks per control

5.3: Segregation of Duties

  • Check to ensure that there is a segregation of duties between the person who triggers a deployment and the person who approves it
  • Check to ensure that an auditor role is set up
  • Check to ensure that a Code Owners file is set up

5.7: Threat Intelligence

  • Check to see if customers have the right license to access the Vulnerability Report

5.8: Information security in project management

  • Check to ensure that code changes in GitLab are attached to an issue
  • Check that default templates are set for a project

5.13: Labelling of Information

  • Check that every project has labels set up
  • Check that every issue and MR has at least 1 label

5.15: Access Control

  • Check that SAML is enabled
  • Check that a Code Owners file is set up

5.16: Identity Management

  • Check that SAML is enabled.

5.18: Access Rights

  • Check for users that have not been active in GitLab for more than 60 days
  • Check that a user accesses a project only after requesting access from the Administrator

Annex A 8.28: Secure Coding

  • Check that SAST is enabled

All controls can be found here: https://docs.google.com/spreadsheets/d/1Wdksot38os84xk9XtuERYc3Ako6GmLprtjFlqE1NP2E/edit?gid=602090111#gid=602090111

  • merge_request_prevent_author_approval
  • merge_request_prevent_committers_approval
  • deployment_prevent_author_approval
  • role_auditor_configured
  • file_code_owners_exists
  • minimum_approvals_required_2
  • merge_request_has_issue
  • labels_configured
  • labels_configured_merge_request
  • labels_configured_issues
  • auth_saml_enabled
  • file_code_owners_exists
  • auth_saml_enabled
  • user_active_days_60
  • scanner_sast_running
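The checks listed under each control above, evaluated against a snapshot of project data, as an added example of how such controls could be scored. This is not GitLab's compliance-centre implementation: the snapshot shape, its field names and the sample values are all constructed assumptions; only the check names follow the identifiers listed in this issue.

```python
"""Score the ISO 27001 checks from this issue against a project snapshot.

Added example, not GitLab's own code. PROJECT is constructed sample data
with an assumed shape (not a GitLab API payload); the check functions are
named after the control identifiers listed in the issue.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the inactivity check is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed project snapshot (assumed field names).
PROJECT = {
    "saml_enabled": True,
    "files": ["README.md", "CODEOWNERS"],
    "auditor_role_configured": False,
    "approvals_required": 2,
    "labels": ["bug", "security"],
    "sast_jobs_last_pipeline": ["sast"],
    "merge_requests": [
        {"iid": 1, "author": "alice", "approvers": ["bob", "carol"],
         "committers": ["alice"], "issues": [42], "labels": ["security"]},
        # Self-approved, approved by a committer, no linked issue, no label.
        {"iid": 2, "author": "dave", "approvers": ["dave"],
         "committers": ["dave", "erin"], "issues": [], "labels": []},
    ],
    "issues": [{"iid": 42, "labels": ["bug"]}, {"iid": 43, "labels": []}],
    "deployments": [
        {"id": 10, "triggered_by": "alice", "approved_by": ["bob"]},
        # Same person triggers and approves: segregation-of-duties failure.
        {"id": 11, "triggered_by": "frank", "approved_by": ["frank"]},
    ],
    "users": [
        {"username": "alice", "last_activity": NOW - timedelta(days=3)},
        {"username": "ghost", "last_activity": NOW - timedelta(days=90)},
    ],
}


def inactive_users(project, days=60, now=NOW):
    """Usernames whose last activity is older than `days` (control 5.18)."""
    cutoff = now - timedelta(days=days)
    return sorted(u["username"] for u in project["users"] if u["last_activity"] < cutoff)


# Each check returns True when the control is satisfied for the whole project.
CHECKS = {
    # 5.3 Segregation of duties
    "merge_request_prevent_author_approval": lambda p: all(
        mr["author"] not in mr["approvers"] for mr in p["merge_requests"]),
    "merge_request_prevent_committers_approval": lambda p: all(
        not set(mr["approvers"]) & set(mr["committers"]) for mr in p["merge_requests"]),
    "deployment_prevent_author_approval": lambda p: all(
        d["triggered_by"] not in d["approved_by"] for d in p["deployments"]),
    "role_auditor_configured": lambda p: p["auditor_role_configured"],
    "file_code_owners_exists": lambda p: "CODEOWNERS" in p["files"],
    "minimum_approvals_required_2": lambda p: p["approvals_required"] >= 2,
    # 5.8 Information security in project management
    "merge_request_has_issue": lambda p: all(mr["issues"] for mr in p["merge_requests"]),
    # 5.13 Labelling of information
    "labels_configured": lambda p: bool(p["labels"]),
    "labels_configured_merge_request": lambda p: all(mr["labels"] for mr in p["merge_requests"]),
    "labels_configured_issues": lambda p: all(i["labels"] for i in p["issues"]),
    # 5.15 / 5.16 Access control and identity management
    "auth_saml_enabled": lambda p: p["saml_enabled"],
    # 5.18 Access rights
    "user_active_days_60": lambda p: not inactive_users(p),
    # Annex A 8.28 Secure coding
    "scanner_sast_running": lambda p: "sast" in p["sast_jobs_last_pipeline"],
}


def run_checks(project):
    """Map every check identifier to its pass/fail result."""
    return {name: bool(check(project)) for name, check in CHECKS.items()}


def failing_checks(project):
    """Sorted identifiers of the checks the project does not satisfy."""
    return sorted(name for name, ok in run_checks(project).items() if not ok)


if __name__ == "__main__":
    for name, ok in run_checks(PROJECT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("inactive >60 days:", inactive_users(PROJECT))
```

Each check is written as a whole-project predicate, so a single offending merge request, deployment or user fails the control; the per-object detail (which MR, which user) is what a report would surface next to the identifier, and `inactive_users` shows that pattern for the 60-day check.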

Related links

  1. https://about.gitlab.com/blog/2023/09/06/how-gitlab-can-support-your-iso-compliance-journey/
  2. http://www.klaushaller.net/?page_id=552
  3. https://secureframe.com/hub/iso-27001/controls
  4. https://github.com/6mile/DevSecOps-Playbook/blob/main/README.md

Edited by Nate Rosandich