In this article, you will discover:
- What is ISO 27001 and File Integrity Monitoring (FIM)
- File Integrity Monitoring requirements in ISO 27001
What is ISO 27001?
ISO 27001 is the globally recognized standard for information security management systems (ISMS), providing companies of any size and from all sectors with a systematic and structured approach to managing and protecting sensitive information.
It employs a Plan-Do-Check-Act (PDCA) cycle and provides a framework for organizations to:
- Identify and assess information security risks
- Implement control to mitigate risks
- Monitor and review the effectiveness of of those controls on an ongoing basis
A more comprehensive explanation of ISO 27001 can be found in this article.
Who Needs ISO 27001?
ISO 27001 can benefit organizations of all sizes that handle sensitive information including businesses, agencies and nonprofits. Your company will also need the certification if you’re selling services or softwares to international organizations and businesses that are ISO 27001 compliant or have sensitive data.
What is File Integrity Monitoring?
File Integrity Monitoring (FIM), or File Integrity Management, is a security process designed to oversee and assess the integrity of critical assets, such as file systems, directories, databases, network devices, the operating system (OS) and software applications.
FIM tools employ two verification methods to check the integrity of critical files: reactive or forensic auditing (helps companies suffering from a breach understand what happened); and proactive or rules-based monitoring (detects an unauthorized or malicious change before it can lead to a breach). In both approaches, the FIM tool compares the current state of a file with a baseline and creates an alert if any alterations to the file violate the company’s predetermined security policies.
Why is File Integrity Monitoring Important?
In recent years, cybercriminals have become more adept at using malware and other tactics to manipulate vital system components. The rapid rise in remote work due to COVID-19 and the proliferation of IoT devices have also significantly expanded the attack surface for cybercriminals. FIM plays a vital role in safeguarding sensitive assets like files, data, applications, and devices by regularly scanning, monitoring, and verifying their integrity. This helps speed up the detection of potential security issues and improves the accuracy of incident responses.
File Integrity Monitoring for ISO 27001
File Integrity Monitoring (FIM) systems can play a crucial role in fulfilling the organizational and technical security controls required by ISO 27001, as detailed in its Annex A.
ISO 27001 requires that organizations monitor the integrity of sensitive information and detect unauthorized modifications, a key function of FIM.
To be specific:
ISO 27001:2022 Annex A Access Control (formerly Annex A.9 in 2013 version) mandates the implementation of controls to monitor and regulate user access to critical systems and data.
- FIM effectively meets this requirement by tracking user logon and logoff activities, issuing alerts for suspicious or unauthorized actions.
Annex A 8.15 specifies ten crucial events to be logged for maintaining information security levels, such as data access attempts, system modifications, file access requests, and so on.
- FIM identifies and records changes to critical system and application data, ensuring detection of any attempts to tamper with log data processing.
Control 8.16 serves as a dual-purpose measure for detecting and correcting anomalies to optimize risk management.
- File Integrity Monitoring monitors access to critical platforms and configuration files, providing real-time alerting for configuration changes.
Annex 8.17 emphasizes the importance of synchronized system clocks across an organization’s information systems to ensure seamless business operations and effective incident management.
- File Integrity Monitoring aids in this aspect by detecting changes and access to critical system configuration files, which may indicate attempts to disrupt clock synchronization.
Annex A 8.26 outlines information security measures for applications throughout their lifecycle.
- FIM detects changes to critical system and application files, signaling potential risks such as malware installation or disabling of protective mechanisms like two-factor authentication.
