Close Menu
Blog
  Back
Posted by Andrew Ballantyne on 23rd July 2021

Microsoft Cloud Products that support ISO27001 Policies & Procedures- Part 2

Having recently passed another ISO27001 audit with BSI, I thought it would be worth doing a 2-part blog series where I will share with you some of the key Microsoft Cloud products Circle Cloud use to help provide technical enforcement for our information security policies. I am sure that most Information Security Managers and Data Protection Officers would agree that bridging the gap between the rules that are written on paper and what staff actually do in real life can be a genuine challenge. 

Well, that’s where technology comes into it (particularly the Microsoft Cloud, in this case). Before getting into it, it’s worth noting that the success of technology when it comes to bolstering your organisation’s information security is dependent on how you approach it. I have known many businesses to implement information security technologies without having any policies or procedures in place, which is the equivalent of throwing the proverbial at the wall and hoping some of it sticks. In such instances, people can often be left disillusioned with the effectiveness of technology and its capabilities to solve information security challenges within their organisations. That’s because, with no underlying structure to provide context, things can become messy and underutilised, eventually falling out of use completely. It is for that reason that I have addressed this blog to those organisations with ISO27001 certification, simply because there will be a structure of basic policies and procedures in place by default.

 

Windows Autopilot & Single Sign on

Related ISO27001 Controls: A7 (Human Resource Security)

I have been less specific with the related clause in this instance. I have bracketed the benefits offered by Windows Autopilot and Single Sign on under Human Resources Security because how useful the two products are when it comes to employee onboarding and offboarding. However, what’s worth noting here is that the scope of what can be achieved is more far reaching. Onboarding new users efficiently requires, as a preliminary step, to have role-based access clearly defined within the organisation. For example, you wouldn’t want your salesperson having access to any financial management applications. A simple role matrix is therefore a great place to start, charting job titles against required applications.

Once you have this, the management of onboarding and offboarding according to role can be made so much simpler using Windows Autopilot and Single Sign on. In order to explain how this is so, I will give an overview of each…

Windows Autopilot: IT Departments spend significant time building and customising images that will later be deployed to devices. Windows Autopilot introduces a new approach that benefits both the user and the IT Manager.

Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state that can apply settings and policies and install the apps relevant to the job role. The only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated, making start-up easy, manageable, and less prone to issues or mistakes.

New devices can simply be shipped from the supplier directly to the user who only has to complete a couple of initial sign-in tasks and then wait while the relevant the preconfigured Windows image and settings is downloaded and setup for them.

Single Sign on: Single sign-on (SSO) adds security and convenience by allowing your users sign-on to their business applications using their Office 365 credentials. It does so by authenticating all logins to business applications via Azure Active Directory. With single sign-on, a user doesn't have to sign into every application they use. The user logs in once and that credential is used for other apps too.

This isn’t just useful for onboarding, however. One of the real benefits to Single Sign on is the ability to remove a user’s access to all their business applications once they leave. This saves time on offboarding, as the apps that have been grouped by job role can just as easily be removed as they are given. Gone are the days when IT Managers (and DPOs) are required to manually revoke app access on a case by case basis. With SSO, it’s a simple allow access and revoke access that is managed centrally and distributed according to role.

 

Microsoft Intune (Part of Endpoint Manager)

Related ISO27001 Controls: Mobile Device Policy (A6.2.1)

Although the ISO27001 standard stipulates the inclusion of certain polices, what actually goes into those policies is largely up to the organisation. Therefore, when it comes to Mobile Device Management, the standard isn’t there to determine whether you should or shouldn’t implement a Bring Your Own Device policy. That choice is for your key decision makers. After all, it’s your organisation and you are encouraged to manage it as you see fit. Such policy decisions are therefore yours to make, providing that you’ve taken into consideration the standard’s ‘implementation guidance’ and demonstrated that you’ve taken into consideration the risks associated to your choices.

So, whether it’s BYOD or not, Microsoft Intune is there to accommodate. It is a cloud-based mobile device management (MDM) and mobile application management (MAM) platform for your apps and devices. It is now directly part of the Microsoft Endpoint Management suite of applications, which we have covered in a separate blog post. If you would like to see a video from one of our webinars that looks at Intune in a more detail, Click Here.

Microsoft Intune lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, MacOS, and Windows 10 devices – while also integrating with other services. In Intune, devices can be managed using an approach that's right for your organisation. For company-owned devices, you may want full control on the devices, including settings, features, and security. With this approach, devices and users of these devices enrol in Intune. Once enrolled, they receive your organisation’s pre-set rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.

For personal devices or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. With this approach, users can be given options. For example, users can enrol their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then they can use app protection policies that require multi-factor authentication (MFA) to use these apps.

 

Concluding Remarks

No matter where you’re at on your ISO27001 journey- whether you’re just starting out, or whether you have a more advanced system- there are Microsoft Cloud technologies available that can help you improve the enforcement of your policies. I have only managed to cover a few in this 2 part blog series, however there are many others that can bolster other areas of your ISMS. For example, Data Loss Prevention can be a great tool to technically enforce your data retention policies by forcing retention labels to all digital information assets. This is something I will be covering in a future blog post.

For now though, I hope you found this piece useful. If you have any questions around how the Microsoft Cloud can help support your information security policies and procedures, please do not hesitate to get in touch.

If you havent read Part 1 yet, Click here.

 

 
Recent Posts

Some of our happy clients...

Mark Arundale
Managing Director- Sine Consulting

We moved to Circle Cloud just over a year ago because our IT was costing us productivity. There was a lot of downtime and unpredictability, which made running our business harder than it needed to be. Circle Cloud have made things so much more straightforward. Their IT Management Plans are perfect for our needs as a small business. The service is so clear and well designed, we have regular reviews and now have a more proactive and professional provider

Beverly Goodall
Managing Director- Abacus Bean

As the owner of an accountancy practice, there’s so much to think about. I need to stay focussed on our own products and services and making sure our customers are looked after. That’s why working with Circle Cloud has been perfect. They’ve taken away any concerns I’ve had around information security. The initial 30 day onboarding process made such a big difference, and the support we’ve had since has been excellent.

Andy Craddock
Managing Director- Accurate Data Services

In our industry it is critical to be constantly focussed on information security. At Accurate Data Services Ltd we always deal with extremely sensitive data, so remaining one step ahead of IS risk is our top priority.  We wanted to work with Circle Cloud because there IS infrastructure design continuously ticks all of the right boxes, can be delivered quickly and is scaleable.  It really is a comfort to everyone in the business that Circle Cloud are there, constantly having our back and making sure that our IS systems are always best in class.

Tony Crocker
Managing Director- IWC Wills & Probate

Circle Cloud’s IT Managed Service has been brilliant for us. It really is focussed on the security side of things. That matters a lot. When you think about all the emails and information that get shared on a daily basis, there is always that worry that something important might slip through. But Circle Cloud have put everything in place to make sure we’re safe.

Mark Pendlebury
IT Manager- Cosatto Limited

Working with Circle Cloud to implement the transition of our ERP system and SQL server into Azure has been a great choice. They have shown great knowledge of the platform and it's possibilities and have worked closely with us to ensure key project milestones and testing phases were met resulting in a successful and on time go live. Furthermore, they have also offered great advice and help on licensing to ensure costs are kept to a minimum.

Deborah Hugill
IT Director- Nigel Wright Ltd

We needed to modernise our server infrastructure in order to enhance resilience, as well as improve accessibility for our European workforce.  This is why we decided to move to the cloud, however we needed a supplier that could help us on our journey. We found the perfect technology partner in Circle Cloud, who specialise specifically in the Microsoft Cloud. They moved all our applications and files to Microsoft Azure which has proven extremely robust, ticking all the boxes we needed it to.

Urfan Durrani
IT Director- Protec International

As a business we had various challenges from moving a legacy on premise exchange system into hosted Office365 environment. Our Office365 system offers the users almost guaranteed uptime, accessible from any place and device, whilst its management facilities make it easier to monitor and control. The commitment to quality and care by Circle Cloud, provided the management team with assurances.

Craig Kippling
Director- Studio Anyo

We needed a telephone system that offered the functionality of a PBX solution. Circle Cloud were the perfect partner to guide us. They demonstrated how Microsoft Teams itself could be used as our full, business-wide telephone solution. They scoped our requirements and migrated our group to Microsoft Business Voice, which bolts seamlessly onto Microsoft Teams.  Our decentralised workforce can now make and receive business calls from anywhere using mobile apps and laptop headsets. This has proven invaluable over the last year and will assist in our future growth. 

Rebecca Pendlebury
Customer Care Manager- Scamp & Dude

As our Customer Care team grew we soon realised we needed to open up forms of contact for our customers. We also needed a system that was flexible and easy to use. As we already used Teams, it felt natural to incorporate Teams Voice and we couldn’t be happier with the result. As a result of Circle Cloud’s recommendations, implementation and training, we now have a happy team and customers.

Ian Burns
IT Services Manager- Waterton Academy

Circle Cloud’s offer of Office 365 security audits catered for every aspect of the brief, however it excelled in the way it was delivered to us as a customer. The added value area of mapping out detailed next steps alongside flagged areas was highly valued and demonstrated their unique ethos of being able to provide an external sound board/advisory presence and where needed, action change by their internal staff as a commissioned service. Based on the experience we had from Circle Cloud, including value for money, the accuracy and attentiveness from staff, we have now adopted the company as our external consultant for Microsoft cloud technologies.

John Painter
IT Systems & Development Manager- Denbury Homes

In November 2021 Circle Cloud were engaged after a shortlisting process, for a time sensitive tenant to tenant domain migration following a business separation- each tenant being wholly separate to the other. Several companies were contacted and their tools assessed, but none could provide a ‘one stop shop’. The expectation was that end users would see no visible difference with regards to experience or content, with the exception of a new temporary password and new MFA registration process. Circle Cloud were able to achieve this within the tight deadline. Denbury Homes are happy to recommend Circle Cloud for Office 365 and Azure Cloud to Cloud migrations, as well as On Premise to Cloud migrations.

Circle Cloud Limited
Company

Circle Cloud Ltd.
Fusion Hive
North Shore Road
TS18 2NB

  0191 672 7012
  info@circlecloud.co.uk
Products
Company
Social
Accreditation
  • ISO/IEC 27001
    Cert Number: IS 697 097
  • Cyber Essentials Certified
Site by Calm Digital Limited
© 2024 Circle Cloud Ltd.
Drop us a message...
Open Menu Open Menu
Contact Us
Open Menu Open Menu
CONTACT US