Close Menu
Blog
  Back
Posted by Andrew Ballantyne on 16th June 2021

Microsoft Cloud Products that support ISO27001 Policies & Procedures- Part 1

Having recently passed another ISO27001 audit with BSI, I thought it would be worth doing a 2-part blog series where I will share with you some of the key Microsoft Cloud products Circle Cloud use to help provide technical enforcement for our information security policies. I am sure that most Information Security Managers and Data Protection Officers would agree that bridging the gap between the rules that are written on paper and what staff actually do in real life can be a genuine challenge.  For example, can we always be sure that amongst the hundreds (if not thousands) of emails and documents that are exchanged on a daily basis within our organisations, that 100% of them have been given the appropriate classification? All it would take is one oversight for a piece of confidential or restricted information to end up in the wrong person’s inbox. And let’s face it, for even the most conscientious employees, mistakes happen!

Well, that’s where technology comes into it (particularly the Microsoft Cloud, in this case). Before getting into it, it’s worth noting that the success of technology when it comes to bolstering your organisation’s information security is dependent on how you approach it. I have known many businesses to implement information security technologies without having any policies or procedures in place, which is the equivalent of throwing the proverbial at the wall and hoping some of it sticks. In such instances, people can often be left disillusioned with the effectiveness of technology and its capabilities to solve information security challenges within their organisations. That’s because, with no underlying structure to provide context, things can become messy and underutilised, eventually falling out of use completely. It is for that reason that I have addressed this blog to those organisations with ISO27001 certification, simply because there will be a structure of basic policies and procedures in place by default.

 

Azure Information Protection

Related ISO27001 Controls: Information Classification (A8.2.1) and Labelling of Information (A8.2.2).

Even if you don’t have ISO27001 but you are an information security conscious organisation, it is highly likely that you will have an Information Classification Policy. Well, if that’s the case, Azure Information Protection is for you.

As I have mentioned in a previous blog, Azure Information Protection (AIP) is a Microsoft Cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. It is part of the Microsoft Information Protection Solution and is dedicated to solving the problem of how to label your organisation’s information appropriately to avoid it falling into the wrong hands.

Azure Information Protection allows you to create labels with pre-set rules and enforce usage throughout your entire organisation. This means that any labels you create would become mandatory, requiring all staff to apply the most appropriate label to documents and emails.

Based on our experience, what we recommend is that you mirror the labels (and associated rules) from your organisation’s Information Classification Policy. For example, at Circle Cloud we have a label in our Policy titled ‘Restricted Internal’, which seeks to protect business-sensitive information that should only be circulated amongst Circle Cloud members of staff. We have therefore created the ‘Restricted Internal’ label in Azure Information Protection and configured it to ensure that only individuals with the Office 365 domain ‘@circlecloud.co.uk’ can access the document/email. This is a basic example, however the rules that can be applied in Azure Information Protection are extensive. You can set up labels that restrict printing from the document, copying from the document, and even screenshotting from the document, meaning that even the strictest labels from the Policy (the ones that seek to protect the most sensitive information) can be technically enforced. For a further breakdown of what restrictions can be applied to labels, click here to be taken to a previous blog.

Before I move on from Azure Information Protection, it is worth pointing out what makes it stand out from the other similar document protection products. To put simply, Azure Information Protection is not network based, it is document based. This means that the labels applied to documents and emails are embedded in the documents/emails themselves, meaning that the level of protection assigned to that document/email follows it indefinitely, no matter where in the world it lands.

 

Conditional Access & Multifactor Authentication

Related ISO Controls: Teleworking (A6.2.2)

There are a number of ISO27001 controls that Conditional Access can be used for, however teleworking/remote working is a great example, and one that is particularly relevant given the increase in remote workers we are likely to see after the COVID 19 pandemic. As I have mentioned in a previous blog, the rollout of a blanket MFA policy can often prove to be unpopular and, from our experience, is often the reason why companies end up pulling MFA out as quickly as they’ve put it in. Users tend not to like being asked to MFA every time they log into their device, which is where Conditional Access comes in.

As a high-level definition, Conditional Access restricts access to an organisation’s platforms and data by enforcing standards that must be met by a device or network before accessing information. It does this by using ‘IF-THEN’ statements that must be technically configured within your Office 365 tenant. On a basic level, here is how this works for using conditional access to apply MFA for remote workers:

IF: a user is not logging in from [insert IP address],

THEN: enforce multifactor authentication.

By using Conditional Access to gatekeep when are where MFA is used, the application of MFA becomes more contextual and less onerous. In the above scenario, only workers logging onto a device outside of a trusted IP (in this case, your remote workers) will be required to MFA, meaning that office workers can proceed with standard log-in procedures, whilst those working externally and therefore most at risk, are forced to adhere to that extra layer of security.

Of course, there will be many things in your Remote Working/Teleworking policies that cannot be enforced technically, such as finding a quiet place to work with good WiFi access and in a location where information cannot be seen. For such stipulations, there will always be an element of uncertainty around whether our staff are following the stipulations set out. However, by using the kind of technical enforcements mentioned above, we are given some degree of peace of mind from knowing that if our company devices end up in the wrong hands, there are further measures that protect that all-important company data.

If you want to understand Conditional Access in more technical detail, Click Here to see our recent webinar recording.

 

Final Remarks and what Comes Next

Before I go, I think it is necessary to reiterate a point I made at the beginning of this blog. When attempting to use technology to improve our information security measures, be it for ISO27001 or otherwise, it is important (in my opinion) that we don’t start with the technology and work backwards. There is always the urge to implement a piece of technology that we find impressive, without considering where it fits into the bigger picture. Having been faced with the dilemma of using technology to enforce and improve information security practices myself, I would advise that the best place to start is always at the policy and procedure level. Robust information security within any organisation is like anything else: it requires a system of work that is built of policies, procedures and best practices that all work together towards a common goal. So, before you think about applying that piece of technology you’re interested in- be it Microsoft or otherwise- ask yourself where it fits in to your existing structure (if you have one). If you can’t answer that question, then perhaps it’s not the one for you.

Click here for part 2, where I will look at how Windows Autopilot and Single Sign-on Can help with Employee Onboarding and Offboarding. I will also be looking at how Microsoft Intune can help with getting to grips with some key elements of your Mobile Device Policy.

 
Recent Posts

Some of our happy clients...

Mark Arundale
Managing Director- Sine Consulting

We moved to Circle Cloud just over a year ago because our IT was costing us productivity. There was a lot of downtime and unpredictability, which made running our business harder than it needed to be. Circle Cloud have made things so much more straightforward. Their IT Management Plans are perfect for our needs as a small business. The service is so clear and well designed, we have regular reviews and now have a more proactive and professional provider

Beverly Goodall
Managing Director- Abacus Bean

As the owner of an accountancy practice, there’s so much to think about. I need to stay focussed on our own products and services and making sure our customers are looked after. That’s why working with Circle Cloud has been perfect. They’ve taken away any concerns I’ve had around information security. The initial 30 day onboarding process made such a big difference, and the support we’ve had since has been excellent.

Andy Craddock
Managing Director- Accurate Data Services

In our industry it is critical to be constantly focussed on information security. At Accurate Data Services Ltd we always deal with extremely sensitive data, so remaining one step ahead of IS risk is our top priority.  We wanted to work with Circle Cloud because there IS infrastructure design continuously ticks all of the right boxes, can be delivered quickly and is scaleable.  It really is a comfort to everyone in the business that Circle Cloud are there, constantly having our back and making sure that our IS systems are always best in class.

Tony Crocker
Managing Director- IWC Wills & Probate

Circle Cloud’s IT Managed Service has been brilliant for us. It really is focussed on the security side of things. That matters a lot. When you think about all the emails and information that get shared on a daily basis, there is always that worry that something important might slip through. But Circle Cloud have put everything in place to make sure we’re safe.

Mark Pendlebury
IT Manager- Cosatto Limited

Working with Circle Cloud to implement the transition of our ERP system and SQL server into Azure has been a great choice. They have shown great knowledge of the platform and it's possibilities and have worked closely with us to ensure key project milestones and testing phases were met resulting in a successful and on time go live. Furthermore, they have also offered great advice and help on licensing to ensure costs are kept to a minimum.

Deborah Hugill
IT Director- Nigel Wright Ltd

We needed to modernise our server infrastructure in order to enhance resilience, as well as improve accessibility for our European workforce.  This is why we decided to move to the cloud, however we needed a supplier that could help us on our journey. We found the perfect technology partner in Circle Cloud, who specialise specifically in the Microsoft Cloud. They moved all our applications and files to Microsoft Azure which has proven extremely robust, ticking all the boxes we needed it to.

Urfan Durrani
IT Director- Protec International

As a business we had various challenges from moving a legacy on premise exchange system into hosted Office365 environment. Our Office365 system offers the users almost guaranteed uptime, accessible from any place and device, whilst its management facilities make it easier to monitor and control. The commitment to quality and care by Circle Cloud, provided the management team with assurances.

Craig Kippling
Director- Studio Anyo

We needed a telephone system that offered the functionality of a PBX solution. Circle Cloud were the perfect partner to guide us. They demonstrated how Microsoft Teams itself could be used as our full, business-wide telephone solution. They scoped our requirements and migrated our group to Microsoft Business Voice, which bolts seamlessly onto Microsoft Teams.  Our decentralised workforce can now make and receive business calls from anywhere using mobile apps and laptop headsets. This has proven invaluable over the last year and will assist in our future growth. 

Rebecca Pendlebury
Customer Care Manager- Scamp & Dude

As our Customer Care team grew we soon realised we needed to open up forms of contact for our customers. We also needed a system that was flexible and easy to use. As we already used Teams, it felt natural to incorporate Teams Voice and we couldn’t be happier with the result. As a result of Circle Cloud’s recommendations, implementation and training, we now have a happy team and customers.

Ian Burns
IT Services Manager- Waterton Academy

Circle Cloud’s offer of Office 365 security audits catered for every aspect of the brief, however it excelled in the way it was delivered to us as a customer. The added value area of mapping out detailed next steps alongside flagged areas was highly valued and demonstrated their unique ethos of being able to provide an external sound board/advisory presence and where needed, action change by their internal staff as a commissioned service. Based on the experience we had from Circle Cloud, including value for money, the accuracy and attentiveness from staff, we have now adopted the company as our external consultant for Microsoft cloud technologies.

John Painter
IT Systems & Development Manager- Denbury Homes

In November 2021 Circle Cloud were engaged after a shortlisting process, for a time sensitive tenant to tenant domain migration following a business separation- each tenant being wholly separate to the other. Several companies were contacted and their tools assessed, but none could provide a ‘one stop shop’. The expectation was that end users would see no visible difference with regards to experience or content, with the exception of a new temporary password and new MFA registration process. Circle Cloud were able to achieve this within the tight deadline. Denbury Homes are happy to recommend Circle Cloud for Office 365 and Azure Cloud to Cloud migrations, as well as On Premise to Cloud migrations.

Circle Cloud Limited
Company

Circle Cloud Ltd.
Fusion Hive
North Shore Road
TS18 2NB

  0191 672 7012
  info@circlecloud.co.uk
Products
Company
Social
Accreditation
  • ISO/IEC 27001
    Cert Number: IS 697 097
  • Cyber Essentials Certified
Site by Calm Digital Limited
© 2024 Circle Cloud Ltd.
Drop us a message...
Open Menu Open Menu
Contact Us
Open Menu Open Menu
CONTACT US