ISO 27002

COMPLIANCE GUIDE
How Rapid7 Can Help You Achieve Compliance
with ISO 27002

CONTENTS
Introduction 2
Detailed Controls Mapping 3
About Rapid7 8

| rapid7.com ISO 27002 Compliance Guide 1


INTRODUCTION
If you’re looking for a comprehensive, global framework to tailor your security program, then ISO 27002 may be right for your organization. Compliance doesn’t equal security, but standards such as ISO 27002 can be a helpful tool for demonstrating your security posture to internal and external stakeholders. You can even opt to get certified by the International Organization for Standardization (ISO) to provide additional reassurance to customers and partners. Like any best practices around security controls, you’ll get the most out of ISO 27002 if you read between the lines to understand the intent behind each guideline. We recommend you use the standard as a starting point and, where possible, go beyond the minimum requirements to take your security program to the next level.

What is ISO 27002?

ISO 27002 is an internationally recognized standard designed for organizations to use as a reference for implementing and managing information security controls. The standard is intended to be used with ISO 27001, which provides guidance for establishing and maintaining information security management systems. Many organizations use ISO 27001 and 27002 in conjunction as a framework for showing compliance with regulations where detailed requirements are not provided, for example the Sarbanes-Oxley Act (SOX) in the U.S. and the Data Protection Directive in the EU. Published in October 2013, the latest version of ISO 27002 covers 14 security control areas (numbered from 5 to 18), with implementation guidance and requirements for each specific control.

How Rapid7 Can Help

Rapid7 products and services can help organizations address controls recommended in ISO 27002 as follows:

• InsightVM is a vulnerability management solution that can help organizations identify and classify their assets (8.1 and 8.2), audit password policies (9.2.4, 9.3.1, 9.4.3), identify and prioritize vulnerabilities (12.6.1), and more.
• Metasploit is a penetration testing solution that can help organizations validate vulnerability exploitability (12.6.1), audit the effectiveness of network segmentation (13.1.3), conduct technical compliance tests (18.2.3), and more.
• InsightAppSec is a web application security solution that can help organizations test the security of web applications (14.2.3, 14.2.8, 14.2.9).
• InsightIDR is an advanced SIEM solution that can help organizations monitor user access to the network (9.1.2, 9.2.3, 9.2.5), collect and analyze events (12.4.1, 12.4.2, 12.4.3), assist in incident response (16.1.4, 16.1.7), and more.

Rapid7 can provide Security Consulting Services to perform an assessment of an organization’s current state of controls against the ISO 27002 framework and identify gaps in their security program. Rapid7 can also develop and review security policies (5.1.1, 5.1.2), conduct penetration tests (14.2.8, 14.2.9, 18.2.3), respond to security incidents (16.1.5, 16.1.7), and more.



DETAILED CONTROLS MAPPING
Below is a mapping of ISO 27002 controls to the Rapid7 products and services that can address at least part of the
requirements. Please refer to the ISO/IEC 27002:2013 document on www.iso.org for a complete description of each
control and detailed requirements.

Each entry below gives the control category, the control, its description, the Rapid7 product or service, and how Rapid7 can help.


5. INFORMATION SECURITY POLICIES
5.1 Management direction for information security

5.1.1 Policies for information security
  Description: Define, approve, and communicate a set of policies for information security.
  Product/Service: Security Program Development
  How Rapid7 Can Help: Rapid7 can help organizations build an effective security program taking into account their business strategy, compliance requirements, and the threat landscape.

5.1.2 Review of the policies for information security
  Description: Review policies at planned intervals or if significant changes occur.
  Product/Service: Cyber Security Maturity Assessment
  How Rapid7 Can Help: Rapid7 can perform an assessment of an organization’s current state of controls, policies, and procedures, and identify tactical and strategic initiatives for improving security.

8. ASSET MANAGEMENT
8.1 Responsibility for assets

8.1.1 Inventory of assets
  Description: Identify organizational assets and maintain an inventory of these assets.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM enables assets to be tagged with contextual information, including assigning an asset owner.
  • InsightIDR automatically detects the primary user of each asset.

8.1.2 Ownership of assets
  Description: Assign an asset owner for assets maintained in the inventory.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM enables assets to be tagged with contextual information, including assigning an asset owner.
  • InsightIDR automatically detects the primary user of each asset.

8.2 Information classification

8.2.1 Classification of information
  Description: Classify information and assets in terms of value, criticality and sensitivity.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM enables assets to be tagged with contextual information, including classifying an asset’s criticality.
  • InsightIDR enables assets to be tagged as critical.

8.3 Media handling

8.3.1 Management of removable media
  Description: Implement procedures to manage the use of removable media.
  Product/Service: InsightVM
  How Rapid7 Can Help: InsightVM can measure part of this control by providing the ability to audit whether autoplay is allowed on devices.



9. ACCESS CONTROL
9.1 Business requirements of access control

9.1.2 Access to networks and network services
  Description: Limit user access to the network and monitor use of network services.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR provides the ability to monitor configurable network zones and access policies, and alerts on violation of these policies.

9.2 User access management

9.2.3 Management of privileged access rights
  Description: Restrict and control allocation and use of privileged access rights.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR monitors use of administrative accounts, and alerts on new admin accounts and account privilege escalation.

9.2.4 Management of secret authentication information
  Description: Control allocation of passwords and change default passwords.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM automatically scans the entire network to identify systems that are configured with vendor default credentials.
  • InsightIDR automatically detects accounts that are shared between multiple users.

9.2.5 Review of user access rights
  Description: Review user access rights at regular intervals and after any changes.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR provides visibility of all user accounts, including local, domain, and cloud services accounts.

9.3 User responsibilities

9.3.1 Use of secret authentication information
  Description: Ensure users are following the organization’s password policies.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM provides fully customizable policy scanning to audit passwords for minimum complexity and length.
  • InsightIDR automatically detects user credentials that may have been compromised in third-party breaches.

9.4 System and application access control

9.4.1 Information access restriction
  Description: Restrict access to information and applications based on access control policy.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR can partially help with this control by monitoring access to key applications, and alerting on unauthorized or suspicious usage.

9.4.2 Secure log-on procedures
  Description: Control access to systems and applications by a secure log-on procedure.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM can measure part of this control by providing the ability to audit account lockout configurations, including maximum failed log-on attempts.
  • InsightIDR automatically detects unauthorized access, and alerts on brute force attempts and unusual authentication activity.

9.4.3 Password management system
  Description: Password management systems should ensure quality passwords.
  Product/Service: InsightVM; Metasploit
  How Rapid7 Can Help:
  • InsightVM provides the ability to audit password policy configurations, including complexity, expiry, re-use and encryption.
  • Metasploit tests password quality with online brute-force attacks, offline password cracking, and credential re-use.



12. OPERATIONS SECURITY
12.2 Protection from malware

12.2.1 Controls against malware
  Description: Implement detection and prevention controls to protect against malware.
  Product/Service: InsightVM; InsightIDR
  How Rapid7 Can Help:
  • InsightVM scans every Windows workstation to check that:
    • URL filtering and website reputation scanning are enabled;
    • E-mail clients are configured to block certain attachments;
    • Anti-malware software is installed, enabled and up-to-date.
  • InsightIDR detects known malicious processes on endpoints, and identifies unauthorized software that is rare or unique.

12.4 Logging and monitoring

12.4.1 Event logging
  Description: Record user activities, exceptions, faults, and information security events.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR collects logs, correlates events by user, machine and IP, and analyzes them for anomalies and suspicious activities.

12.4.2 Protection of log information
  Description: Protect log information against tampering and unauthorized access.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR saves logs from various sources in a secure, offsite location, and alerts on event log files being deleted.

12.4.3 Administrator and operator logs
  Description: Log and review system administrator and operator activities regularly.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR provides visibility of all administrator activities, including local, domain and cloud service admin accounts.

12.6 Technical vulnerability management

12.6.1 Management of technical vulnerabilities
  Description: Evaluate the organization’s exposure to vulnerabilities and address associated risks.
  Product/Service: InsightVM; Metasploit; InsightIDR; Managed Services
  How Rapid7 Can Help:
  • InsightVM automatically scans the entire network for vulnerabilities and prioritizes them for remediation based on risk.
  • Metasploit automatically tests the exploitability of vulnerabilities to demonstrate exposure for prioritization.
  • InsightIDR correlates vulnerability data with event logs to provide additional user context to incidents.
  • Rapid7 can provide a fully-managed, cloud-based vulnerability management service operated on a monthly or quarterly basis.

13. COMMUNICATIONS SECURITY
13.1 Network security management

13.1.3 Segregation in networks
  Description: Segregate groups of information services, users and systems on networks.
  Product/Service: Metasploit; InsightIDR
  How Rapid7 Can Help:
  • Metasploit automates the task of testing whether network segmentation is operational and effective.
  • InsightIDR provides the ability to monitor configurable network zones and access policies, and alerts on violation of these policies.



13.2 Information transfer policies and procedures

13.2.1 Information transfer policies and procedures
  Description: Protect the transfer of information through all types of communication facilities.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR can partially help with this control by providing visibility into usage of cloud-based communications or storage services.

14. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
14.2 Security in development and support process

14.2.3 Technical review of applications after operating platform changes
  Description: Review and test business critical applications when operating platforms change.
  Product/Service: InsightAppSec
  How Rapid7 Can Help: InsightAppSec can be used to dynamically scan applications when operating platforms change to identify vulnerabilities.

14.2.8 System security testing
  Description: Conduct testing of security functionality during development.
  Product/Service: InsightAppSec; Penetration Testing Services
  How Rapid7 Can Help:
  • InsightAppSec integrates with continuous integration tools to identify vulnerabilities within the development lifecycle.
  • Rapid7 can perform manual penetration testing on web and mobile applications to identify security weaknesses.

14.2.9 System acceptance testing
  Description: Conduct acceptance testing for new information systems, upgrades and new versions.
  Product/Service: InsightAppSec; Penetration Testing Services
  How Rapid7 Can Help:
  • InsightAppSec can be used to dynamically scan new applications, upgrades and new versions to identify vulnerabilities.
  • Rapid7 can perform manual penetration testing on web and mobile applications to identify security weaknesses.

16. INFORMATION SECURITY INCIDENT MANAGEMENT
16.1 Management of information security incidents and improvements

16.1.1 Responsibilities and procedures
  Description: Establish responsibilities and procedures for response to security incidents.
  Product/Service: Incident Response Program Development
  How Rapid7 Can Help: Rapid7 can perform an assessment of the organization’s current preparedness and help develop an incident response plan.

16.1.4 Assessment of and decision on information security events
  Description: Assess events to decide if they are to be classified as security incidents.
  Product/Service: InsightIDR
  How Rapid7 Can Help: InsightIDR uses behavioral analytics to detect security incidents and speeds up assessment of security events by providing instant user context and incident investigation tools.

16.1.5 Response to information security incidents
  Description: Respond to security incidents according to documented procedures.
  Product/Service: Incident Response Services
  How Rapid7 Can Help: Rapid7 can help organizations with all stages of incident response, from analysis and detection to containment and remediation.

16.1.7 Collection of evidence
  Description: Define and apply procedures for identification and collection of evidence.
  Product/Service: InsightIDR; Incident Response Services
  How Rapid7 Can Help:
  • InsightIDR provides the ability to map findings to an interactive timeline and produce a final report for communication.
  • Rapid7 can help organizations develop an incident response plan and define evidence collection and documentation processes.



18. COMPLIANCE
18.2 Information security reviews

18.2.1 Independent review of information security
  Description: Review approach to managing information security at planned intervals.
  Product/Service: Cyber Security Maturity Assessment
  How Rapid7 Can Help: Rapid7 can perform an assessment of an organization’s current state of controls, policies and procedures, and identify tactical and strategic initiatives for improving security.

18.2.3 Technical compliance review
  Description: Review compliance with policies and standards regularly.
  Product/Service: InsightVM; Metasploit; Penetration Testing Services
  How Rapid7 Can Help:
  • InsightVM provides auditing and reporting capabilities for assessing compliance with security policies and standards.
  • Metasploit allows organizations to simulate real-world attacks and test effectiveness of security controls.
  • Rapid7 can perform penetration tests on network infrastructure and applications to test the security of information systems.



ABOUT RAPID7
Rapid7 (NASDAQ:RPD) is trusted by IT and security professionals around the world to manage risk, simplify modern IT complexity, and drive innovation. Rapid7 analytics transform today’s vast amounts of security and IT data into the answers needed to securely develop and operate sophisticated IT networks and applications. Rapid7 research, technology, and services drive vulnerability management, penetration testing, application security, incident detection and response, and log management for thousands of organizations around the globe. To learn more about Rapid7 or join our threat research, visit www.rapid7.com.
