Get & stay audit-ready for ISO/IEC 27001 compliance

BREAKING NEWS: Runecast Analyzer 4.6 introduces automated compliance auditing for ISO/IEC 27001, adds DISA STIG Viewer export, and updates the VMware Security Configuration Guide (SCG) checks to cover vSphere 7.

ISO/IEC 27001 – What it is, Requirements, Some Challenges

What is ISO/IEC 27001

Anyone working in IT will have encountered ISO/IEC 27001 by now. First published in 2005 jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and revised since, ISO/IEC 27001 is the international standard that specifies how an organization should establish, operate and continually improve the management of its information security.

Why is ISO 27001 important

Often shortened to ISO 27001 (dropping the ‘IEC’), the standard is internationally agreed upon by security experts. That consensus gives organizations a commonly understood framework for identifying the security risks that can lead to information misuse or a full data breach. As a result, ISO 27001 has become the standard approach to managing the security of an organization’s information assets, including (but not limited to) customer data, financial data and intellectual property.

According to the ISO website, “it isn't just the large companies that are under threat. The research conducted by PricewaterhouseCoopers (PwC) on behalf of the UK Department for Business, Innovation and Skills highlighted that small businesses were experiencing incident levels previously only seen in larger organizations, with 87% of small organizations reporting a security breach in the last year.”

What are ISO 27001 requirements (in a nutshell)

Complying with ISO 27001 requires the design and implementation of coherent and comprehensive information security controls to treat any risks the organization deems unacceptable. It also requires overarching management measures to ensure that those controls continue to meet the organization’s requirements as they evolve over time. Finally, it requires regular, systematic assessment of the organization’s information security risks, accounting for threats, vulnerabilities and their potential impact, together with internal audits of the management system itself.

A few ISO 27001 challenges for IT admins

On top of the ongoing issues that IT admins manage daily, ISO 27001 poses the following additional challenges to deal with:

  • Certification is a multi-stage process (a review of the ISMS documentation, followed by an audit of the implemented controls)
  • The standard covers much more than just IT (people, processes and physical security are all in scope)
  • Audits are required more frequently at the start, then at least annually (surveillance audits, with recertification on a three-year cycle)
  • The certification auditor decides which of the in-scope controls actually get tested, so evidence must be ready for all of them
  • Organizations that do comply in every respect often lack a way to prove it


How to make ISO 27001 compliance simple: Runecast Analyzer

ISO 27001 has become the most widely adopted compliance standard in the Runecast customer base. It specifies the requirements for an information security management system (ISMS): some organizations implement it to benefit from a comprehensive set of best practices, while others pursue certification to reassure shareholders and customers that the organization gives information security risk mitigation the highest level of attention.

A common pain point (for anyone who has somehow managed to keep up with compliance manually) has been the lack of evidence that the requirements have been, and continue to be, met.

Runecast Analyzer 4.6 introduces the most comprehensive automated ISO/IEC 27001 compliance checklists available for VMware and AWS hybrid-cloud infrastructure, and also keeps a full year of historical reports, giving auditors evidence of sustained compliance rather than a point-in-time snapshot.

In this way, Runecast Analyzer continues to help IT admins mitigate risk, reduce maintenance costs and limit the costs of unexpected events such as security breaches or system outages and their impact on business reputation.

What else you can find in new Runecast Analyzer 4.6

DISA STIG Viewer export

Runecast Analyzer 4.6 adds the ability to export findings in the format used by DISA’s STIG Viewer, the official tool that Department of Defense (DoD) partners use to record and review STIG checklist results and which forms part of their entry criteria.

SCG 7.0 update

Runecast Analyzer 4.6 also updates its Security Configuration Guide (SCG) checks to cover vSphere 7. VMware published the vSphere 7 SCG only recently, so this is a routine definition update for Runecast Analyzer; make sure you have installed the latest definition update to unlock the VMware SCG 7.0 checks.

Get a free 14-day trial of Runecast

Try Runecast Analyzer’s secure, on-premises transparency into your VMware, AWS and Kubernetes environments free for 14 days.

About the Author | Jason Mashak

Jason heads the communications team at Runecast. Previously he served in roles that included sales, business development, and marketing in the security industry for both B2C and B2B firms. For numerous reasons, he very much prefers working for smaller companies. He has a Master’s in Education and enjoys playing guitar and time with his family. Find him on Twitter: @jasonmashak.
