ISO 27001 and ERP
ISO 27001 is the international standard for information security management systems. For organisations that handle sensitive data through ERP systems, ISO 27001 provides a framework for managing security systematically.
The ISO 27001 Framework
Information Security Management System (ISMS)
ISO 27001 requires organisations to establish, implement, maintain, and continually improve an ISMS.
Key components:
- Leadership commitment
- Risk assessment and treatment
- Security policies and procedures
- Competence and awareness
- Performance evaluation
- Continuous improvement
Annex A Controls
ISO 27001 Annex A contains 93 controls organised into 4 themes:
Organisational controls: Policies, roles, responsibilities.
People controls: Awareness, employment terms, disciplinary process.
Physical controls: Physical security, equipment protection.
Technological controls: Access control, cryptography, logging.
ERP-Specific Control Considerations
Access Control
Principle of least privilege: Users have minimum access necessary.
Role-based access: Access assigned through defined roles.
Privileged access management: Enhanced controls for administrative access.
Regular access review: Periodic certification of access appropriateness.
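The four access-control points above can be checked mechanically against an ERP role export. The following is an added example, not code from the page or from any ERP product: it assumes a constructed approved-role catalogue (role names and their privileged flag are invented), a constructed list of user assignments with their last certification date, and assumed review intervals (90 days for privileged roles, 365 for standard ones). It flags roles that are not in the catalogue (a breach of role-based access), assignments that were never certified, and certifications that are overdue, with the shorter interval applied to administrative access.

```python
from datetime import date, timedelta

# Constructed approved role catalogue (assumed, not from the page):
# role name -> True if the role grants administrative/privileged access.
# Any role outside this catalogue is treated as unapproved.
ROLE_CATALOGUE = {
    "AP_CLERK": False,
    "GL_VIEWER": False,
    "SYSTEM_ADMIN": True,
    "SECURITY_ADMIN": True,
}

# Assumed review intervals: privileged access is certified more frequently.
REVIEW_INTERVAL_DAYS = {True: 90, False: 365}

# Constructed sample of user-role assignments, as an access review export might list them.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice", "role": "AP_CLERK", "last_certified": date(2024, 1, 10)},
    {"user": "bob", "role": "SYSTEM_ADMIN", "last_certified": date(2024, 1, 10)},
    {"user": "carol", "role": "SECURITY_ADMIN", "last_certified": None},
    {"user": "dave", "role": "LEGACY_SUPERUSER", "last_certified": date(2024, 5, 1)},
]


def review_access(assignments, today):
    """Return (user, role, finding) tuples for every assignment that needs attention."""
    findings = []
    for a in assignments:
        role = a["role"]
        if role not in ROLE_CATALOGUE:
            # Access granted outside the defined roles: not role-based, must be remediated.
            findings.append((a["user"], role, "role not in approved catalogue"))
            continue
        privileged = ROLE_CATALOGUE[role]
        limit = timedelta(days=REVIEW_INTERVAL_DAYS[privileged])
        if a["last_certified"] is None:
            findings.append((a["user"], role, "never certified"))
        elif today - a["last_certified"] > limit:
            kind = "privileged" if privileged else "standard"
            findings.append((a["user"], role, f"{kind} access certification overdue"))
    return findings


def privileged_users(assignments):
    """Users holding any privileged role: the population that needs enhanced controls."""
    return sorted({a["user"] for a in assignments if ROLE_CATALOGUE.get(a["role"], False)})


def sample_findings():
    """Run the review over the constructed sample as of a fixed date."""
    return review_access(SAMPLE_ASSIGNMENTS, date(2024, 6, 1))


if __name__ == "__main__":
    for user, role, finding in sample_findings():
        print(f"{user:8} {role:18} {finding}")
    print("privileged:", privileged_users(SAMPLE_ASSIGNMENTS))
```

On the sample, alice's standard role is within its 365-day window and produces no finding; bob's administrative role was certified on the same day but exceeds the 90-day privileged interval; carol has never been certified; dave holds a role that does not exist in the catalogue at all.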
Data Protection
Classification: Data classified based on sensitivity.
Encryption: Encryption in transit and at rest.
Data masking: Sensitive data masked in non-production environments.
Backup: Regular backup with tested restoration.
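Classification and masking work together: the classification of each field decides how it is treated when production data is copied to a non-production environment. The following is an added example, not code from the page or from any ERP product. It assumes a constructed field classification (the labels internal/confidential/restricted and the field names are invented) and an assumed per-refresh salt. Internal fields are copied as-is, confidential identifiers are replaced by deterministic pseudonyms so records still join across tables, restricted values keep only their last four characters, and any field the classification does not know about is treated as restricted rather than passed through.

```python
import hashlib

# Constructed classification of ERP record fields (assumed labels, not from the page).
FIELD_CLASSIFICATION = {
    "customer_id": "internal",
    "name": "confidential",
    "email": "confidential",
    "tax_number": "restricted",
    "bank_account": "restricted",
    "order_total": "internal",
}

# Assumed per-refresh secret: kept in production tooling, never copied to non-production,
# so pseudonyms cannot be reversed by looking up the masked copy.
MASKING_SALT = b"nonprod-refresh-salt-example"


def pseudonym(value, salt=MASKING_SALT):
    """Deterministic token: the same real value maps to the same fake value everywhere."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:12]


def mask_field(field, value):
    """Apply the masking rule that the field's classification requires."""
    # Unknown fields are treated as the most sensitive class (fail closed).
    level = FIELD_CLASSIFICATION.get(field, "restricted")
    if level == "internal":
        return value
    if level == "confidential":
        if field == "email":
            return f"user-{pseudonym(value)}@example.invalid"
        return f"Person {pseudonym(value)}"
    # restricted: keep the last four characters for support/reconciliation, hide the rest
    value = str(value)
    return "*" * max(len(value) - 4, 0) + value[-4:]


def mask_record(record):
    """Mask one production record for use in a non-production environment."""
    return {field: mask_field(field, value) for field, value in record.items()}


# Constructed sample production record.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "tax_number": "123456789",
    "bank_account": "12-3456-0123456-00",
    "order_total": "1499.00",
    "notes": "called about invoice",   # unclassified field
}


if __name__ == "__main__":
    for field, value in mask_record(SAMPLE_RECORD).items():
        print(f"{field:13} {value}")
```

The point of the deterministic pseudonym is referential integrity: a customer's name in the sales table and the same name in the service-desk table mask to the same token, so test scenarios still work without any real identity being present.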
Change Management
Change control process: All changes follow defined process.
Testing: Changes tested in non-production environments.
Approval: Appropriate approval before implementation.
Documentation: All changes documented.
Logging and Monitoring
Comprehensive logging: All significant events logged.
Log protection: Logs protected from tampering.
Regular review: Logs reviewed for anomalies.
Retention: Logs retained per requirements.
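Log protection and regular review can be demonstrated with a tamper-evident log: each entry carries the hash of the previous entry, so any edit or deletion after the fact breaks the chain at a verifiable position. The following is an added example, not code from the page or from any ERP product. The event records are constructed, the hash-chain layout (SHA-256 over previous digest plus canonical JSON of the event) is an assumption chosen for illustration, and the review rule (flag users with three or more failed logins) is an assumed threshold. Verification returns the index of the first entry that no longer matches, which is the information an investigator needs.

```python
import hashlib
import json

GENESIS = "0" * 64  # digest that the first entry links back to


def append_entry(chain, event):
    """Append an event, linking it to the previous entry's digest; returns the new digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)   # canonical form so re-serialisation is stable
    digest = hashlib.sha256((prev + body).encode("utf-8")).hexdigest()
    chain.append({"event": event, "prev": prev, "digest": digest})
    return digest


def verify_chain(chain):
    """Return the index of the first broken entry, or None if the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode("utf-8")).hexdigest()
        if entry["prev"] != prev or entry["digest"] != expected:
            return i
        prev = entry["digest"]
    return None


# Constructed sample events, in the order the ERP would have emitted them.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:01", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2024-06-01T08:00:09", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2024-06-01T08:00:15", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2024-06-01T08:02:00", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-06-01T08:05:30", "user": "alice", "action": "role_change", "result": "success"},
]


def build_sample_chain():
    """Build a fresh chain from the constructed events."""
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, dict(event))  # copy so the sample stays pristine
    return chain


def failed_login_spikes(chain, threshold=3):
    """Review rule: users with at least `threshold` failed logins in the log."""
    counts = {}
    for entry in chain:
        ev = entry["event"]
        if ev["action"] == "login" and ev["result"] == "failure":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def tamper_demo():
    """Alter one stored entry and report where verification first fails."""
    chain = build_sample_chain()
    intact = verify_chain(chain)          # None: untouched chain verifies
    chain[1]["event"]["result"] = "success"   # rewrite a failed login as a success
    return intact, verify_chain(chain)    # (None, 1): break detected at entry 1


if __name__ == "__main__":
    chain = build_sample_chain()
    print("review findings:", failed_login_spikes(chain))
    print("tamper check (before, after):", tamper_demo())
```

A chain like this does not stop a privileged user from rewriting the log, but it makes the rewrite detectable as long as the latest digest is periodically copied somewhere the ERP administrators cannot change, which is the practical meaning of "logs protected from tampering".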
Incident Management
Detection: Mechanisms to detect security incidents.
Response: Defined procedures for incident response.
Reporting: Clear reporting channels and escalation.
Learning: Post-incident review and improvement.
Cloud ERP and ISO 27001
Shared Responsibility Model
Cloud ERP operates under a shared responsibility model:
Vendor responsibility: Infrastructure security, platform security, physical security.
Customer responsibility: User access management, data classification, configuration.
Vendor Certification
When evaluating cloud ERP vendors:
Certification scope: Does ISO 27001 certification cover the services you will use?
Certification currency: Is certification current?
Independent verification: Can you review the audit report?
Control mapping: Do vendor controls address your requirements?
Customer Responsibilities
Even with certified vendors, customers have responsibilities:
User access management: Managing your users and their access.
Data classification: Classifying your data appropriately.
Configuration: Configuring the system securely.
Integration security: Securing integrations with other systems.
NZ/AU Considerations
Certification Recognition
ISO 27001 is recognised globally, including NZ and AU.
Regulatory Alignment
ISO 27001 aligns with many regulatory requirements:
Privacy Acts: Security safeguards requirement.
Financial services: APRA CPS 234 (AU), RBNZ requirements (NZ).
Government: Security framework requirements.
Implementation Approach
1. Gap Assessment
Assess current ERP security against ISO 27001 requirements.
2. Risk Assessment
Identify and assess information security risks.
3. Treatment Plan
Develop plan to address identified gaps and risks.
4. Implementation
Implement controls and document procedures.
5. Certification
Engage certification body for audit.
Conclusion: ISO 27001 Provides Systematic Security
ISO 27001 provides a systematic approach to ERP security. Whether your organisation seeks certification or simply uses the framework, ISO 27001 helps ensure comprehensive security coverage.