Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mappings to ISO 27001:2022 #753

Open
1 task
cristiklein opened this issue Dec 11, 2023 · 4 comments
Open
1 task

Mappings to ISO 27001:2022 #753

cristiklein opened this issue Dec 11, 2023 · 4 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@cristiklein
Copy link
Collaborator

cristiklein commented Dec 11, 2023
edited by Ajarmar
Loading

ISO 27001:2022 didn't just add controls, but they came up with completely new controls. It can be seen as a backwards-incompatible change of ISO 27001. Let's map it.

Prerequisites

The following acceptance criteria assumes knowledge with the following concepts and tools:

Acceptance criteria

  • There is a page at https://elastisys.io/compliantkubernetes/ciso-guide/controls/iso-27001-2022/, which is similar to the ISO 27001:2013 one.
  • Said page maps all applicable (as determined by the author) ISO 27001:2022 controls to Compliant Kubernetes features using the mkdocs-ciso-plugin. The tag prefix should be ISO 27001:2022.
  • Controls which are not applicable to Compliant Kubernetes are listed in a table at the end, which includes "justification for exclusion", similar to this page. For example, Compliant Kubernetes does not provide any story to A 6.4 Disciplinary Process. Please look at each control and write a good justification for exclusion along the lines of "This control requires a disciplinary process, which is outside the scope of Compliant Kubernetes." Please group controls which have a similar justification for exclusion.
  • The page was approved by our CISO (@HansOlofEdblom), Field CTO (@llarsson), Security Engineering (@OlleLarsson) and PO (@cristiklein).

Additional context

Ask @cristiklein , @HansOlofEdblom or @OlleLarsson

Downstream tasks
@cristiklein cristiklein added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 11, 2023
@simonekman simonekman mentioned this issue Jan 17, 2024
Closed
@OlleLarsson
Copy link
Contributor

Would be good to have been done before the iso re-audit. "Before may"

@cristiklein
Copy link
Collaborator Author

The German TSO's information security policy is based on ISO 27001:2022. Also, we passed our ISO 27001:2022 recertification and no finding was related to the documentation of Compliant Kubernetes. Hence, the current value of "4" is correct.

@Ajarmar
Copy link
Contributor

Ajarmar commented Sep 23, 2024

@cristiklein @lucianvlad @OlleLarsson Please update this roadmap item with acceptance criteria. Thanks!

@cristiklein
Copy link
Collaborator Author

@elastisys/product-team I updated the acceptance criteria. PTAL.

@OlleLarsson OlleLarsson removed their assignment Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cristiklein @OlleLarsson @Ajarmar