
ISO27001 assessment using AWS Config + Security Hub

0

Hi all, I want to do an ISO27001 (Annex A) assessment of the AWS services running within an account to check their compliance against this standard. I guess enabling AWS Config and AWS Security Hub would generally be the right move to do compliance checks. Unfortunately Security Hub doesn't support the ISO27001 framework.

So I'm not sure what would be the best way here.

2 Answers
6

You may leverage AWS Audit Manager's ISO/IEC 27001:2013 Annex A Framework:

  1. Enable AWS Audit Manager in your account.
  2. Use the ISO/IEC 27001:2013 Annex A framework to create an assessment.
  3. Audit Manager will:
     • Automatically collect evidence from AWS Config and Security Hub.
     • Use Config rules mapped to ISO controls (via the AuditManager_ConfigDataSourceMappings_ISO-IEC-270012013-Annex-A.zip file).
     • Include manual controls for procedural requirements.

https://docs.aws.amazon.com/audit-manager/latest/userguide/iso-27001-2013.html

EXPERT, answered 10 months ago
AWS SUPPORT ENGINEER, reviewed 10 months ago
  • Thanks for your reply.

    Regarding this setup I have a quick question; from the AWS documentation (see the attached link, and then the "Important" box) it is not 100% clear imho:

    • https://docs.aws.amazon.com/audit-manager/latest/userguide/iso-27001-2013.html
    • It says all frameworks in Security Hub should be enabled in order for Audit Manager to collect the necessary evidence. Enabling a framework in Security Hub has the consequence that AWS Config rules are created.
    • Then there is also the demand to ensure all AWS Config rules (AuditManager_ConfigDataSourceMappings_ISO-IEC-270012013-Annex-A.zip) are enabled.

    --> The question for me now is: is it enough if I enable all frameworks in Security Hub (and therefore automatically enable all the necessary Config rules), or do I have to manually check that all Config rules are indeed enabled by comparing them to the Config rules in the above .zip file?
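The comment above asks whether enabling Security Hub standards is enough or whether the account's Config rules must be checked against the identifiers in the mapping zip. The script below is an added example (not from the answer, the asker, or AWS) that does that comparison. It assumes you have already extracted the managed-rule identifiers from the mapping file into a list (the four identifiers here are a constructed sample, not the real contents of the zip), and it matches on each rule's `Source.SourceIdentifier` rather than on `ConfigRuleName`, because the rules Security Hub creates carry a `securityhub-` prefix and a random suffix in their names. The sample Config response is constructed in the shape returned by `DescribeConfigRules`; the optional `fetch_config_rules` helper pulls live data with boto3 (assumed installed and configured) and is not called by default.

```python
"""Gap check: Audit Manager ISO 27001 mapping vs. the Config rules in an account.

Pure comparison logic over constructed sample data; fetch_config_rules() is an
optional live fetch via boto3 (assumption: boto3 installed, credentials present).
"""
from typing import Dict, Iterable, List

# Constructed sample: managed-rule identifiers as they would be extracted from the
# AuditManager_ConfigDataSourceMappings_ISO-IEC-270012013-Annex-A.zip mapping file.
# These four are illustrative only; use the identifiers from the real file.
REQUIRED_RULE_IDENTIFIERS: List[str] = [
    "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "CLOUD_TRAIL_ENABLED",
    "IAM_ROOT_ACCESS_KEY_CHECK",
    "ENCRYPTED_VOLUMES",
]

# Constructed sample shaped like the ConfigRules list in a DescribeConfigRules
# response. The first two are the service-linked rules Security Hub creates when a
# standard is enabled; note the securityhub- prefix and random suffix in the name.
SAMPLE_CONFIG_RULES: List[Dict] = [
    {"ConfigRuleName": "securityhub-s3-bucket-public-read-prohibited-1a2b3c",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
     "ConfigRuleState": "ACTIVE"},
    {"ConfigRuleName": "securityhub-cloud-trail-enabled-4d5e6f",
     "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUD_TRAIL_ENABLED"},
     "ConfigRuleState": "ACTIVE"},
    # Present but being deleted: must not count as coverage.
    {"ConfigRuleName": "iam-root-access-key-check",
     "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_ROOT_ACCESS_KEY_CHECK"},
     "ConfigRuleState": "DELETING"},
    # Custom rule: its SourceIdentifier is a Lambda ARN, never a managed identifier.
    {"ConfigRuleName": "my-custom-lambda-rule",
     "Source": {"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:placeholder"},
     "ConfigRuleState": "ACTIVE"},
]


def active_managed_identifiers(rules: Iterable[Dict]) -> set:
    """Managed-rule identifiers that are present AND in state ACTIVE.

    Matching on Source.SourceIdentifier makes the check independent of how the
    rule was named (console, Security Hub, CloudFormation).
    """
    return {
        r["Source"]["SourceIdentifier"]
        for r in rules
        if r.get("Source", {}).get("Owner") == "AWS"
        and r.get("ConfigRuleState") == "ACTIVE"
    }


def find_gaps(required: Iterable[str], rules: Iterable[Dict]) -> List[str]:
    """Required identifiers with no ACTIVE managed rule in the account, sorted."""
    return sorted(set(required) - active_managed_identifiers(rules))


def coverage_report(required: Iterable[str], rules: Iterable[Dict]) -> Dict:
    """Summary a practitioner can attach to an assessment as evidence."""
    required = list(required)
    missing = find_gaps(required, rules)
    covered = sorted(set(required) - set(missing))
    return {
        "required": len(required),
        "covered": covered,
        "missing": missing,
        "percent": round(100.0 * len(covered) / len(required), 1) if required else 100.0,
    }


def fetch_config_rules(region_name: str = None) -> List[Dict]:
    """Live fetch (assumes boto3 and AWS credentials); imported lazily so the
    offline sample above runs without boto3 installed."""
    import boto3  # assumption: boto3 available

    client = boto3.client("config", region_name=region_name)
    rules: List[Dict] = []
    for page in client.get_paginator("describe_config_rules").paginate():
        rules.extend(page["ConfigRules"])
    return rules


if __name__ == "__main__":
    report = coverage_report(REQUIRED_RULE_IDENTIFIERS, SAMPLE_CONFIG_RULES)
    print(f"{len(report['covered'])}/{report['required']} required rules active "
          f"({report['percent']}%)")
    for ident in report["missing"]:
        print(f"  MISSING: {ident}")
```

On real accounts, replace `SAMPLE_CONFIG_RULES` with `fetch_config_rules()` and run it once per region that holds resources, since Config rules are regional; an identifier that is missing or in a non-ACTIVE state is a gap in automated evidence even if the corresponding Security Hub standard is switched on.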

0

Hey,

Hope you're keeping well.

For ISO/IEC 27001:2013 Annex A, the most direct AWS-native approach is to use AWS Audit Manager with its prebuilt ISO27001 framework. Audit Manager automatically maps AWS Config rules and Security Hub findings to the relevant Annex A controls using the mapping file you referenced, and it also lets you add manual evidence for non-technical controls. This avoids the need to manually translate CIS or other frameworks. You can enable Audit Manager in the console, select the ISO27001 framework when creating an assessment, and ensure Config and Security Hub are active so evidence collection is continuous.

Thanks and regards,
Taz

answered 5 months ago
