8 min read · Governance & Compliance

ISO 27001 Controls Made Practical

#ISO 27001 #GRC #Compliance

ISO 27001 Annex A controls can feel abstract. Let's make them concrete. The control numbers below follow the ISO/IEC 27001:2022 Annex A scheme (A.5 organizational, A.8 technological); each one gets the requirement in plain words and the implementation I would actually stand up.

A.5.15 Access Control

Requirement: Rules to control physical and logical access to information and other associated assets shall be established and implemented, based on business and information security requirements. Practical Implementation:

  • SSO (Single Sign-On): Put every application behind one identity provider (Okta or Microsoft Entra ID, formerly Azure AD), so there is one place to enforce policy and one place to cut access.
  • MFA: Mandatory for all remote access, enforced at the identity provider rather than app by app, so it cannot be skipped for a single service.
  • JML Process: Automated Joiner, Mover, Leaver provisioning driven from the HR system as the source of truth, so that a leaver's access is revoked within 24 hours of termination and a mover loses the entitlements of the old role rather than only gaining the new ones.
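The JML bullet above is the one most teams implement badly, usually because movers keep accumulating groups. The following is an added example (not code from this post or from any IdP vendor) of the core reconciliation step: diff an HR roster against the accounts and groups the identity provider currently holds, and emit joiner, mover, leaver and orphan actions plus any leaver whose access has outlived the 24-hour SLA. The HR records, IdP accounts, department-to-group mapping and the `NOW` timestamp are all constructed for the example; a real run would pull them from the HR and IdP APIs.

```python
"""Joiner/Mover/Leaver reconciliation (added example, constructed data).

The HR roster is the source of truth. Compare it with what the IdP has and
produce the provisioning actions, flagging leavers past the revocation SLA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

LEAVER_SLA = timedelta(hours=24)  # the page's "within 24 hours of termination"

# Assumed mapping: which IdP groups a department is entitled to. A mover gets
# the groups of the new department and loses everything not in that set.
ROLE_GROUPS = {
    "engineering": frozenset({"all-staff", "eng", "github"}),
    "finance": frozenset({"all-staff", "finance", "erp"}),
    "sales": frozenset({"all-staff", "crm"}),
}


@dataclass(frozen=True)
class HrRecord:
    email: str
    department: str
    status: str  # "active" or "terminated"
    terminated_at: Optional[datetime] = None


@dataclass(frozen=True)
class IdpAccount:
    email: str
    groups: frozenset
    enabled: bool


@dataclass
class Plan:
    joiners: list = field(default_factory=list)       # (email, groups to grant)
    movers: list = field(default_factory=list)        # (email, add, remove)
    leavers: list = field(default_factory=list)       # emails to disable now
    sla_breaches: list = field(default_factory=list)  # leavers already past the SLA
    orphans: list = field(default_factory=list)       # enabled accounts with no HR record


def reconcile(hr, idp, now):
    """Diff HR (source of truth) against IdP state and return the actions."""
    plan = Plan()
    hr_emails = {r.email for r in hr}
    for rec in hr:
        acct = idp.get(rec.email)
        if rec.status == "terminated":
            # Leaver: anything still enabled must go; note it if the SLA is blown.
            if acct is not None and acct.enabled:
                plan.leavers.append(rec.email)
                if rec.terminated_at and now - rec.terminated_at > LEAVER_SLA:
                    plan.sla_breaches.append(rec.email)
            continue
        wanted = ROLE_GROUPS.get(rec.department, frozenset({"all-staff"}))
        if acct is None:
            plan.joiners.append((rec.email, wanted))
            continue
        add, remove = wanted - acct.groups, acct.groups - wanted
        if add or remove:
            # Mover: the removal set is what manual processes usually forget.
            plan.movers.append((rec.email, add, remove))
    # Orphans: enabled accounts nobody in HR owns (old service or test accounts).
    for email, acct in idp.items():
        if email not in hr_emails and acct.enabled:
            plan.orphans.append(email)
    return plan


# Constructed sample data for the example.
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_HR = [
    HrRecord("alice@example.com", "engineering", "active"),
    HrRecord("bob@example.com", "finance", "active"),       # moved from sales
    HrRecord("carol@example.com", "sales", "active"),       # not yet in the IdP
    HrRecord("dave@example.com", "engineering", "terminated", NOW - timedelta(hours=30)),
    HrRecord("erin@example.com", "sales", "terminated", NOW - timedelta(hours=2)),
]
SAMPLE_IDP = {
    "alice@example.com": IdpAccount("alice@example.com", frozenset({"all-staff", "eng", "github"}), True),
    "bob@example.com": IdpAccount("bob@example.com", frozenset({"all-staff", "crm"}), True),
    "dave@example.com": IdpAccount("dave@example.com", frozenset({"all-staff", "eng", "github"}), True),
    "erin@example.com": IdpAccount("erin@example.com", frozenset({"all-staff", "crm"}), True),
    "svc-old@example.com": IdpAccount("svc-old@example.com", frozenset({"github"}), True),
    "frank@example.com": IdpAccount("frank@example.com", frozenset(), False),  # already disabled
}


def run_example():
    return reconcile(SAMPLE_HR, SAMPLE_IDP, NOW)


if __name__ == "__main__":
    plan = run_example()
    for name in ("joiners", "movers", "leavers", "sla_breaches", "orphans"):
        print(f"{name}: {getattr(plan, name)}")
```

Run this on a schedule and treat a non-empty `sla_breaches` or `orphans` list as an alert, not a report; those two lists are the evidence an auditor will ask for when they sample leavers against the 24-hour target.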

A.8.1 User Endpoint Devices

Requirement: Information stored on, processed by or accessible via user endpoint devices shall be protected. Practical Implementation:

  • MDM (Mobile Device Management): Intune or Jamf, with enrollment required before a device can reach company data, so an unmanaged laptop simply does not get in.
  • Disk Encryption: BitLocker or FileVault enforced by MDM policy, with recovery keys escrowed to the MDM rather than left with the user.
  • Screen Lock: Auto-lock after 5 minutes of inactivity, with a password or biometric required to resume.

A.5.7 Threat Intelligence

Requirement: Information relating to information security threats shall be collected and analysed to produce threat intelligence. Practical Implementation:

  • Subscribing to CISA alerts and advisories.
  • Automating the ingestion of these alerts into a Slack channel (like my Regulatory Monitoring project!), deduplicated so the channel only ever sees a new advisory once.
  • Triaging each alert against the asset inventory. The control asks for analysis, not just collection, so someone has to decide whether the advisory touches anything you run and record that decision.
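The feed-to-Slack automation above is simple enough to show end to end. The following is an added example (not the post's Regulatory Monitoring project and not CISA or Slack code): it parses an RSS feed, drops anything already posted by keeping a small JSON state file of seen GUIDs, and builds a Slack incoming-webhook payload with the title escaped the way Slack's mrkdwn requires. The feed URL is assumed to be CISA's advisories RSS feed; the webhook URL comes from an environment variable; the sample feed XML is constructed for the example and includes one item with no GUID and one with nothing stable to dedupe on at all.

```python
"""CISA RSS -> Slack ingestion (added example, constructed sample feed)."""
import json
import os
import sys
import urllib.request
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime
from pathlib import Path

FEED_URL = "https://www.cisa.gov/cybersecurity-advisories/all.xml"  # assumed feed URL
STATE_FILE = Path(os.environ.get("CISA_STATE_FILE", "cisa_seen.json"))


def parse_feed(xml_text):
    """Return one dict per <item>. Items without a guid fall back to their link;
    items with neither are skipped, since they would be re-posted on every run."""
    items = []
    for node in ET.fromstring(xml_text).iter("item"):
        title = (node.findtext("title") or "").strip()
        link = (node.findtext("link") or "").strip()
        guid = (node.findtext("guid") or link).strip()
        if not guid:
            continue
        published = None
        raw_date = node.findtext("pubDate")
        if raw_date:
            try:
                published = parsedate_to_datetime(raw_date).isoformat()
            except (TypeError, ValueError):
                published = None  # malformed date is not a reason to drop an advisory
        items.append({"guid": guid, "title": title, "link": link, "published": published})
    return items


def new_items(items, seen):
    """Keep only items whose guid has not been posted before."""
    return [i for i in items if i["guid"] not in seen]


def slack_escape(text):
    """Slack mrkdwn treats &, < and > as control characters; escape them."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_payload(item):
    """Build the JSON body for a Slack incoming webhook."""
    text = f":rotating_light: *CISA advisory* <{item['link']}|{slack_escape(item['title'])}>"
    if item["published"]:
        text += f"\n_Published {item['published']}_"
    return {"text": text, "unfurl_links": False}


def load_seen(path=STATE_FILE):
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(seen, path=STATE_FILE):
    path.write_text(json.dumps(sorted(seen)))


def post_to_slack(webhook_url, payload):
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample feed: four items, three of which can be deduplicated.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed sample</title>
<item><title>Advisory One</title><link>https://example.invalid/adv/1</link>
  <guid>https://example.invalid/adv/1</guid><pubDate>Tue, 30 Apr 2024 08:00:00 +0000</pubDate></item>
<item><title>Vendor &amp; Co &lt;Patch Now&gt;</title><link>https://example.invalid/adv/2</link>
  <guid>https://example.invalid/adv/2</guid><pubDate>Wed, 01 May 2024 12:00:00 +0000</pubDate></item>
<item><title>No GUID, link only</title><link>https://example.invalid/adv/3</link>
  <pubDate>not a date</pubDate></item>
<item><title>Nothing to dedupe on</title></item>
</channel></rss>"""


def main():
    webhook = os.environ.get("SLACK_WEBHOOK_URL")
    if not webhook:
        sys.exit("set SLACK_WEBHOOK_URL to a Slack incoming webhook")
    with urllib.request.urlopen(FEED_URL, timeout=20) as resp:
        feed_xml = resp.read().decode("utf-8")
    seen = load_seen()
    for item in new_items(parse_feed(feed_xml), seen):
        post_to_slack(webhook, slack_payload(item))
        seen.add(item["guid"])  # mark only after a successful post
        save_seen(seen)


if __name__ == "__main__":
    main()
```

Marking an item as seen only after the webhook call succeeds means a Slack outage produces a late post rather than a lost advisory, which matters more than the occasional duplicate for a control whose whole point is that nothing gets missed.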

Compliance vs Security

Compliance is proving you do security. Security is actually doing it. Good controls satisfy both.