We are a SaaS-based company and we are hosted on AWS cloud. Hence we use AWS Security groups which act as virtual firewalls. We have multiple security groups. One of the controls in ISO is that a Firewall review needs to be performed. The traditional approach is that the Firewall owner reviews the rules and provides sign-off, etc. However, since we have multiple security groups it becomes difficult to review each. We have implemented a CIS benchmark tailored for AWS. Deploy regular scans on AWS Security Groups, using parameters established by the CIS benchmark. The focus is on detecting potential misconfigurations, especially in the context of publicly open ports, ensuring a robust defence against unauthorized access. Weekly reports are generated and sent to the team.
My question is as part of an audit. Can this evidence suffice, since we have automated the process of firewall review and do not perform a manual review?
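The kind of automated review the question describes, as an added illustration that is not code from the original post or from Experta: it walks security groups in the shape returned by boto3's `describe_security_groups()` and flags ingress rules reachable from `0.0.0.0/0` or `::/0` on any port outside an allow-list, then renders a timestamped report of the sort a weekly run could archive as evidence. The allow-list of ports 80 and 443, the "admin ports" list, the severity scheme and the sample groups are all assumptions constructed for the example.

```python
"""Automated AWS security-group review: flag ingress rules open to the world.

Assumption: input is a list of dicts in the shape of
boto3 ec2.describe_security_groups()['SecurityGroups']. The sample groups
below are constructed for illustration; the group IDs are placeholders.
"""
from datetime import datetime, timezone

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports a public SaaS front end legitimately exposes (assumed allow-list)
ALLOWED_PUBLIC_PORTS = frozenset({80, 443})
# Remote-administration ports the CIS AWS benchmark treats as high risk when
# world-reachable (assumed mapping for severity rating)
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-placeholder0001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder0002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-placeholder0003", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder0004", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-placeholder0005", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _world_sources(perm):
    """Return the IPv4/IPv6 sources of a rule that mean 'anyone on the internet'."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in WORLD_CIDRS]


def _port_span(perm):
    """Port range a rule covers; protocol -1 (all traffic) has no port fields."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def review_security_groups(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per rule that exposes a non-allow-listed port to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue  # ICMP and other protocols are out of scope here
            sources = _world_sources(perm)
            if not sources:
                continue  # only internal or specific sources: not a public exposure
            lo, hi = _port_span(perm)
            exposed = set(range(lo, hi + 1)) - set(allowed_ports)
            if not exposed:
                continue  # e.g. 443 from 0.0.0.0/0 on a web tier is expected
            high = proto == "-1" or any(p in ADMIN_PORTS for p in exposed)
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": "all" if proto == "-1" else proto,
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "sources": sources,
                "severity": "high" if high else "medium",
            })
    return findings


def render_report(findings, generated_at=None):
    """Plain-text report with a UTC timestamp, suitable for archiving as evidence."""
    stamp = generated_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    lines = [f"Security group review generated {stamp}: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  [{f['severity'].upper()}] {f['group_id']} ({f['group_name']}) "
                     f"{f['protocol']} {f['ports']} from {', '.join(f['sources'])}")
    if not findings:
        lines.append("  no world-reachable ports outside the allow-list")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(review_security_groups(SAMPLE_GROUPS)))
```

Against live data you would replace `SAMPLE_GROUPS` with the paginated results of `boto3.client("ec2").describe_security_groups()` per account and region. Note that the allow-list is where the policy lives: a rule such as 443 from the world is "expected" only because it was put on the list, so the list itself and any exceptions granted are what an auditor will want to see reviewed and signed off alongside the weekly output.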
Thank you for your question.
We answered it through Experta - you can find the answer here: https://experta.com/shared-post/9694e497-ecc8-4a61-8046-eb3ab248f12a
Jan 24, 2024