How Setyl helps organizations achieve ISO 27001 certification

Explore the key areas of ISO 27001 that Setyl can help you address to navigate your security audit.
Last updated: August 20, 2024

Setyl plays a significant role in helping organizations mitigate security and compliance risks, including achieving ISO 27001 and other security certifications. 

From streamlining asset management processes, to strengthening information security controls and ensuring compliance with the standard's requirements, discover the 7 key areas that Setyl can help you successfully address to prepare for your audit.

About ISO 27001

ISO 27001 (officially ISO/IEC 27001) is an international standard for information security management systems (ISMS). It provides organizations with guidance on establishing a systematic approach to managing sensitive company information. 

Implementing this framework helps you secure your data, reduce and respond to (cyber) risks, improve operational efficiency and save costs.

How Setyl helps you prepare for your ISO 27001 certification

Setyl can help you address several key components of ISO 27001, including:

  • Asset management: Identification and management of IT and other assets.
  • Access control: Ensuring only authorized individuals can access sensitive information.
  • Risk assessment: Identifying and managing risks to information security.
  • Compliance: Adhering to applicable legal and regulatory requirements.

Specifically, Setyl assists with the following areas of ISO 27001:

  1. Asset management (clauses 8.1 and A.8): Tracking of hardware, software, SaaS and other assets.
  2. Risk assessment and treatment (clauses 6.1 and A.12): Identifying risks and implementing controls.
  3. Access control (clauses 9.1 and A.9): User management and access permissions for securing assets.
  4. Change management (clauses 8.3 and A.12.1): Monitoring and documenting changes to asset configurations.
  5. Documentation and evidence collection (clause 7.5): Ability to attach and manage relevant documentation to assets.
  6. Monitoring and reporting (clauses 9.2 and 9.3): Compliance records and activity logs for audits and reviews.
  7. Vendor management (clause A.15): Monitoring and managing third-party relationships and contracts.

Read on to dive further into each of these areas, and how the Setyl platform and our dedicated compliance features can support your audit preparation.

“My auditor was blown away when he saw what we are doing with Setyl. It's been a phenomenal tool for internal due diligence and I use it as my show and tell for my leadership team.”
Steven Rose
IT & Security Lead at Teamwork

Setyl and ISO 27001: How Setyl helps in detail

1. Asset inventory and management

ISO 27001 clauses 8.1 (Operational Planning and Control) and A.8 (Asset Management) require maintaining a detailed asset inventory.

Figure: The Setyl IT asset and license management platform, showing a range of systems feeding into Setyl and, at the other end, an inventory of hardware and software assets.

2. Risk assessment and treatment

ISO 27001 clauses 6.1 (Actions to Address Risks and Opportunities) and A.12 (Operations Security) involve identifying risks and implementing controls.

  • Asset criticality and risk ratings: Setyl allows you to identify assets by criticality and restrict access accordingly. Custom notes allow you to further record high-risk or critical asset statuses.
  • Asset discovery and classification: Discover and classify assets and applications, helping to identify potential critical assets and applications that may pose security risks. 
  • Policy compliance: Ensure assets adhere to security policies and procedures, supporting risk mitigation. Keep a record of when employees take ownership of critical assets and sign off on acceptable use policies.
  • Maintenance scheduling and monitoring: Schedule and monitor maintenance activities, ensuring assets are regularly updated and patched. See a record of an asset’s maintenance history if a security incident occurs.

Figure: Setyl’s shadow IT detection functionality, showing a list of assets and apps which have been detected via an MDM or RMM integration and login or IAM integration respectively.

3. Access control and security

ISO 27001 clauses 9.1 (Monitoring, Measurement, Analysis, and Evaluation) and A.9 (Access Control) emphasize controlled access to information assets.

  • User access management: Setyl provides features for tracking and managing user access to various assets, ensuring that only authorized personnel have access to edit or view assets.
  • Audit trails: Maintain detailed audit logs of access and changes to assets, crucial for demonstrating compliance and investigating security incidents.

Figure: Setyl’s user permission management feature, showing a list of users, their status (active, onboarding etc.) and their role within the ITAM platform.

4. Configuration and change management

ISO 27001 clauses 8.3 (Change Management) and A.12.1 (Operational Procedures and Responsibilities) require controlled changes to information systems.

  • Configuration tracking: Document asset configurations to ensure they meet security requirements.
  • Change history: Maintain a record of changes made to assets, which helps in auditing and ensuring compliance with change management procedures.

Figure: Setyl’s activity log overview, showing different tasks logged on different dates and times, including the unassignment of licenses and IT asset description updates.

5. Documentation and evidence collection

ISO 27001 clause 7.5 (Documented Information) involves maintaining and controlling documentation for compliance.

  • Asset documentation: Setyl allows attachment of relevant documents, policies, and procedures to asset or vendor records.
  • Compliance records: Store records and evidence required for ISO 27001 audits and compliance verification.

Figure: Setyl as a comprehensive information asset register, showing a list of hardware and software assets, alongside related information such as admins, assignees, locations and statuses.

6. Monitoring and reporting

ISO 27001 clauses 9.2 (Internal Audit) and 9.3 (Management Review) require regular monitoring, reviewing, and auditing of the ISMS.

  • Status and activity logs: Setyl provides visibility into asset status and usage, helping to detect and respond to security incidents.
  • Custom audit reminders: Set custom reminders to ensure internal audits are carried out regularly, and log completion dates and audit administrators.
  • Archiving: Logical archiving ensures records are never deleted from Setyl. Changes to an asset can be viewed from the beginning of an asset’s lifecycle until the end.

Figure: Setyl’s Compliance Overview feature for applications and vendors, showing a list of vendors and checkmarks under whether they meet ISO 27001 and SOC 2 requirements.

7. Vendor and contract management

ISO 27001 clause A.15 (Supplier Relationships) covers managing third-party risks and supplier agreements.

  • SaaS and vendor management: Setyl tracks SaaS subscriptions and vendor relationships, ensuring compliance with third-party security requirements. Vendor onboarding audits ensure vendors are in compliance with your policies and procedures, and keep a record of the audit.
  • Contract compliance: Manage contracts and service agreements, ensuring they include the necessary security provisions. Attach appropriate contracts to assets or vendors. 

“Having managed the ISO 27001 for the organization in the past, I know that Setyl will make audits so much easier.

“I can quickly locate any asset, see its history and access all related documents — even for assets we’ve disposed of. We’re also recording all vendor information into the platform. It brings so much visibility and efficiency. I no longer have to hunt for spreadsheets, worry about whether they’ve been updated, or scramble to piece together evidence.”
Adam Gleed
Head of Information Security at Nourish

For more information on how Setyl can help your organization prepare for an ISO 27001 audit and other IT safeguarding measures, speak to one of our specialists.
