A Failure to Enforce Unique Employee Logins for ISO 27001 Compliance


The legal and law enforcement sector is exposing itself to compliance and security problems by failing to issue, and then enforce, a unique login for every employee.

Our latest report, ‘Legal and Law Enforcement: Information Access Compliance’, found that despite the requirements of the global standard ISO 27001, 31% of employees in the US and UK legal and law enforcement sectors do not have a unique user login for their employer’s network, and 24% do not need a login to gain access at all.

Furthermore, only 33% of workers are prevented from being logged in concurrently on more than one machine. This not only puts information at risk, it also narrows the options for investigation should something go wrong: when one account is open on several workstations at once, a log entry tells you which account acted, not which person or even which machine.

ISO 27001 & User Network Access

Sensitive information such as case files, identity profiles and confidential statements can be compromised without anyone noticing if strong network access controls and monitoring are not in place. To manage access according to each individual user’s requirements, you first need to be able to identify individual users, and for that unique logins are an absolute must.

Unique user identification not only lets you restrict network and data access on a ‘need to know’ basis, it is also essential for tracking and monitoring. If a breach does occur, you cannot reconstruct how it happened unless you can tie each network access event to a specific individual; a shared account gives you a list of suspects, not an answer.
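The two points above, concurrent logins and attribution, are easy to check against exported session records. The Python below is an added example, not code from the report or from IS Decisions; it runs over a constructed set of logon/logoff records (CSV lines of start, end, account, host) and a constructed mapping of accounts to the people who know their password. It reports accounts that are logged on to two different machines at the same time, and shows that for a shared account a file-access event on a given host at a given time can only be attributed to a set of candidates.

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

@dataclass
class Session:
    account: str
    host: str
    start: datetime
    end: datetime

# Constructed sample session log: start,end,account,host (ISO 8601 timestamps).
# "frontdesk" is a shared account; the other two are individual logins.
SAMPLE_LOG = """\
2024-03-04T09:00:00,2024-03-04T12:30:00,jsmith,WS-101
2024-03-04T10:00:00,2024-03-04T11:00:00,jsmith,WS-102
2024-03-04T09:00:00,2024-03-04T10:00:00,adoe,WS-103
2024-03-04T10:00:00,2024-03-04T11:00:00,adoe,WS-104
2024-03-04T08:00:00,2024-03-04T17:00:00,frontdesk,WS-200
2024-03-04T08:30:00,2024-03-04T16:00:00,frontdesk,WS-201
"""

# Constructed mapping of account -> people who use it (hypothetical names).
ACCOUNT_OWNERS = {
    "jsmith": {"j.smith"},
    "adoe": {"a.doe"},
    "frontdesk": {"c.lee", "d.ng", "e.ali"},
}

def parse_sessions(text: str) -> list[Session]:
    """Parse the CSV session records into Session objects."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, account, host = line.split(",")
        sessions.append(Session(account, host,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions

def concurrent_logins(sessions: list[Session]) -> dict[str, set[tuple[str, str]]]:
    """Return {account: {(host_a, host_b), ...}} for every account that was
    logged on to two different hosts at overlapping times."""
    by_account: dict[str, list[Session]] = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    findings: dict[str, set[tuple[str, str]]] = {}
    for account, sess in by_account.items():
        for a, b in combinations(sess, 2):
            # Half-open intervals overlap when each starts before the other ends.
            if a.host != b.host and a.start < b.end and b.start < a.end:
                findings.setdefault(account, set()).add(tuple(sorted((a.host, b.host))))
    return findings

def accounts_on_host(sessions: list[Session], host: str, at_iso: str) -> list[str]:
    """Accounts whose session on `host` covers the instant `at_iso`."""
    at = datetime.fromisoformat(at_iso)
    return sorted({s.account for s in sessions
                   if s.host == host and s.start <= at < s.end})

def candidate_users(sessions: list[Session], owners: dict[str, set[str]],
                    host: str, at_iso: str) -> list[str]:
    """People who could have performed an action on `host` at `at_iso`.
    A unique login yields exactly one name; a shared login yields a list."""
    people: set[str] = set()
    for account in accounts_on_host(sessions, host, at_iso):
        people |= owners.get(account, {f"<unknown owner of {account}>"})
    return sorted(people)

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for account, pairs in concurrent_logins(sessions).items():
        print(f"{account}: concurrent sessions on {sorted(pairs)}")
    print("WS-101 at 09:30 ->", candidate_users(sessions, ACCOUNT_OWNERS, "WS-101", "2024-03-04T09:30:00"))
    print("WS-200 at 10:00 ->", candidate_users(sessions, ACCOUNT_OWNERS, "WS-200", "2024-03-04T10:00:00"))
```

Running it flags jsmith (WS-101 and WS-102 overlap between 10:00 and 11:00) and the shared frontdesk account, while adoe’s back-to-back sessions on two machines are not reported because they do not overlap. The attribution query for WS-200 returns three names, which is the investigative dead end the report describes; the same query against jsmith’s machine returns one. In a real environment the session records would come from the directory or endpoint logon events and the ownership map from HR or the identity system, but the overlap and attribution logic is the same.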

Read the full research and guidance on how to mitigate the risk of network access security breaches for ISO 27001, FISMA, DPA and Lexcel compliance.

Going beyond ISO 27001 compliance

The research results revealed in this report show that legal firms and law enforcement agencies across the UK and the US have significant room for improvement. Our guide goes into more detail on how to comply with ISO 27001 and the other regulations (FISMA, DPA and Lexcel) that bear on user access security.

However, it is important to note that meeting a set standard does not mean ‘job done’. Although ISO 27001 offers a lot of good guidance, there is always more that can be achieved. Security is not black or white; it is a process of reducing risk as far as is achievable, and compliance is usually the minimum requirement, not the end goal.

See ‘Legal and Law Enforcement: Information Access Compliance’ for more information on how to make your organisation secure and compliant with the ISO 27001 standard.



Chris Bunn is the Deputy Managing Director (Directeur Général Adjoint) of IS Decisions, a global cybersecurity software company specialising in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.