Hi guys! A friend of mine asked if it is feasible in 2021 to use laptops running Linux in ISO27001 (and 27002) certified companies.
In theory, it is possible, but in practice, I'm a bit lost; they need monitoring tools, device management, possibly centralized policy enforcement, but I'm curious about the best solution for desktops, i.e. to remotely wipe a device, enforce policies that block USB ports, provision software, control access, etc.
Looking for advice 😃
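One of the controls asked about above, blocking USB mass storage on a Linux laptop, as an added example that is not part of the thread and is not from any of the posters: a POSIX shell script that writes a modprobe "install" override (the approach used by CIS-style hardening guides) and a check function an auditor could run against it. The target directory defaults to /etc/modprobe.d; the file name disable-usb-storage.conf and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): disable USB mass storage on Linux by
# preventing the usb-storage and uas kernel modules from loading.
# Assumption: config lives in /etc/modprobe.d on a real host; a directory
# argument is accepted so the file can be generated and inspected elsewhere.

usb_block_conf_path() {
    printf '%s/disable-usb-storage.conf\n' "${1:-/etc/modprobe.d}"
}

# Write the override. "install <mod> /bin/false" makes modprobe run /bin/false
# instead of loading the module, so both alias-based autoload and an explicit
# "modprobe usb-storage" fail. "blacklist" alone only stops alias autoload,
# which is why both directives are written. uas is the USB-attached-SCSI
# driver and must be covered too, or UAS-capable sticks still mount.
write_usb_block_conf() {
    conf=$(usb_block_conf_path "$1")
    cat > "$conf" <<'EOF'
# Managed: USB mass storage disabled by policy
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
    chmod 0644 "$conf"
    printf '%s\n' "$conf"
}

# Audit check on the config: file present, readable, and both install
# overrides in place. Returns 0 when compliant, 1 otherwise.
check_usb_block_conf() {
    conf=$(usb_block_conf_path "$1")
    [ -f "$conf" ] || return 1
    grep -q '^install usb-storage /bin/false' "$conf" || return 1
    grep -q '^install uas /bin/false' "$conf" || return 1
    return 0
}

# Runtime check: is either driver currently loaded? The modprobe override only
# stops future loads, so a module loaded before the file was written must be
# removed with "modprobe -r usb_storage uas". Returns 0 if a driver is loaded.
usb_storage_loaded() {
    command -v lsmod >/dev/null 2>&1 || return 1
    lsmod | awk '{print $1}' | grep -Exq 'usb_storage|uas'
}

# Usage (as root on the target): write_usb_block_conf && check_usb_block_conf
```

This only blocks storage-class devices; keyboards, network adapters and other USB classes still enumerate. For per-device allowlisting by vendor/product ID or interface class, USBGuard is the usual Linux tool, and the file written here can be shipped by whatever configuration management the company already uses.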
Ubuntu and Red Hat have tools in their enterprise versions for this type of advanced admin task.
@StinkyTofu I will surely suggest it to my friend! but right now, I'm on a quest to find instruments that a small-medium business can afford 😆
Many orgs just take ISO27002 (the part with best practice recommendations) and try to implement it without adjusting it for their needs.
But ISO27001 is flexible enough to adapt it for certain situations as long as you can justify it.
So if your ITSec team did a risk assessment (RA) of Linux on notebooks, it would come to the conclusion that many measures, which were written with Windows in mind, are not necessary for Linux. With this RA, running Linux would be compliant.
@Haydar wow, thank you, very useful! I'm pretty ignorant on the matter! a friend of mine asked, and not knowing much about windows, I was following his request step-by-step!
That may not be in vain; some measures might still apply, depending on the outcome of the risk assessment.