19

My company has an ISO 27001 certification. They provided me with a new laptop with Windows 8 on it. I asked if I could have Linux/Ubuntu installed instead, and they said that it is not possible due to the ISO 27001 standards.

Is this true, or do the company's technical people simply not know how to install Linux/Ubuntu?

Vivek Aditya
  • 293
  • 3
  • 8

3 Answers

23

One of the ISO 27001 requirements is management of access control to the company's IT resources.

If you just install Ubuntu on your laptop, all access control will be managed by you directly instead of by your company. So when, for example, your manager wants to fire you, your IT department won't be able to block your local laptop account at a convenient moment.

Of course Linux can be connected to central authentication systems (AD, IPA, CAS etc.), but first your IT department needs to build the required competences (a single employee knowing how to do that is not enough, since all ISO standards require written, repeatable and verifiable processes).

On the other hand, knowledge of how to connect Windows to AD and deploy central authentication is more or less common in IT, so your company probably already has ISO processes for it. Therefore, they allow you to use only Windows.

Ismael Miguel
  • 141
  • 2
  • 8
Tomasz Klim
  • 1,466
  • 12
  • 13
  • 2
    What's the precise requirement you're referring to here? I'm curious because I work for an ISO 27001 company that allows self installs, and we pass the audit each year. – paj28 Jul 04 '15 at 20:20
  • It's defined exactly in ISO/IEC 27002, which is a kind of technical extension to 27001. However, both of them are paid, and I currently don't have access to the full texts. As for self installs, I didn't claim they aren't possible - the company just has to have built the required processes. – Tomasz Klim Jul 04 '15 at 20:30
9

ISO 27001 is* about documenting what you do, how you do it, and what controls you have in place to audit that things are the way they are supposed to be. That means that the typical laptop install is very, very standardized, with known templates (how you do it). The PCs are likely to be joined to an Active Directory with GPOs enforced and monitoring in place (AV, firewall, etc.) for audit purposes.

All of the above means that they won't install your favorite distro, or even software, on your laptop, even if they know how to do it.

*This is in the context of software installs and in very few words; there are entire books dedicated to the subject.

schroeder
  • 123,438
  • 55
  • 284
  • 319
4

This depends entirely on your company's policies and standards. ISO 27001 is a system for managing security, but it has few hard requirements for what the policies and standards actually say.

I work for an ISO 27001 company that allows technical staff to do self installs of an alternative OS. There are certain technical requirements (company hardware, disk encryption, etc.), but once they are met, the self install is treated just like a corporate install. I expect this arrangement is a pretty rare case. Some companies allow BYOD (bring your own device), although typically BYO devices have restricted access.

paj28
  • 32,736
  • 8
  • 92
  • 130
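Two of the answers above turn on the same technical point: a self-installed Linux laptop is only acceptable under a corporate ISMS if its logins are backed by the company directory (so IT can disable access centrally) and it meets the stated baseline, such as disk encryption. The script below is an added example, not code from the question, any of the answers, or any product; it checks a Linux laptop's configuration files for exactly those properties. All sample files (passwd, nsswitch.conf, sssd.conf, crypttab) are constructed here, the allowed-local-accounts policy and the break-glass account name are hypothetical, and the UUID is a placeholder.

```python
from __future__ import annotations

import re

# Constructed sample files: a laptop before (LOCAL_*) and after (CENTRAL_*)
# IT joins it to the directory. None of these are real hosts.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
LOCAL_NSSWITCH = "passwd: files\nshadow: files\n"
LOCAL_SSSD_CONF = ""   # sssd not configured at all
LOCAL_CRYPTTAB = ""    # no LUKS volumes declared

CENTRAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
it-break-glass:x:1000:1000:Local admin:/home/it-break-glass:/bin/bash
"""
CENTRAL_NSSWITCH = "passwd: files sss\nshadow: files sss\n"
CENTRAL_SSSD_CONF = """[sssd]
domains = corp.example
services = nss, pam

[domain/corp.example]
id_provider = ad
access_provider = ad
"""
CENTRAL_CRYPTTAB = "cryptroot UUID=PLACEHOLDER-UUID none luks,discard\n"

# Hypothetical policy: the only local account the company tolerates is a
# documented break-glass admin; everything else must come from the directory.
ALLOWED_LOCAL_ACCOUNTS = {"it-break-glass"}
CENTRAL_ID_PROVIDERS = {"ad", "ipa", "ldap"}


def parse_sssd_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser for sssd.conf: {section: {key: value}}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def local_human_accounts(passwd_text: str) -> list[str]:
    """Ordinary user accounts (uid >= 1000, excluding nobody) in /etc/passwd."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and int(fields[2]) >= 1000 and int(fields[2]) != 65534:
            names.append(fields[0])
    return names


def central_auth_configured(sssd_text: str, nsswitch_text: str) -> bool:
    """True if sssd has a directory-backed domain AND NSS actually consults sss."""
    conf = parse_sssd_conf(sssd_text)
    has_domain = any(
        name.startswith("domain/") and body.get("id_provider") in CENTRAL_ID_PROVIDERS
        for name, body in conf.items()
    )
    nss_uses_sss = any(
        db.strip() == "passwd" and "sss" in sources.split()
        for db, _, sources in (l.partition(":") for l in nsswitch_text.splitlines())
    )
    return has_domain and nss_uses_sss


def disk_encrypted(crypttab_text: str) -> bool:
    """True if at least one LUKS mapping is declared in /etc/crypttab (4th field = options)."""
    return any(
        "luks" in line.split()[3].split(",")
        for line in crypttab_text.splitlines()
        if len(line.split()) >= 4
    )


def evaluate(passwd: str, nsswitch: str, sssd_conf: str, crypttab: str) -> list[str]:
    """Return baseline findings; an empty list means the laptop passes."""
    findings = []
    if not central_auth_configured(sssd_conf, nsswitch):
        findings.append("logins not backed by a central directory; IT cannot disable access remotely")
    for name in local_human_accounts(passwd):
        if name not in ALLOWED_LOCAL_ACCOUNTS:
            findings.append(f"local account '{name}' is outside the directory and cannot be blocked centrally")
    if not disk_encrypted(crypttab):
        findings.append("no LUKS volume in crypttab; data on a lost laptop is readable")
    return findings


if __name__ == "__main__":
    print("self-install:", evaluate(LOCAL_PASSWD, LOCAL_NSSWITCH, LOCAL_SSSD_CONF, LOCAL_CRYPTTAB))
    print("joined:", evaluate(CENTRAL_PASSWD, CENTRAL_NSSWITCH, CENTRAL_SSSD_CONF, CENTRAL_CRYPTTAB))
```

Run on the constructed files, the self-install case produces three findings (no directory, an unmanaged local account, no encrypted volume) and the directory-joined case produces none. The check is deliberately file-based so it can be run by a script IT already controls; in practice the same inputs would be read from `/etc` on the device being audited, and the point of the test is that each control is verifiable from artifacts rather than from an employee's say-so, which is what the ISO process requires.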