- Free Edition
- Quick links
- Active Directory management
- Active Directory reporting
- Active Directory delegation
- Active Directory permissions management and reporting
- Active Directory automation
- Governance, risk, and compliance
- Microsoft 365 management and reporting
- Microsoft 365 management and reporting
- Microsoft 365 management
- Microsoft 365 reports
- Microsoft 365 user management
- Microsoft 365 user provisioning
- Microsoft 365 license managementn
- Microsoft 365 license reports
- Microsoft 365 group reports
- Dynamic distribution group creation
- Dynamic distribution group reports
- Exchange management and reporting
- Active Directory integrations
- Popular products
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS), jointly developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The updated 2022 version provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an ISMS.
Understanding ISO compliance is crucial for organizations seeking to systematically manage sensitive information, ensuring its confidentiality, integrity, and availability. ISO compliance standards like ISO/IEC 27001:2022 help organizations of all sizes and sectors identify security risks, implement appropriate controls, and demonstrate compliance with globally recognized best practices for information security governance, risk management, and ISO regulatory compliance.
What are the ISO/IEC 27001:2022 compliance requirements?
ISO 27001 compliance requirements mandate that organizations establish a robust ISMS by following a structured set of policies, procedures, and controls designed to manage information risks.
The key ISO compliance requirements include:
- Clearly identifying information assets, processes, and systems.
- Identifying and evaluating information security risks to determine appropriate controls.
- Applying controls to mitigate or manage identified risks based on risk acceptance criteria.
- Creating and maintaining a high-level policy that reflects management's commitment to information security.
- Defining the security responsibilities and ensuring that personnel are aware of them.
- Maintaining documented information to demonstrate compliance.
How to be ISO/IEC 27001:2022 compliant with ManageEngine ADManager Plus
Achieving ISO compliance requires a structured approach to managing information security risks and implementing effective controls. Our ISO compliance software, ManageEngine ADManager Plus, can significantly support compliance efforts by strengthening identity and access management, enforcing least privilege principles, and delivering audit-ready reports. Following an ISO 27001 compliance checklist approach ensures systematic implementation of required controls.
How ADManager Plus helps meet information security management requirements
Planning, operation, and performance evaluation
6.1.2: Information security risk assessment
Description
The organization shall define and apply an information security risk assessment process that:
- establishes and maintains information security risk criteria that include:
- the risk acceptance criteria; and
- criteria for performing information security risk assessments;
- ensures that repeated information security risk assessments produce consistent, valid, and comparable results;
- identifies the information security risks:
- apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the information security management system; and
- identify the risk owners;
- analyses the information security risks:
- assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
- assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
- determine the levels of risk;
- evaluates the information security risks:
- compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
- prioritize the analyzed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process.
How ADManager Plus helps
The Identity Risk Assessment report serves as a comprehensive ISO compliance report that provides insights into your Active Directory (AD) and Microsoft 365 environments. It:
- Analyzes potential risk factors that could lead to security attacks.
- Displays risk indicators with severity levels and exposure percentages.
- Provides remediation measures and risk scores.
- Supports regular ISO compliance reporting through periodic assessments.
- Exports in the following formats: XLS, CSV, HTML, and PDF.
6.1.3: Information security risk treatment
Description
The organization shall define and apply an information security risk treatment process to:
- select appropriate information security risk treatment options, taking account of the risk assessment results.
How ADManager Plus helps
Risk treatment
- Take on-the-fly actions to mitigate identified risks from the Identity Risk Assessment report.
- Implement appropriate measures based on risk assessment results.
- Strengthen security posture through immediate remediation.
8.2: Information security risk assessment
Description
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking into account of the criteria established in 6.1.2
- The organization shall retain documented information of the results of the information security risk assessments.
How ADManager Plus helps
Continuous risk monitoring
- Detailed risk assessment
- Documentation retention features
- Comprehensive audit trails
9.1: Monitoring, measurement, analysis, and evaluation
Description
The organization shall determine:
- what needs to be monitored and measured, including information security processes and controls;
- the methods for monitoring, measurement, analysis, and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
- when the monitoring and measuring shall be performed;
- who shall monitor and measure;
- when the results from monitoring and measurement shall be analyzed and evaluated;
- who shall analyze and evaluate these results. Documented information shall be available as evidence of the results. The organization shall evaluate the information security performance and the effectiveness of the information security management system.
How ADManager Plus helps
Monitoring and reporting
- Leverage over 200 preconfigured reports for detailed AD and Microsoft 365 insights.
- Monitor user logon times, expired passwords, disabled users, and more.
- Utilize automated scheduled report generation and email distribution.
- Export in multiple formats, including PDF, XLS, CSV, and HTML.
- The user-friendly interface eliminates complex PowerShell scripts.
How ADManager Plus helps meet information security controls
Organizational controls (5.x)
Description
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on busi-ness and information security requirements.
How ADManager Plus helps
Granular access management
- Manage group memberships and folder permissions.
- Run access certification campaigns to review and validate existing access rights.
- Ensure access remains necessary and appropriate.
Description
The full life cycle of identities shall be managed.
How ADManager Plus helps
Complete identity life cycle automation
- Automate user provisioning with predefined templates.
- Ensure consistent access rights from day one.
- Manage user attributes and group memberships.
- Automated deprovisioning upon user departure.
- Integrate with third-party applications.
Description
Access rights to information and other associated assets shall be provisioned, reviewed, modified, and removed in accordance with the organization’s topic-specific policy on and rules for access control
How ADManager Plus helps
Policy-based access management
- Template- and workflow-based provisioning and deprovisioning
- Robust reporting for regular access rights reviews
- Easy modification and revocation of access rights
- Access certification campaigns for periodic validatio
Description
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
How ADManager Plus helps
Security event intelligence
- Track and report critical AD changes (i.e., failed logins or lockouts).
- Identity risk assessment highlights suspicious activities.
- Provide immediate remediation actions.
- Feed data into SIEM systems for comprehensive analysis with integration.
Description
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
How ADManager Plus helps
Rapid incident response
- Perform quick actions like disabling compromised accounts or resetting passwords.
- Modify group memberships to isolate affected entities.
- Use historical data for post-incident analysis.
- Leverage comprehensive report trails for forensic investigation.
Description
The organization shall plan how to maintain information security at an appropriate level during disruption.
How ADManager Plus helps
Business continuity support
- Automation reduces manual errors during disruptions.
- The web-based interface enables remote AD management.
- The solution offers quick provisioning and deprovisioning for secure recovery.
- It has backup and recovery capabilities for configurations.
Description
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
How ADManager Plus helps
ICT infrastructure support
- Simplify critical AD management.
- Identify vulnerabilities and take immediate actions.
- Automate access management.
- Support effective backup and recovery strategies.
Description
Compliance with the organization’s information security policy, top-ic-specific policies, rules, and standards shall be regularly reviewed.
How ADManager Plus helps
Comprehensive compliance monitoring
- Extensive compliance reports on accounts, groups, and permissions
- Regular auditing and verification capabilities
- Customizable reports for specific requirements
- Access certification campaigns for compliance proof
People Controls (6.x)
Description
The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
How ADManager Plus helps
Event investigation support
- Identity risk assessment enables security team investigations.
- Audit capabilities track changes and suspicious activities.
- Validation tools confirm or deny reported incidents.
Technological Controls (8.x)
Description
Backup copies of information, software, and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
How ADManager Plus helps
AD backup management
- Perform comprehensive AD backups.
- Maintain the AD environment so it's ready for backup and recovery.
- Support disaster recovery procedures.
Benefits of using ADManager Plus to comply with ISO/IEC 27001:2022
- Identity Risk Assessment report: ADManager Plus offers a specialized ISO compliance reporting tool that identifies risk indicators across your AD and Microsoft 365 environments. It assigns severity levels, calculates a risk exposure percentage, and suggests remediation measures. This ISO 27001 compliance report evaluates your organization's security posture, allowing you to prioritize risk treatment strategies.
- Automated workflows: By creating rule-based automation for account cleanup or deprovisioning, the platform helps enforce the outcomes of risk treatment policies effectively, supporting ISO regulatory compliance requirements.
- Over 200 preconfigured security reports: ADManager Plus provides more than 200 out-of-the-box schedulable and exportable reports that monitor user logon activity, GPO changes, inactive accounts, permission changes, and more—ensuring transparency and measurable outcomes. These comprehensive ISO compliance reports enable continuous monitoring required by ISO compliance standards.
- Role-based access control: Define granular roles and delegate specific AD tasks to technicians, enforcing segregation of duties and minimizing insider threats.
- Access certification campaigns: Keep a check on access permissions granted to users with periodic access certification campaigns, maintaining ISO compliance through proper access governance.
Compliance reporting excellence
Transform your ISO 27001 compliance reporting with:
- Automated report generation: Schedule and distribute reports automatically.
- Multiple export formats: Export to PDF, XLS, CSV, or HTML for various stakeholder needs.
- Real-time risk scoring: Understand your security posture at a glance.
- Customizable dashboards: Tailor views to specific ISO compliance requirements.
