ThreatLocker as an ISO 27001 Annex A Control

15 min. read. Last update: 04.27.2023


Annex A.6 - Organization of Information Security

  • 6.1.2 Segregation of Duties  
    • ThreatLocker can help create a least-privileged environment using Application Allowlisting by restricting what applications can run, who can use them, and when. 
    • Ringfencing can restrict the function of applications down to only what is necessary for business.
    • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.  
  • 6.2.1 Mobile Device Policy
    • Utilizing Storage Control and setting up Remote Presence, you can prevent any device that is not running ThreatLocker from accessing data locations that you specify.  
    • ThreatLocker Storage Control can also prevent removable storage devices from accessing data.
    • Application Allowlisting limits what applications can be installed on mobile devices that are running ThreatLocker.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.   
  • 6.2.2 Teleworking
    • Utilizing Storage Control and setting up Remote Presence, you can prevent any device that is not running ThreatLocker from accessing data locations that you specify.  
    • ThreatLocker Storage Control can also prevent removable storage devices from accessing data.
    • Application Allowlisting limits what applications can be installed on mobile devices that are running ThreatLocker.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.   

Annex A.8 - Asset Management

  • 8.1.1 Inventory Of Assets
    • The Computers Page in the ThreatLocker portal will provide an inventory of all endpoints that have ThreatLocker installed. This will include a record of the OS version and build, the last time the device was online, and what IP address it checked in from.
  • 8.2.3 Handling of Assets
    • ThreatLocker Storage Control enables you to limit access to CUI (Controlled Unclassified Information) on system media to only authorized users.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.   
  • 8.3.1 Management of Removable Media
    • Utilizing Storage Control, you can control the use of removable media on system components and restrict the use of portable storage devices to only the exact devices you have specified. Storage Control can also be used to enforce encryption on removable media.
    • The Unified Audit provides a transactional history of file access in near real-time. By default, these non-editable logs are kept for 30 days, but that time can be extended based on an organization's needs.

Annex A.9 - Access Control

  • 9.1.2 Access to Networks and Network Services
    • Storage Control can be configured to only allow access to the specific files or folders needed for each application and/or user.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.    
  • 9.2.2 User Access Provisioning
    • Utilizing Storage Control you can allow and revoke access to specific files or folders by specific users.
    • Application Allowlisting provides the ability to allow applications only to specified groups and/or users so you can permit only what is necessary for an employee's job.
  • 9.2.3 Management of Privileged Access Rights
    • Elevation Control enables you to limit or eliminate local administrator accounts and only allow elevated privileges for what is necessary, even down to a single file if that is all that needs elevated privileges.
    • Using Ringfencing you can put boundaries on the applications you have allowed with Elevation to only do what is needed and prohibit application hopping.  
    • Configuration Manager provides the ability to disable the local admin account.
  • 9.2.6 Removal or Adjustment of Access Rights
    • Utilizing Storage Control you can allow and revoke access to specific files or folders by specific users.
    • Application Control provides the ability to allow applications only to specified groups and/or users so you can permit only what is necessary for an employee's job.
    • Adjustments to Storage Control or Application Allowlisting can only be performed by an administrator on your ThreatLocker account that has privileges to make those changes. 
    • Configuration Manager provides the ability to disable the local admin account, or change the password on the local admin account.
  • 9.4.1 Information Access Restriction
    • Application Allowlisting allows you to specify which users can use which applications, limiting file execution permissions.
    • With Storage Control you can limit file access to only specific programs or users or file types and can specify if file access is read-only or read and write.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use. 
  • 9.4.4 Use of Privileged Utility Programs
    • Application Allowlisting can block specific tools that aren't wanted in your environment, including PowerShell or Command Prompt commands, and limit which users can use those tools. No utility program will be able to execute unless you have created a policy to allow it.
  • 9.4.5 Access Control to Program Source Code
    • Utilizing Storage Control you can prohibit access to the location of your source code and permit only the necessary users to access it.
    • The Unified Audit will record all users who accessed, or attempted to access, the location of your source code specified in your Storage Control policy.

Annex A.11 - Physical & Environmental Security

  • 11.1.4 Protecting against External & Environmental Threats
    • Application Allowlisting blocks by default; no applications, scripts, or libraries can run without being permitted.
    • Ringfencing places boundaries on applications to prevent them from interacting with the powerful built-in Windows tools, the registry, the internet, or files.
    • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.  
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.   
  • 11.2.6 Security of Equipment & Assets Off-Premises
    • Storage Control can be used to limit access to data locations and enforce encryption on removable devices.
    • Configuration Manager can be used to enforce BitLocker on ThreatLocker protected devices.
    • Remote Presence will prevent a device without ThreatLocker from accessing chosen data locations.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.  
  • 11.2.9 Clear Desk & Screen Policy
    • Storage Control can be utilized to prevent users from saving any documents on the PC's desktop.

Annex A.12 - Operational Procedures and Responsibilities

  • 12.2.1 Controls Against Malware
    • Application Allowlisting will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, providing protection against malicious code being run in your environment.
    • Ringfencing provides boundaries for your permitted applications, preventing them from accessing Windows' powerful built-in tools, your files, the internet, or the registry.
    • Storage Control can prevent the use of removable media, or allow only specific serial numbered devices.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters. 
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.    
  • 12.4.1 Event Logging
    • The Unified Audit provides a central location to view all actions made on the endpoints in your environment. The user and computer the action took place on or attempted to take place on will be recorded in near real-time in the Unified Audit. These audits are stored for 30 days, but that time can be extended if needed. 
  • 12.4.2 Protection of Log Information
    • ThreatLocker protects the Unified Audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be altered or deleted by anyone unless those logs go past the specified retention time period, which is 30 days by default.
  • 12.4.3 Administrator & Operator Logs
    • The Unified Audit will log all activity performed by any user and will label all actions performed with local admin privileges as such. All actions performed by the SYSTEM account will also be logged and labeled.
  • 12.4.4 Clock Synchronization
    • ThreatLocker can assist in synchronizing the timestamps of logs. All audit logs will include a date/time stamp down to the second and will be set to the timezone of the organization.
  • 12.5.1 Installation of Software on Operational Systems 
    • ThreatLocker can achieve this objective. Application Allowlisting provides the ability to control and monitor all software installed in your environment. No user can install software unless you have permitted it.
    • The Unified Audit will provide a log of all software that is installed or attempted to be installed.
  • 12.6.1 Management of Technical Vulnerabilities 
    • ThreatLocker can assist in remediating technical vulnerabilities. Application Allowlisting prohibits anything you haven't specifically permitted from running in your environment.
    • Ringfencing can be configured to eliminate the ability of applications to access the powerful built-in Windows tools that are commonly exploited.
    • Elevation Control enables you to eliminate local admin accounts, reducing the risk of abusing these privileged accounts.
    • Storage Control provides the capability to control access to your protected shares.
    • Remote Presence will ensure that no device without ThreatLocker can access your valuable shares.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.  
    • ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.  
  • 12.6.2 Restrictions on Software Installation
    • ThreatLocker can achieve this objective. Application Allowlisting provides the ability to control all software installed in your environment. No user can install and run software unless you have permitted it. Not even a web extension will be permitted unless you have set a policy to allow it.

Annex A.13 - Communications Security

  • 13.1.1 Network Controls
    • Through Ringfencing you can restrict all network access for any application and only allow it on an exception basis as you deem necessary.
    • Using Storage Control you can prevent unauthorized access to shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
    • Remote Presence will ensure that no device without ThreatLocker can access any data locations that you have specified.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.    
  • 13.1.3 Segregation in Networks
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved departments or devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.     
    • Using Storage Control you can prevent unauthorized access to shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
  • 13.2.1 Information Transfer Policies & Procedures
    • Using Storage Control you can prevent unauthorized information transfer via shared system resources by creating policies to only allow specific applications and/or users to access specific files, folders, or file types.
    • Storage Control can be used to enforce encryption on all removable storage media.
    • Configuration Manager can be used to enforce BitLocker encryption on ThreatLocker protected PCs.
    • The Unified Audit will log all activity that has an associated Storage Control policy, providing timestamped visibility of file access, moves, and deletes along with the user that performed the activity. You will see the location of the file, the name of the file, and who manipulated it. In the case of a move, you will see where it has been moved to.

Annex A.14 - System Acquisition, Development & Maintenance

  • 14.1.2 Securing Application Services on Public Networks
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use. 
    • Network connections or attempted connections will be logged in the Unified Audit.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.   
  • 14.1.3 Protecting Application Services Transactions
    • The Unified Audit provides ongoing monitoring of all actions on your endpoints in near real-time.
    • ThreatLocker utilizes HTTPS for secure internet communication.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use. 
    • Network connections or attempted connections will be logged in the Unified Audit.
  • 14.2.4 Restrictions on Changes to Software Packages
    • Application Allowlisting provides the ability to control and monitor all software installed in your environment. No user can modify software unless you have permitted the modification.

Annex A.16 - Information Security Incident Management

  • 16.1.4 Assessment of & Decision on Information Security Events
    • The Unified Audit keeps a near real-time log of events in your environment which can be used when assessing any potential security event.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.   
  • 16.1.7 Collection of Evidence
    • The Unified Audit keeps a near real-time log of events in your environment which can be used when collecting evidence. These logs are kept for 30 days, but this time can be extended.    
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.  

Annex A.18 - Compliance

  • 18.1.3 Protection of Records
    • ThreatLocker protects the Unified Audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be edited or deleted by anyone unless those logs go past the specified retention time period.
    • Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Permit access to protected data locations to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.  
    • ThreatLocker Storage Control can be used to enforce encryption on removable storage devices.
    • Configuration Manager can be used to enforce BitLocker encryption on protected computers to assist in protecting sensitive data records.
