The CrowdStrike Outage: A Case for Reinforcing Incident Response with ISO 27001

In July 2024, a botched software update by CrowdStrike led to a significant global IT outage, affecting numerous organisations, including airlines, healthcare systems, and media outlets. Although not a security breach, the incident highlighted vulnerabilities and the critical importance of robust supplier management and incident response protocols. As businesses grapple with the fallout, leveraging established frameworks like ISO 27001 becomes essential to fortify your defences against similar disruptions in the future.

ISO 27001 provides a comprehensive foundation for information security management, emphasising proactive measures and continual improvement. This article explores how businesses can use ISO 27001 to enhance security postures, manage supplier relationships effectively, and ensure robust incident response capabilities.

Understanding the CrowdStrike Incident

On July 19, 2024, a significant IT outage occurred globally due to a faulty software update by CrowdStrike. The incident began in Australia and quickly spread across Asia, Europe, and the Americas. The update, which was intended for CrowdStrike’s Falcon sensor product, caused a severe disruption by creating a “boot loop” issue in Windows devices, rendering them unable to complete their startup process. As a result, millions of devices, including those in critical sectors such as transportation, healthcare, and finance, were affected​.

CrowdStrike responded swiftly by retracting the update and deploying a fix. However, the resolution process was complex and required physical access to affected machines, which further prolonged the downtime for many organisations.

Overview of ISO 27001

ISO 27001 is an internationally recognised information security management system (ISMS) standard. It provides a systematic approach to managing sensitive information and ensuring its security through comprehensive risk management processes. These processes involve people, processes, and IT systems and focus on identifying and mitigating security risks. Key components of ISO 27001 include the development of information security policies, conducting risk assessments, implementing security controls, and fostering continuous improvement through regular monitoring and reviews.

Systematic Risk Management

Implementing ISO 27001 offers a structured framework for identifying and managing information security risks. This approach ensures that all potential threats are considered and addressed, reducing the likelihood of incidents like the CrowdStrike outage. As Jamil Ahmed, Distinguished Engineer at Solace, explained, “The reason the outage was so widespread is due to how ubiquitous the Windows operating system is across various industries. However, diversification of the backend server side, often a flavour of Linux, delivers a silver lining – the screens may be ‘blue’, but the backend should be fine.”

Compliance and Legal Requirements

ISO 27001 helps organisations comply with regulatory standards and avoid legal complications. Many industries are subject to stringent regulations, and ISO 27001 aligns businesses with these requirements. This is particularly relevant for data protection regulations like GDPR. By adhering to ISO 27001, organisations can enhance their security posture and proactively implement security measures. This proactive approach is essential in a digital world where software underpins nearly every aspect of life, from transportation to banking and healthcare.

Enhanced Incident Response and Recovery

Effective incident response and recovery are critical aspects of ISO 27001. The standard requires organisations to have well-defined incident management procedures, enabling them to respond swiftly and effectively to security incidents. This readiness reduces the impact of such incidents, minimising downtime and ensuring a quicker recovery.

Jamie Beckland, Chief Product Officer at APIContext, emphasises the importance of proactive planning: “Sometimes systems go down. Mature organisations consider this possibility in advance and create SLAs to minimise the disruption to business operations. SLAs are crucial to managing suppliers effectively because they document performance expectations and define accountability for service quality.”

Beckland further notes, “In concrete terms, they define penalties for vendor failures, but their soft power is in their ability to create a culture of high availability and quality software. One best practice that’s often overlooked is how a service interruption will be detected or determined. Many teams rely on the vendor to tell them when a system is down, but mature teams use a neutral third party to validate the vendor’s self-reported data. Because implementation configurations vary, system interruptions may not be apparent to the vendor across their entire customer base, even when your application is affected.”

This supplier management and incident detection approach aligns well with ISO 27001’s emphasis on comprehensive risk management and continuous monitoring. By implementing such practices, organisations can enhance their ability to detect and respond to incidents quickly, even when they originate from trusted vendors.

Andras Cser, VP Principal Analyst at Forrester, highlighted the challenges and necessary steps for recovery: “Recovery options for affected machines are manual and thus limited. Administrators must follow CrowdStrike guidance via official channels to work around this issue if impacted.” This underscores the importance of having clear communication channels and procedures for incidents, as outlined in ISO 27001.

Business Continuity Planning

ISO 27001 emphasises the importance of business continuity planning. Ensuring critical systems have redundancy and failover mechanisms is vital for maintaining operations during incidents. This approach not only aids immediate recovery but also protects the organisation’s reputation and client relationships. Investing in robust business continuity plans safeguards organisations against disruptions and ensures a swift return to normalcy. As Neatsun Ziv, CEO at OX Security, noted, “Choosing a vendor who can protect your server as a distinct and valuable portion of the network separate from endpoints is crucial.”

Building Trust with Stakeholders

Implementing ISO 27001 builds trust with stakeholders by demonstrating a commitment to information security. Customers, partners, and regulators are more likely to trust an organisation that follows internationally recognised standards for protecting sensitive information. This trust is crucial for maintaining strong business relationships and ensuring long-term success. Additionally, ISO 27001 promotes a culture of continuous improvement, with regular audits and updates to the information security management system (ISMS) to effectively address new and emerging threats.

Continuous Improvement

ISO 27001 fosters a culture of continuous improvement in information security practices. Regular audits, reviews, and updates ensure that security measures evolve to address new and emerging threats. This dynamic approach keeps the organisation’s security posture strong over time. In the context of the CrowdStrike incident, leveraging ISO 27001 can help businesses better manage and mitigate the risks associated with updates and change management in information security. By adopting this standard, organisations can improve their resilience against similar disruptions, ensuring they are better prepared to handle incidents and maintain business continuity.

The CrowdStrike incident is a stark reminder of the interconnectedness and vulnerabilities within our digital infrastructure. Leveraging ISO 27001 can significantly enhance an organisation’s ability to manage and mitigate the risks associated with updates and change management in information security. By adopting this standard, businesses can improve their resilience against similar disruptions, ensuring they are better prepared to handle incidents and maintain business continuity.