The updated version of ISO 27001 in 2022 is visible in Annex A. The latter now has only 93 security controls. As compared to the previous edition’s 14 categories containing 114 controls, this ISO standard is more condensed. Only four categories are now present, which are- physical, organizational, people, and technological. It is time to take a look at how the new additions would assist organizations in handling advanced cyber threats.
How Effective Are The 11 New Security Controls?
Now the question may arise that if the number of security controls has decreased to 93, then how 11 of them are new? Well, this is because some of the similar controls merged while a few of them changed. This refinement gave rise to the new security controls that share common features with some of their older counterparts.
Organizations need not document the implementation of these ISO security controls except for the one related to Configuration Management. Large-sized enterprises only need to create an individual procedure describing the execution of the concerned security control. Smaller companies must include separate guidelines in specific documents for both authorities and users to follow them.
ISO 27001:2022 enforces the protection of IT systems through the users’ accessibility management. An organization must keep track of the traffic on its websites to prevent the entry of malicious codes. Individuals using information illegally from the web often enter such codes to disturb the organization’s data privacy. This security control recommends the restriction of access to specific IP addresses that require protection.
Technical tools such as anti-malware software or determining specific processes are helpful for web filtering. ISO 27001 emphasizes the need to create awareness among employees for safe usage of the internet. System administrators must undergo training to execute web filtering. ISO 27001 doesn’t demand documentation of web filtering rules from an ISMS.
Monitoring IT systems, applications, and networks is crucial for identifying unusual activities and responding to them accordingly. ISO 27001 provides a guideline for what to keep track of. These are mainly:
- The outbound and inbound traffic
- Security tool and event logs
- Code execution
- Chief administrators’ functions
- Performance of system resources
The thought of being checked will keep employees alert of their activities, so informing and explaining to them beforehand, is necessary. IT administrators need to be knowledgeable in the application of monitoring tools. This security control introduces a monitoring system that will determine the methods and responsibilities of examining the areas mentioned above. It prompts an organization to set a cyber security benchmark for detecting activities not complying with it. Besides, reporting any data security breach should also be a part of the system.
Security of software development is another prime concern of ISO 27001:2022. Establishing principles for secure coding is an ISO directive. The application of such principles keeps a check on the vulnerabilities regarding software development. This ISO standard directs the deployment of technical security components like encryption.
An organization must use appropriate tools for software testing and handling attacks resulting from logging errors. Source code protection and maintenance of libraries’ inventory are essential measures to take. ISO 27001 affirms the need to train software developers for the following tasks:
- Determine the secure coding baseline for importing software components externally
- Establish secure coding rules for developing internal software
- Set up a procedure for deciding on libraries and external tools employees will use
- Define the activities before, after, and at the time of coding
- Create processes for threat surveillance and software modification
Prevent data leakage
This ISO 27001 security control focuses on preventing the unauthorized exposure of confidential data. Timely detection of such accidental occurrences in networks, devices, and IT systems is the ultimate solution. To become ISO 27001:2022 compliant, organizations must implement monitoring methods.
Restriction of data uploading, copy, pasting, email quarantine, and obstruction of data downloads to detachable storage devices. These are powerful monitoring techniques. This security control commands that an organization’s employees must be aware of the do’s and don’ts of working with sensitive data. It is essential to inform them about the kind of data the organization is dealing with. The execution procedures should involve the following:
- Data sensitivity detection
- Examination of channels susceptible to data leakage
- Selection of confidential data exposure-blocking technology
- Risk assessment of different technologies applied to sensitive data, like capturing its image on a smartphone
Access control to sensitive information becomes effective on accompanying data masking according to ISO 27001. The 2022 version of this standard instructs the need for observing this security control to secure personal data. Organizations often have to collect and store the private details of their clients and customers. Thus, data masking helps enterprises in offering clarity to consumers about the latter’s data privacy.
Employees require training to deploy obfuscation, encryption, and other pseudonymization tools. The responsibility to teach them how and what type of data to mask lies with the organization’s ISMS. ISO 27001:2022 makes it binding on an enterprise to determine processes regarding:
- Data accessibility control
- Decisions on techniques and defining the kind of data that needs making.
This security control emphasizes the erasure of data when it is not in use. It is crucial to keep data leakage in check. The data deletion applies to data stored in cloud services, removable media, and IT systems. ISO 27001 enforces the secure erasing of unnecessary data in alignment with the organization’s risk assessment or regulatory requirements.
Determining the responsibilities and time of data erasure, what to erase, and deletion methods are critical. Creating awareness among employees regarding the removal of sensitive data that are of no need to their organization is significant. ISO 27001 directs an ISMS to train its participants for the efficient execution of this procedure.
Hardware, software, and networks are subject to configuration management that needs to be secure to avoid unauthorized changes. ISO 27001:2022 demands the review and monitoring of configuration implementation. Smaller companies can easily abide by this security control since they do not require any specific tool for it. Larger companies must utilize relevant software for enforcing defined configurations. To comply with ISO, an enterprise must impart the knowledge of introducing configuration security to its employees. The execution processes involved are:
- Decide on software configuration
- Review and approve the configuration
- Examine the configuration and manage it
According to the rule of ISO 27001:2022, an organization must document its initiatives in deploying this security control.
ISO 27001:2022 ensures that any enterprise with this accreditation must train its employees in monitoring technology usage. They should learn about the risks of the physical entry of unauthorized data users in sensitive areas. Such areas are mostly warehouses, production facilities, and offices. This security control comprises the following measures that an ISMS must take:
- Delegate the monitoring responsibilities
- Define communication channels required for security incident reporting
- Decide on the implementation of both non-technical tools and technology like video monitoring, alarm systems, etc.
Business continuity readiness
An organization must be prepared against significant disruptions in its workflow in the event of a technical or manual crisis. ISO 27001:2022 compels an enterprise to provide information assets to its employees even after suffering an accidental attack. This security control obliges the organization to invest in technology for system resilience. It is crucial for an enterprise to analyze the data security risks and plan solutions accordingly. For instance, the introduction of communication links or data backup. The processes that organizations need to establish are:
- Determine the time for system and data recovery to plan remedies accordingly
- Consider the possible risks and the business requirements for system recovery
- Testing of the business continuity plan
- Maintenance of the technology to be used for disaster recovery
An enterprise must empower its employees with the readiness to face sudden potential setbacks to become ISO-compliant. It should offer professional training to its workers in the maintenance of communication and IT technology.
Cloud service security
ISO 27001 ascertains that an enterprise must be alert about the risks related to its purchase and management of cloud services. This security control affirms the importance of updating the security of cloud services an organization is utilizing. It should determine the security requirements for the secure termination of the existing cloud service. An appropriate criterion is needed for cloud provider selection. ISO directs an organization to set up a procedure for ensuring the authorized use of cloud services. Employees must undergo training in the usage of cloud security features.
This security control emphasizes the implementation of preventive measures following threat information extraction. It calls for the creation of security testing and risk assessment procedures. Organizations need to educate their employees in communicating threat notifications. Details regarding cyber-attack trends, hacking technologies and methods fall within the purview of threat information. An ISMS must collect this information both from external and internal sources. Announcements by government agencies and vendor reports are such sources that enterprises must look into.
ISO 27001:2022 focuses on hardening a company’s IT security by incorporating measures relevant to these security controls. It is not just about technology but the way an organization administers varying cybersecurity procedures. ISO 27001 Lead Implementer Training is just suitable for individuals desiring to sharpen their claws for preventing data privacy breaches.