Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?
As a quick refresher: controls are actions that mitigate security risks. They’re typically defined by three main factors: who performs an activity, the nature of the action, and how often the action happens.
When it comes to the original ISO 27001 framework, there are 114 ISO 27001 controls that address specific security risks to ensure an organization’s information security management system (ISMS) is robust enough to protect sensitive data.
However, with the release of ISO 27001:2022, the number of controls is being reduced to 93 from the original 114 controls.
The main part of ISO 27001 that has been changed pertains to its Annex A controls and domains. This is where controls have been merged, removed, and added.
Previously, Annex A’s 114 controls were divided into 14 categories or domains:
In ISO 27001:2022, the 14 domains have been replaced by four themes:
Furthermore, ISO 27001:2022 controls now have five types of attributes so that they’re easier to categorize:
So, what are the new controls that ISO 27001:2022 has introduced? Let’s take a look at each of those now.
This control requires your organization to gather information both internally and externally about threats, including attack trends as well as technologies and methods attackers are employing. Next, you’ll need to analyze all of this information in order to take appropriate actions to mitigate risk and ensure your organization is safe.
For this control, you’ll need to determine and set security requirements for cloud services, including criteria for selecting a cloud provider, what’s considered acceptable use of the cloud, and requirements when terminating the service. These security measures around buying, utilizing, managing, and canceling the use of cloud services will allow your organization to better protect the information you have stored in the cloud.
The ICT readiness control requires your organization to have its information and communication technology (ICT) ready for potential disruptions. This process will include creating a plan — which includes a thorough understanding of risks as well as business needs for recovery — implementing that plan, setting up a technology maintenance process, and testing your disaster recovery and/or business continuity plans. This control ensures that all required assets and information are available when they’re needed should an incident occur.
For the physical security monitoring control, you’ll need to monitor sensitive areas like warehouses, offices, and other facilities in order to ensure only authorized personnel have access to them. This can include hiring a security guard and/or installing an alarm or video monitoring system. Although no documentation is required for this control by ISO 27001:2022, you may want to independently document what is being monitored, who is in charge of what system and/or who is monitoring a specific area/premises, and more.
The configuration management control requires your organization to manage the whole cycle of security configuration for your technology, including networks, systems, services, software, and hardware. You’ll need to create a process for defining, proposing, implementing, monitoring, reviewing, managing, and approving security configurations. This will help your organization ensure you have a robust security program in place and will also help you avoid any unauthorized changes to your configurations. This control will need to be documented.
For this control, you’ll need to set up a process in order to define which data need to be deleted and when as well as define methods and responsibilities for deletion. This will allow you to effectively and efficiently delete data from networks like your cloud services and IT systems when they’re no longer required. Deleting such data will help you comply with privacy and other security requirements, as well as avoid any leakage of sensitive information.
For this control, you’ll need to set up processes to determine which of your data need to be masked, who can access which type of data, and which methods — like anonymization, encryption, pseudonymization, or obfuscation — will be used in order to mask the data. This data masking and access control will help your organization limit the exposure of sensitive information like personal identifiable information (PII).
This control requires your organization to determine the sensitivity of data, assess the risks of various technologies, monitor channels, and define which technology to use in order to prevent data leakage. This will help you avoid unauthorized disclosure of sensitive information as well as detect any such leaks in a timely manner. It may include implementing measures like encryption, restricting uploads, and disabling downloads across your technology ecosystem in order to keep sensitive data safe.
For this control, you’ll need to continuously monitor your networks, systems, and applications — including log-ons, activity, and traffic — in order to recognize any unusual activity and take appropriate action. You’ll define which systems will be monitored, how they will be monitored, who will be responsible for monitoring what, how to define unusual activity, how to report any incidents, and more.
The web filtering control requires your organization to establish processes to manage which websites your users are accessing, determine which types of websites aren’t allowed, and establish how your web filtering tools are maintained in order to prevent your network and systems from being compromised.
This control ensures your organization is using secure coding principles in order to reduce vulnerabilities in your software. Applying these principles to your software development process can help your organization be safe from tampering, attacks, malicious log-ons, and ensure only safe external apps and tools are allowed.
Are you ready to start preparing for ISO 27001:2022? The good news is if you’re already in the process of achieving ISO 27001:2013, all your work is not lost. In fact, ISO 27001:2013 will not be retired for another three years. However, you may want to start using the new Annex A controls from ISO 27001:2022, and Strike Graph can help with that.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?