With the rapid evolution of the digital age, information security has become an issue that organizations cannot ignore. In response to changing threats and challenges, the International Organization for Standardization (ISO) has added 11 new control measures to ISO 27001:2022 to further strengthen information security protection and ensure that organizations can continue to respond to risk. The following introduces these new measures one by one, with practical examples and operational suggestions.
1. Threat Intelligence (5.7)
The new version of ISO 27001 emphasizes the collection and analysis of information security threat intelligence to provide organizations with more accurate threat awareness and take appropriate response actions. For example, for major vulnerabilities such as Log4j, or for DDoS attacks, organizations should develop corresponding protection measures and conduct event analysis to accumulate insights into future threats. In addition, organizations should establish sound evidence records to support effective analysis and response to threat intelligence.
2. Information security using cloud services (5.23)
With the popularity of cloud computing, the new version of ISO 27001 emphasizes information security requirements when using cloud services. Organizations should develop processes applicable to cloud services based on their information security needs, including the processes for obtaining, using, managing, and exiting cloud services. For example, organizations should work with cloud service providers to clearly outline the relevant terms of information security to ensure that the use of cloud services will not lead to information leakage or increased risks.
3. ICT readiness for business continuity (5.30)
The new version of ISO 27001 emphasizes the critical role of information and communication technologies (ICT) in business continuity. Organizations should plan, implement, maintain and test ICT readiness against business continuity objectives. Organizations need to ensure the availability of information and related assets during service outages. For example, organizations should evaluate the reliability of offsite redundancy options to ensure that business operations can be quickly restored in the event of a service outage.
4. Physical Security Monitoring (7.4)
The new version of ISO 27001 emphasizes physical security monitoring of premises to prevent access by unauthorized entities. This includes continuous monitoring of premises to detect and prevent entry by any unauthorized entity. For example, organizations can deploy devices such as surveillance cameras and intrusion detectors to monitor the security status of their premises in real time.
5. Configuration management (8.9)
The new version of ISO 27001 emphasizes the security configuration management of hardware, software, services and networks. The organization should establish, document, implement, monitor and review configurations to ensure they are functioning properly and have security settings in place. For example, organizations can establish standard configuration templates that specify requirements for password management, security configuration, etc., and ensure that these requirements are implemented throughout the entire life cycle.
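One way to make a "standard configuration template" checkable is to encode it as a baseline and compare each host's actual settings against it. The following is an added example, not code from the page or from ISO; the baseline keys, the sshd-style "Key value" syntax and the sample configuration are all constructed for illustration.

```python
# Added example (not code from the page or ISO): compare a host's
# configuration with a baseline template and report drift (control 8.9).
# The baseline keys and the sshd-style "Key value" syntax are assumptions.
BASELINE = {
    "PasswordAuthentication": ("eq", "no"),   # exact value required
    "PermitRootLogin": ("eq", "no"),
    "MaxAuthTries": ("le", 4),                # at most 4 attempts
    "MinPasswordLength": ("ge", 12),          # hypothetical password-policy key
}


def parse_config(text):
    """Parse 'Key value' lines; '#' starts a comment; a later key overrides."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.strip()] = value.strip()
    return settings


def check_drift(settings, baseline=BASELINE):
    """Return (key, expected, actual) findings; an empty list means compliant."""
    findings = []
    for key, (op, expected) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, f"{op} {expected}", "missing"))
        elif op == "eq":
            if actual.lower() != str(expected).lower():
                findings.append((key, f"{op} {expected}", actual))
        else:  # numeric bound: "le" or "ge"
            ok = actual.isdigit() and (
                int(actual) <= expected if op == "le" else int(actual) >= expected)
            if not ok:
                findings.append((key, f"{op} {expected}", actual))
    return findings


# Constructed sample configuration with deliberate deviations from the baseline.
SAMPLE_CONFIG = """\
# sshd-style syntax, constructed for this example
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 6
"""

if __name__ == "__main__":
    print(check_drift(parse_config(SAMPLE_CONFIG)))
```

Running the check on every host on a schedule, and again whenever a change ticket closes, is what turns the template into a life-cycle control rather than a one-off build document.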
6. Information deletion (8.10)
The new version of ISO 27001 emphasizes the management of information deletion to prevent the disclosure of sensitive information that is no longer needed. Organizations should delete information when it is no longer required, consistent with legal, statutory, regulatory and contractual requirements. Operational suggestions include establishing approved deletion methods, retaining evidence of deletion, recording the deletion time, etc.
7. Data Masking (8.11)
The new version of ISO 27001 emphasizes the need for data masking to protect sensitive data such as personally identifiable information (PII). Organizations should limit exposure of sensitive information based on subject-specific access policies. For example, de-identification, anonymization, etc. can be performed to protect sensitive information.
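The de-identification mentioned above can be applied per field: some values are partially masked, some redacted outright, and identifiers that must remain joinable are replaced by keyed pseudonyms. The following is an added example, not code from the page; the field names, the masking policy and the key are constructed for illustration.

```python
# Added example (not code from the page): field-level masking and keyed
# pseudonymization of PII records, one way to apply control 8.11. Field
# names, the policy and the key are constructed for this example.
import hashlib
import hmac
import re

# Secret kept outside the masked dataset; rotating it breaks linkability
# between releases. Constructed value, never reuse it.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymize(value: str) -> str:
    """Deterministic, non-reversible token: equal inputs give equal tokens,
    so records stay joinable without exposing the real identifier."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain: a***@example.org."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}" if local and domain else "***"


def mask_phone(phone: str) -> str:
    """Keep only the last four digits, as on a printed receipt."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"


# Masking policy: which transformation applies to which field.
POLICY = {
    "customer_id": pseudonymize,
    "name": lambda _value: "[REDACTED]",
    "email": mask_email,
    "phone": mask_phone,
}


def mask_record(record: dict, policy=POLICY) -> dict:
    """Apply the policy; fields it does not name (non-PII) pass through."""
    return {k: policy[k](v) if k in policy else v for k, v in record.items()}


# Constructed sample record.
SAMPLE = {"customer_id": "C-1001", "name": "Ada Example",
          "email": "ada@example.org", "phone": "+1 555-010-1234", "plan": "gold"}

if __name__ == "__main__":
    print(mask_record(SAMPLE))
```

The pseudonym key is the part that must be protected: whoever holds it can confirm whether a guessed identifier matches a token, so it belongs with the production secrets, not with the masked extract.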
8. Data leakage prevention (8.12)
The new version of ISO 27001 emphasizes data leakage prevention measures to ensure that unauthorized information disclosure is effectively prevented. This can be achieved through technical measures such as firewalls and other network security controls that protect information from unauthorized access or disclosure.
9. Monitoring activities (8.16)
The new version of ISO 27001 emphasizes the monitoring of various activities, including network traffic, system anomalies, login activity, etc. Organizations should establish effective monitoring mechanisms to detect abnormal behavior and respond quickly. For example, organizations can use log monitoring, intrusion detection and similar tools to monitor information systems.
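Monitoring login activity for abnormal behavior means turning a stream of log lines into a small number of alerts a responder can act on. The following is an added example, not code from the page; the log format, thresholds and addresses are constructed for illustration, and it flags both a burst of failed logins from one address and any later success from that address.

```python
# Added example (not code from the page): detection logic over constructed
# authentication log lines, illustrating the login monitoring of control
# 8.16. The log format, thresholds and IP addresses are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag an IP once `threshold` failures fall inside `window`, and flag
    any later success from a flagged IP (the event a responder wants first)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # malformed lines are skipped, not trusted
        ip, ts = event["ip"], event["ts"]
        if event["result"] == "FAIL":
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts.isoformat()))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, event["user"]))
    return alerts


# Constructed log: five failures in 40 seconds, then a success from that IP.
SAMPLE_LOG = [f"2024-05-01T10:00:{s:02d} auth FAIL user=admin ip=203.0.113.7" for s in (0, 10, 20, 30, 40)] + [
    "2024-05-01T10:01:00 auth OK user=admin ip=203.0.113.7",
    "2024-05-01T10:01:30 auth OK user=bob ip=198.51.100.2",
    "garbage line that should be ignored",
]
```

Calling `detect(SAMPLE_LOG)` yields one brute-force alert for 203.0.113.7 followed by a success-after-failures alert for the same address; the benign login from 198.51.100.2 produces nothing.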
10. Web security protection (8.23)
The new version of ISO 27001 emphasizes the management of access to external websites to reduce exposure to malicious content. Organizations should ensure that access to external websites is strictly monitored to prevent malware and unauthorized access to network resources.
11. Secure Coding (8.28)
The new version of ISO 27001 emphasizes security requirements for software development. Organizations should establish secure coding practices and address requirements such as code preservation and version control during development. In addition, for open source vulnerabilities, organizations should apply effective security management before, during and after development to ensure program security.
In summary, the 11 new control measures in the new version of ISO 27001:2022 further strengthen the organization's information security protection in the digital environment. Organizations should fully understand these measures and implement and manage them accordingly according to their business needs to ensure that information security is fully protected.
In conclusion, with the advent of the digital era, information security has become more critical than ever. The latest version of ISO 27001:2022 introduces 11 new control measures, further strengthening an organization’s preparedness and response capabilities against evolving information security threats. These measures cover multiple key areas, including threat intelligence collection and analysis, cloud service usage, business continuity preparedness, physical security monitoring, data deletion, and data masking. By effectively implementing these controls, organizations can better protect sensitive information, mitigate potential risks, ensure business sustainability, and maintain agility in responding to various security challenges. Therefore, organizations should closely monitor these new measures and integrate them into their information security management system (ISMS) to maintain robust information security protection in today’s modern digital environment.