With the rapid evolution of the digital age, information security has become an important issue that organizations cannot ignore. In response to evolving threats and challenges, the International Organization for Standardization has added 11 new controls to ISO 27001:2022 to further strengthen information security protection measures to ensure that organizations can continuously address risks. The following will introduce these new measures one by one, and provide practical examples and operational suggestions.
1. Threat Intelligence (5.7)
The new version of ISO 27001 emphasizes the collection and analysis of information security threat intelligence so that organizations have more accurate threat awareness and can take appropriate response actions. For example, in response to major vulnerabilities such as Log4j, or to DDoS attacks, organizations should develop corresponding protection measures and conduct incident analysis to build up insight into future threats. In addition, organizations should keep a complete record of the evidence gathered so that threat intelligence can be analyzed and acted on effectively.
2. Information security when using cloud services (5.23)
With the popularity of cloud computing, the new version of ISO 27001 emphasizes the information security requirements when using cloud services. Organizations should develop processes applicable to cloud services based on their information security needs, including the processes for acquiring, using, managing and exiting cloud services. For example, organizations should work with cloud service providers to clearly outline relevant information security terms to ensure that the use of cloud services does not lead to information leakage or increased risks.
3. ICT preparedness for business continuity (5.30)
The new version of ISO 27001 emphasizes the key role of information and communications technology (ICT) in business continuity. Organizations should plan, implement, maintain and test ICT readiness in line with business continuity objectives. In the event of a service disruption, organizations need to ensure the availability of information and related assets. For example, organizations should evaluate the reliability of offsite backup solutions to ensure that business operations can be quickly restored in the event of a service disruption.
4. Physical security monitoring (7.4)
The new version of ISO 27001 emphasizes physical security monitoring of operating premises, including continuous monitoring, to detect and prevent entry by unauthorized entities. For example, organizations can set up surveillance cameras, intrusion detectors and other devices to monitor the security status of operating sites in real time.
5. Configuration Management (8.9)
The new version of ISO 27001 emphasizes the security configuration management of hardware, software, services and networks. Organizations should establish, document, implement, monitor, and review configurations to ensure they are functioning properly and are secure. For example, organizations can establish standard configuration templates that specify requirements such as password management and secure configuration, and ensure that these requirements are implemented throughout the lifecycle.
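One way to turn a standard configuration template into a repeatable check, as an added illustration that is not part of the original article: a small baseline of required settings is compared with a deployed configuration and every deviation is reported. The baseline values, the sample sshd_config text and the directive names used here are constructed for the example.

```python
# Constructed baseline: the settings the organization's standard template requires.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "MaxAuthTries": "3",
    "X11Forwarding": "no",
}

# Constructed sample of a deployed sshd_config (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""


def parse_config(text: str) -> dict:
    """Return {directive: value}, ignoring comments and blank lines; last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_drift(actual: dict, baseline: dict = BASELINE) -> list:
    """List (directive, expected, found) for each baseline item that is missing or differs."""
    findings = []
    for key, expected in baseline.items():
        found = actual.get(key)
        if found is None or found.lower() != expected.lower():
            findings.append((key, expected, found))
    return findings


if __name__ == "__main__":
    for directive, expected, found in check_drift(parse_config(SAMPLE_SSHD_CONFIG)):
        print(f"DRIFT {directive}: expected {expected!r}, found {found!r}")
```

Running the same check on every host at build time and on a schedule afterwards is what "monitor and review configurations throughout the lifecycle" looks like in practice.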
6. Information Deletion (8.10)
The new version of ISO 27001 emphasizes the management of information deletion to prevent the leakage of unnecessary sensitive information. Organizations should delete information when it is no longer needed in accordance with legal, regulatory, supervisory and contractual requirements. Operational suggestions include establishing deletion methods, preserving evidence, and recording deletion times.
7. Data Masking (8.11)
The new version of ISO 27001 emphasizes the need for data masking to protect sensitive data such as personally identifiable information (PII). Organizations should limit exposure of sensitive data in line with their topic-specific policy on access control. For example, de-identification and anonymization can be performed to protect sensitive information.
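The de-identification techniques mentioned above, shown as an added example that is not from the original article: a customer record is masked field by field using keyed pseudonymization (a stable token that cannot be reversed without the key), partial masking of contact details and generalization of a date of birth to the year. The record, field names and key are constructed for the example.

```python
import hmac
import hashlib
import re

# Constructed sample record (not real data); the field names are assumptions.
SAMPLE_RECORD = {
    "customer_id": "C-10492",
    "name": "Alice Example",
    "email": "alice.example@example.com",
    "phone": "+44 7700 900123",
    "date_of_birth": "1987-04-12",
    "order_total": "129.90",
}

# Pseudonymization key: held by the data owner, never shipped with the masked data.
PSEUDONYM_KEY = b"rotate-me-in-production"

def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC: stable token usable for joins, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_email(email: str) -> str:
    """Keep the first character and the domain, e.g. a***@example.com."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}" if local and domain else "***"

def mask_phone(phone: str) -> str:
    """Keep only the last two digits of the number."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 2) + digits[-2:] if len(digits) > 2 else "***"

def generalise_dob(dob: str) -> str:
    """Reduce a full date of birth (YYYY-MM-DD) to the year only."""
    return dob[:4]

def mask_record(record: dict) -> dict:
    """Apply a field-level masking policy; fields not in the policy pass through unchanged."""
    policy = {
        "customer_id": pseudonymise,
        "name": lambda v: "REDACTED",
        "email": mask_email,
        "phone": mask_phone,
        "date_of_birth": generalise_dob,
    }
    return {k: policy.get(k, lambda v: v)(v) for k, v in record.items()}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
```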
8. Data Leakage Prevention (8.12)
The new version of ISO 27001 requires data leakage prevention measures to be applied so that unauthorized information disclosure is effectively prevented. This can be achieved through technical measures such as firewalls and other network security controls, to ensure that information is not accessed or disclosed without authorization.
9. Monitoring activities (8.16)
The new version of ISO 27001 emphasizes the monitoring of various activities, including network traffic, system anomalies, login status, etc. Organizations should establish effective monitoring mechanisms to detect abnormal behavior and respond quickly. For example, organizations can use monitoring and detection tools to keep watch over their information systems.
10. Web Security Protection (8.23)
The new version of ISO 27001 emphasizes the management of access to external websites to reduce exposure to malicious content. Organizations should ensure that access to external websites is strictly monitored to prevent malware damage and avoid access to unauthorized network resources.
11. Secure Coding (8.28)
The new version of ISO 27001 emphasizes security requirements for software development. Organizations should establish secure coding practices and take security requirements, version control, etc. into account during the development process. In addition, for vulnerabilities in open source components, organizations should apply effective security management before, during, and after development to ensure the security of the program.
In summary, the 11 new controls in the new version of ISO 27001:2022 further strengthen the information security protection of organizations in digital environments. Organizations should fully understand these measures and implement and manage them accordingly based on their business needs to ensure that information security is fully protected.
In conclusion, with the advent of the digital age, information security has become more critical than ever. The latest version of ISO 27001:2022 introduces 11 new controls that further strengthen organizations’ preparedness and response capabilities in the face of evolving information security threats. These measures cover a number of key areas, from the collection and analysis of threat intelligence, to the use of cloud services, business continuity preparation, to physical security monitoring, data deletion, data masking and other aspects. Through the effective implementation of these controls, organizations can better protect sensitive information, reduce potential risks, ensure business sustainability, and remain flexible in the face of various security challenges. Therefore, organizations should pay close attention to these additional measures and incorporate them into their information security management systems to ensure that strong information security protection is maintained in the modern digital environment.