What are the 11 new security controls in ISO 27001:2022?
Some of these new controls are very similar to the old controls from the 2013 revision; however, since these controls were classified as new in ISO 27002:2022, all 11 have been listed in this article.
The guidelines of ISO 27002:2022 were used as the main source. To comply with ISO 27001, it is not mandatory to follow the ISO 27002 guidelines, which means that the suggestions in this article are optional.
Finally, note that these controls are not mandatory: ISO 27001 allows you to exclude a control if (1) you did not identify any related risks and (2) there are no legal/regulatory/contractual requirements to implement that particular control.
Each control in this article has an overview of requirements, technology, people, and documentation. So, let’s go over the 11 controls in more detail.
A.5.7 Threat intelligence
Description. This control requires you to collect information about threats and analyze it in order to take appropriate mitigation measures. This information could be about particular attacks, about methods and technologies used by attackers and/or about attack trends. You must collect this information internally, as well as from external sources such as reports from vendors, announcements from government agencies, etc.
Technology. Smaller businesses probably don’t need any new technology related to this control; rather, they will have to find out how to extract threat information from their existing systems. Larger companies that do not yet have one will need to purchase a system that alerts them about new threats (as well as about vulnerabilities and incidents). Companies of any size will need to use threat intelligence to strengthen their systems.
Organization/processes. You should establish processes for how to collect and use threat intelligence to introduce preventive controls into your IT systems, improve your risk assessment and introduce new methods to
People. Make employees aware of the importance of reporting threats and train them on how and to whom threats should be communicated.
Documentation. ISO 27001 does not require documentation, however you can include rules on threat intelligence in the following documents:
- Vendor Security Policy: defines how information about threats is communicated between the company and its suppliers and partners.
- Incident management procedure: defines how information about threats is communicated internally within the company.
- Security Operating Procedures: define how to collect and process threat information.
A.5.23 Information security for the use of cloud services
Description. This control requires you to establish security requirements for cloud services in order to better protect your information in the cloud. This includes the purchase, use, management and termination of use of cloud services.
Technology. In most cases, new technology will not be needed, because most cloud services already have security features. In some cases, you may need to upgrade your service to a more secure tier, while in some exceptional cases you will have to change cloud provider if the current one does not offer the security features you need. For the most part, the only change required will be to use the existing cloud security features more thoroughly.
Organization/processes. You must set up a process to determine the security requirements for cloud services and the criteria for selecting a cloud provider; in addition, you must define a process for determining acceptable use of the cloud, as well as the security requirements for terminating the use of a cloud service.
People. Educate employees about the security risks of using cloud services and train them on how to use the security features of cloud services.
Documentation. ISO 27001 does not require documentation, however if you are a smaller company you can include rules about cloud services in the Vendor Security Policy. Larger companies could develop a separate policy that specifically focuses on the security of cloud services.
A.5.30 ICT readiness for business continuity
Description. This control requires that your information and communication technology (ICT) is ready for possible interruptions, so that the information and necessary assets are available when needed. This includes preparation, planning, deployment, maintenance, and testing.
Technology. If you haven’t invested in solutions that enable resiliency and redundancy of your systems, you may need to introduce such technology, which may vary from data backup to redundant communication links. These solutions should be planned based on your risk assessment and the speed.
A.7.4 Physical security supervision
Description. This control requires you to monitor sensitive areas to allow only authorized people to access them. This could include your offices, production facilities, warehouses, and other facilities.
Technology. Depending on your risks, you may need to implement alarm systems or video monitoring; you may also decide to implement a non-technological solution such as a person observing the area (for example, a guard).
Organization/processes. You must define who is in charge of monitoring sensitive areas and which communication channels to use to report an incident.
People. Make employees aware of the risks of unauthorized physical entry into sensitive areas and train them on how to use monitoring technology.
Documentation. ISO 27001 does not require documentation, however you can include physical security monitoring in the following documents:
- Procedures that regulate physical security: what is monitored and who is in charge of monitoring.
- Incident management procedure: how to report and handle a physical security incident.
A.8.9 Configuration management
Description. This control requires you to manage the entire lifecycle of the security configuration of your technology to ensure an adequate level of security and prevent unauthorized changes. This includes configuration definition, implementation, monitoring, and review.
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without additional tools, while larger companies will probably need software that enforces the defined configurations.
Organization/processes. You must set up a process for proposing, reviewing, and approving security configurations, as well as processes for managing and monitoring configurations.
People. Educate employees on why tight control of security settings is necessary and train them on how to define and implement security settings.
Documentation. ISO 27001 requires that this control be documented. If you are a small business, you can document the configuration rules in your Security Operating Procedures. Larger companies often have a separate procedure that defines the configuration management process.
Typically, you will have separate specifications that define the security settings for each of your systems, in order to avoid frequent updates to the documents mentioned in the previous paragraph. Additionally, all configuration changes must be logged to enable an audit trail.
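A baseline drift check with an audit trail, as an added example of the monitoring and logging this control asks for (it is not from the article or from any ISO text; the baseline, the observed settings and the host name are constructed for illustration):

```python
"""Baseline drift check for A.8.9 configuration management (added example).
It compares an approved security configuration baseline against the settings
actually observed on a system and records every deviation as a JSON audit-trail
line. Baseline, observed settings and host name are constructed samples."""
import json
from datetime import datetime, timezone

# Approved baseline: the reviewed and approved security settings (constructed)
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.2",
    "logging.Remote": "yes",
}

# Settings observed on a host (constructed sample; logging.Remote is missing)
OBSERVED = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.2",
}


def find_drift(baseline, observed):
    """Return {setting: (expected, actual)} for every baseline setting that is
    missing or differs; actual is None when the setting is absent."""
    return {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}


def audit_entry(host, setting, expected, actual, actor, ticket):
    """Build one audit-trail record (JSON line) so the deviation, who found it
    and the related approval ticket (if any) stay traceable."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "host": host,
        "setting": setting,
        "expected": expected,
        "actual": actual,
        "actor": actor,
        "change_ticket": ticket,  # reference to the approval record, if known
        "status": "DRIFT" if actual != expected else "COMPLIANT",
    })


def check_host(host, baseline, observed, actor="config-scanner", ticket=None):
    """Return the audit-trail lines for every drifted setting on the host."""
    drift = find_drift(baseline, observed)
    return [audit_entry(host, k, exp, act, actor, ticket) for k, (exp, act) in drift.items()]


if __name__ == "__main__":
    for line in check_host("web-01", BASELINE, OBSERVED):
        print(line)
```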
A.8.10 Deletion of information
Description. This control requires you to delete data when it is no longer needed, to prevent the leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion from your IT systems such as hard drives, from removable media such as USB drives, or from cloud services.
Technology. You should use tools for secure deletion, according to regulatory or contractual requirements, or according to your risk assessment.
Organization/processes. You must set up a process that will define what data should be deleted and when, and define the responsibilities and methods for deletion.
People. Educate employees on why it’s important to delete sensitive information and train them on how to do it correctly.
Documentation. ISO 27001 does not require documentation, however you can include rules on deletion of information in the following documents:
- Deletion and Destruction Policy: how information on removable media is disposed of.
- Acceptable Use Policy: how regular users should delete sensitive information on their computers and mobile devices.
- Security Operating Procedures: how system administrators should remove sensitive information on servers and networks.
Larger organizations may also have a data retention policy that defines how long each type of information is needed and when it must be deleted.
A.8.11 Data masking
Description. This control requires that you use data masking in conjunction with access control to limit the exposure of sensitive information. This mainly means personal data, because it is heavily regulated by privacy regulations, but it could also include other categories of sensitive data.
Technology. Companies may use pseudonymization or anonymization tools to mask data if required by privacy or other regulations. Other methods such as encryption or obfuscation can also be used.
Organization/processes. You must set up processes that determine what data should be masked, who can access what type of data, and what methods will be used to mask the data.
People. Inform employees why it is important to mask data and train them on what data should be masked and how.
Documentation. ISO 27001 does not require documentation, however you can include rules on data masking in the following documents:
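Role-aware masking with pseudonymized identifiers, as an added example of using masking together with access control as this control describes (it is not from the article; the key, the role table, the field names and the sample record are constructed):

```python
"""Role-aware data masking for A.8.11 (added example). Identifiers are
pseudonymized with a keyed HMAC so records stay linkable without exposing the
original value; other personal fields are partially masked unless the
requesting role is cleared to see them. Key, roles and record are constructed."""
import hmac
import hashlib

# Constructed secret; in practice held in a key store and rotated, never in code
PSEUDO_KEY = b"constructed-demo-key-rotate-me"

# Access control decision: which roles may see which fields unmasked (constructed)
ROLE_CLEAR_FIELDS = {
    "support": {"customer_id"},
    "dpo": {"customer_id", "email", "phone"},
    "analyst": set(),
}


def pseudonymize(value: str) -> str:
    """Deterministic pseudonym: same input gives the same token, not reversible without the key."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain so support can still recognise the provider."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain if domain else "***"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits."""
    return "*" * (len(phone) - 2) + phone[-2:]


MASKERS = {"customer_id": pseudonymize, "email": mask_email, "phone": mask_phone}


def mask_record(record: dict, role: str) -> dict:
    """Return a copy of record with each sensitive field masked unless the role is cleared for it.
    Unknown roles get nothing unmasked (default deny)."""
    cleared = ROLE_CLEAR_FIELDS.get(role, set())
    return {f: (MASKERS[f](v) if f in MASKERS and f not in cleared else v) for f, v in record.items()}


if __name__ == "__main__":
    sample = {"customer_id": "C-1042", "email": "jane.doe@example.org", "phone": "+15550101", "plan": "gold"}
    for role in ("analyst", "support", "dpo"):
        print(role, mask_record(sample, role))
```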
A.8.23 Web Filtering
Description. This control requires you to manage which websites your users access in order to protect your IT systems. In this way, you can prevent your systems from being compromised by malicious code and also prevent users from accessing illegal material on the Internet.
Technology. You could use tools that block access to particular IP addresses or websites, which could include the use of anti-malware software. You can also use non-technological methods such as developing a list of prohibited websites and asking users not to visit them.
Organization/processes. You must set up processes that determine what types of websites are not allowed and how web filtering tools are maintained.
People. Inform employees about the dangers of using the Internet and where to find guidelines for safe use, and train your system administrators on how to perform web filtering.
Documentation. ISO 27001 does not require documentation, however if you are a smaller company you can include rules about web filtering in the following documents:
- Security Operating Procedures: define rules for system administrators on how to implement web filtering.
- Acceptable Use Policy: define rules for all users about what is acceptable use of the Internet.
Larger companies could develop a separate procedure that describes how web filtering is performed.
A.8.28 Secure coding
Description. This control requires you to establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in software. This could include activities before, during, and after coding.
Organization/processes. You must establish a process for defining the minimum secure coding baseline, both for internal software development and for third-party software components, a process for monitoring emerging threats and advising on secure coding, a process for deciding which tools and libraries can be used, and a process that defines the activities performed before coding, during coding, after coding (revision and maintenance) and for software modification.
People. Make your software developers aware of the importance of using secure coding principles and train them on methods and tools for secure coding.
Documentation. ISO 27001 does not require documentation, however if you are a smaller company you can include rules on secure coding in the Secure Development Policy. Larger companies may develop separate procedures for secure coding for each of their software development projects.