What are the 11 new ISO 27001 Controls?

iema_iemlabs
3 min read · Apr 11, 2024

ISO 27001 is the internationally recognized standard for information security management systems. It is revised periodically to reflect the changing landscape of cyber security threats. The most recent revision, published in 2022, added eleven new controls. Learn about these new controls and why they matter for enterprises seeking ISO 27001 compliance.

5.7: Threat Intelligence

This control stresses the need to collect and analyze data on information security threats. By gathering threat intelligence, organizations can obtain useful insights that inform both their preventive and their reactive activities.

Staff must be trained to recognize and respond to threats effectively. CybeReady and other training platforms can help employees understand how to improve the effectiveness of ISO 27001 controls.

5.23: Information Security for Use of Cloud Services

As enterprises become more reliant on cloud services, it is critical to have secure processes for acquiring, using, managing, and exiting them. Because an organization has no direct physical control over data held in the cloud, user training and strict policies are essential for preserving data integrity.

5.30: Maintaining Information and Communications Technology (ICT)

This control stresses the importance of safe and reliable ICT systems so that communications and functionality can be sustained during disruptive cyber attacks. Adequate planning, hardware, and training are required to ensure continuity.

7.4: Monitoring physical security

While cyber-attacks are primarily conducted online, physical security is equally vital. Cameras, alarm systems, and security patrols can help to improve physical security.

8.9: Management of configuration

To avoid configuration drift and unauthorized changes, businesses must define suitable security configurations for their technology assets and monitor them on a regular basis. Thorough documentation of the configuration baseline and of the review process is required.

8.10: Deletion of unnecessary information

The objective of this control is to establish data retention policies and to securely delete stored data once it is no longer needed. Sensitive data that no longer serves a business requirement should not be retained. User training should include guidelines on when and how to safely delete unnecessary records.

8.11: Use of data masking

Data masking measures, such as encryption or anonymization, should be used wherever possible, especially during the development and testing stages. This control stresses the significance of training employees in data masking techniques and the scenarios in which they apply.

8.12: Data Leakage Protection

The primary goal of this control is to reduce data leakage during storage, transport, and processing. Policies and technical measures should be implemented to decrease the risk of leakage, and users should be instructed on best practices for handling data responsibly.

8.16: Monitoring Activities

Continuous monitoring of networks, software applications, and technological assets is required to detect suspicious activity. Users should be aware of the systems and activities being monitored.

8.23: Web Filtering

Limiting access to external websites is crucial to reduce risky user behavior. Communicating policies and expectations to users is important, as is training them to identify potentially dangerous sites that the web filter does not intercept.

8.28: Secure Coding

This control stresses the adoption of secure coding practices by in-house software developers. To support secure coding, it is critical to maintain a secure development environment, establish steps to prevent unauthorized source code changes, thoroughly record changes, and provide developers with the required training.

Businesses should be aware of these new controls and implement them to improve their data protection practices.


IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company. We are also a proud member of EC-Council, NASSCOM, and the Data Security Council of India.