The 2022 revision of ISO/IEC 27001 brings a sharper focus on proactive and resilient cybersecurity controls, including requirements around pseudonymization, encryption, and advanced monitoring. With certification to the 2013 version ending soon, organizations need to act fast.
This blog breaks down the new control areas introduced in the updated framework and explains how modern security solutions can help you address them, supporting compliance while strengthening your overall security posture. Learn how to embed privacy-by-design and intelligent threat detection using proven, integrated approaches.
11 New Security Controls
ISO 27001:2022 introduces 11 new controls, all within Annex A, the part of the standard that lists its 93 security controls (82 of which are carried over from the 2013 version). The 11 new controls are as follows:
- 5.23 – Information security for use of cloud services
- 5.30 – ICT readiness for business continuity
- 5.7 – Threat intelligence
- 7.4 – Physical security monitoring
- 8.9 – Configuration management
- 8.10 – Information deletion
- 8.11 – Data masking
- 8.12 – Data leakage prevention
- 8.16 – Monitoring activities
- 8.23 – Web filtering
- 8.28 – Secure coding
Organizations hoping to comply with the international security standard have until October 31st, 2025 to implement this batch of new security controls, and until July 31st, 2025 to complete their transition audit. The task can be overwhelming, especially once teams move out of the planning stage and into implementation. Thankfully, many cybersecurity platforms offer a host of ready-made solutions that help certification hopefuls hit the ground running and meet compliance requirements without burning out.
Let’s look at the focus of the new requirements, then at how holistic security strategies can help.
A New Emphasis on Monitoring, Cloud Security, and Data Protection
These three big-bucket categories – monitoring, cloud security, and data protection – summarize the intent of the six new controls that comprehensive cybersecurity solutions address.
Monitoring
Monitoring (8.16), and by extension threat intelligence (5.7), require ISO 27001:2022 candidates to assess on a periodic basis both the risks within their environment (internal systems) and those outside it (the broader threat landscape).
To this end, robust data protection platforms provide companies with the ability to identify vulnerabilities and outside threats, monitor data access and activity, and rapidly apply zero-trust principles to data protection at scale. Data is protected where it resides, from databases to containerized environments, and compliance is simplified through security controls, long-term retention of audit records, separation of duties, and more.
In addition, comprehensive application security suites allow security teams to cover additional ground, preventing web-based attacks with a web application firewall (WAF) and offering a complete web application and API protection (WAAP) solution that protects against DDoS attacks, mitigates advanced automated attacks, and discovers, classifies, and protects APIs.
Cloud Security
The line between the security responsibilities of Cloud Service Providers (CSPs) and those of cloud service customers is often unclear. The new ISO 27001 standard advises that companies get clear on where those responsibilities lie.
Under ISO 27001:2022 Control 5.23, Information security for use of cloud services, organizations must identify cloud threats (as they pertain to both the organization and the CSP) and then apply information security principles to address those threats. The control advocates a topic-specific approach: cloud services policies are not applied as a one-size-fits-all blanket, but are tailored to individual business functions.
End-to-end cloud data security platforms enable organizations to unify capabilities across discovery, classification, key and secrets management, and more. By consolidating these functions, such platforms eliminate the confusion of multiple tools and telemetry silos, giving organizations the visibility, control, and responsiveness they need to meet their shared-responsibility obligations and ISO 27001:2022 mandates.
Data Protection
Data security mechanisms are often seen as a last line of defense, a final wall between attackers and the information they seek. The updated ISO 27001 requirements – Controls 8.10, 8.11, and 8.12 – mandate data security in a number of different forms: data deletion, data masking, and data leakage prevention.
By removing data the company no longer needs (old customer payment information, for example) and obfuscating sensitive fields that are not necessary for day-to-day business (SSNs on employee onboarding forms, for instance), organizations ensure that even a cybercriminal who reaches the source finds nothing of value to steal. Teams can prevent data loss with solutions like classification and encryption, while strict identity and access management (IAM) policies, from MFA to passwordless authentication, further harden an organization's Information Security Management System (ISMS) against data leakage.
However, as the attack surface widens, data-centric security platforms provide an additional layer of defense that goes beyond traditional enterprise security approaches to place security controls on the data itself. Now, teams can further ensure compliance with the ability to protect data of any source and type, across any environment (multi-cloud, hybrid, on-premises), and across structured, unstructured, and semi-structured data stores.
Enabling Scalable Compliance for the Future
These solutions help organizations maintain compliance with a number of industry-leading certifications, from SOC 2 to CSA STAR to ISO 27001:2022. Adhering to the new ISO 27001 requirements by the October deadline is a necessary next step, but beginning a compliance partnership with a trusted security vendor lays a foundation for scalable compliance for years to come, in this and other frameworks.
As threats change, cybersecurity responses do, too. Modern, automated, and scalable solutions will help future-proof your security strategy no matter what the latest requirement.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.