Security certifications are increasingly important in today’s business environment. Customers want assurances that the information they share with vendors will be kept safe. Business partners are more aware of supply chain weaknesses and no longer accept claims of security practices without evidence. ISO 27001 is the “gold standard” that cyber security companies look for when building business relationships, as a hallmark of good security practices.
There are several standards with which organizations can choose to comply. Among the broadest and most respected is ISO 27001. This is the international standard for information security produced by the International Organization for Standardization (ISO); “an independent, non-governmental international organization with a membership of 167 national standards bodies.”
ISO 27001 provides the privacy and security requirements for an organization’s Information Security Management System (ISMS). A companion document, ISO 27002, acts as a “how to” guide to implementing ISO 27001 and provides best-practice guidance on applying the controls listed in Annex A of ISO 27001.
As one would expect, the standard is updated periodically as technology and the threat landscape evolve. The latest revision, ISO 27001:2022, was released in October and included a new requirement to prevent “data leakage”. Annex A 8.12: Data leakage prevention states:
“Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.”
To be clear, the need to protect sensitive data from unauthorized leakage was always implicit in earlier versions of the standard. Among other requirements, organizations seeking certification needed to classify data, protect information shared through electronic messaging, and protect the confidentiality and security of personally identifiable information. These are all provided by DLP solutions like Reveal.
The newest release now makes the requirement explicit. The Control type lists two requirements to meet certification:
The guidance for data leakage prevention is specific and requires organizations to monitor many exfiltration channels supported by Reveal, including:
Further, Reveal works in a user-friendly manner. Incident-based training allows organizations to train their employees to make the right decisions. On detection of unacceptable behavior, Reveal reinforces corporate security policies. A pop-up will remind the user that the attempted action puts data at risk. It can even require the user to acknowledge the policy, or display the policy, to promote good cyber hygiene. Security teams can easily view all policy violations in a single pane of glass, and a human-centric approach highlights users with a high risk score to allow for easier prioritization.
Reveal uses a lightweight endpoint agent to continuously monitor all endpoints. It uses AI and machine learning to learn, in real time, how data is used on the endpoint. Agents roll out in five minutes and begin collecting data and enforcing policies immediately.
Because the agent is on the endpoint, it detects and mitigates threats on and off the corporate network. It can warn users or halt suspicious activity by isolating devices from the network, locking out user sessions, blocking uploads, and killing processes to protect your organization.
If your organization is working to meet the latest ISO 27001:2022 requirements, we can help.
ISO 27001:2022 received several changes, including:
First, conduct a gap analysis to identify the differences between your current practices and the new requirements. Then, align risk assessment processes with ISO 31000 and identify new risks based on updated controls.
Update your Information Security Management System (ISMS) documentation with the latest controls and integrate them into your other security processes. Then, it's critical to train employees on these new policies and conduct internal audits to ensure you made all the proper changes.
ISO 27001:2022 gives organizations a more holistic approach to information security, from physical security to technological measures. ISO 27001:2022 has updated controls for cloud security and improved risk mitigation compared to previous versions. Its simplified guidelines also make it easier to maintain your ISMS.
Adopting the ISO 27001:2022 standards gives organizations better protection against security threats, improves customer trust, streamlines operational efficiency, and supports compliance. The bottom line is that it reduces costs, preserves your reputation, and gives you a competitive advantage.