What to Know About Changes to ISO 27001:2022

Written by Katie Crowell | Dec 2, 2022 10:36:00 AM

Security certifications are increasingly important in today’s business environment. Customers want assurances that the information they share with vendors will be kept safe. Business partners are more aware of supply chain weaknesses and no longer accept claims of security practices without evidence. ISO 27001 is the “gold standard” that companies look for in cyber security when building business relationships, as a hallmark of good security practices.

There are several standards with which organizations can choose to comply. Among the broadest and most respected is ISO 27001. This is the international standard for information security produced by the International Organization for Standardization (ISO), “an independent, non-governmental international organization with a membership of 167 national standards bodies.”

ISO 27001 provides the privacy and security requirements for an organization’s Information Security Management System (ISMS). A companion document, ISO 27002, acts as a “how to” guide to implementing ISO 27001 and provides best-practice guidance on applying the controls listed in Annex A of ISO 27001.

Data Leakage Protection

As one would expect, the standard is updated periodically as technology and the threat landscape evolve. The latest revision, ISO 27001:2022, was released in October and included a new requirement to prevent “data leakage”. Annex A 8.12: Data leakage prevention states:

“Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.”

To be clear, the need to protect sensitive data from unauthorized leakage was always implicit in earlier versions of the standard. Among other requirements, organizations seeking certification needed to classify data, protect information shared through electronic messaging, and protect the confidentiality and security of personally identifiable information. These are all provided by DLP solutions like Reveal.

The newest release now makes the requirement explicit. The Control type attribute for this control lists two values, both of which an implementation must satisfy to meet certification:

  • #Preventive – This indicates the control should stop an incident from occurring. In other words, use techniques that identify attacks in progress, prior to exfiltration of sensitive data.
  • #Detective – Recognizing that no solution is perfect, this requires organizations to be aware of, and able to investigate, any incidents that do occur.

Annex A 8.12 Guidance

The guidance for data leakage prevention is specific and requires organizations to monitor many exfiltration channels supported by Reveal, including:

  • Email – Real time classification of email attachments, including browser-based email sites.
  • Portable storage devices – Prevents movement of sensitive information to USB devices unless the user is authorized and the device has been explicitly approved by the organization.
  • SaaS applications – Monitors data as it is used to prevent movement to unauthorized applications, including O365 and Google Workspace.
  • Untrusted third-party cloud services – Monitors data as it is used to prevent movement to unauthorized applications including Box, Dropbox, and others.
  • Screenshots and copy/paste of sensitive information – Reveal can clear a clipboard containing sensitive information whether from or to an email, messaging apps, document, spreadsheet, or other format. 
  • Printing – Reveal supports print control and can prevent printing other than by authorized users on authorized devices.
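To make the two control types and the per-channel guidance concrete, here is a toy DLP policy engine. It is an added example written for this post, not Reveal's code or Next DLP's design: it classifies content with two simple detectors (an SSN pattern and a Luhn-checked card-number pattern), then applies either a preventive outcome (block, or clear the clipboard) or a detective outcome (allow but record) depending on the channel, whether the user is authorized, and whether the destination device or application is approved. The approved device ids, printer names, SaaS hosts, internal mail domain and user lists are constructed assumptions.

```python
"""Toy DLP policy engine: classify content, then apply a preventive
(block / clear clipboard) or detective (allow but record) control per
exfiltration channel. Constructed example; not Next DLP's Reveal code."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed organisational policy (assumed values, not from the post).
APPROVED_USB_DEVICES = {"usb-serial-0042"}
APPROVED_PRINTERS = {"hq-printer-1"}
APPROVED_APPS = {"outlook.office.com", "drive.google.com"}  # sanctioned SaaS hosts
INTERNAL_DOMAINS = {"example.com"}                          # mail that stays inside
AUTHORIZED_USERS = {"usb": {"alice"}, "print": {"alice", "bob"}}

# Content classification: two common sensitive-data detectors.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digit card-like runs


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the sensitivity labels found in text (empty set if none)."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("SSN")
    if any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text)):
        labels.add("PAN")
    return labels


@dataclass(frozen=True)
class Event:
    channel: str           # email | usb | saas | cloud | clipboard | print
    user: str
    content: str           # text of the attachment, file, or clipboard
    destination: str = ""  # recipient domain, device id, app host, or printer


@dataclass
class Decision:
    action: str            # allow | allow_and_log | block | clear_clipboard
    control_type: str      # preventive | detective | none
    reason: str
    coach_message: str = ""  # pop-up shown to the user when an action is stopped


AUDIT_LOG: list[dict] = []  # the detective record the security team reviews


def _gate(ok: bool, reason: str) -> Decision:
    """Authorised moves are allowed but recorded; everything else is blocked."""
    if ok:
        return Decision("allow_and_log", "detective", reason)
    return Decision("block", "preventive", reason)


def decide(ev: Event) -> Decision:
    """Apply the channel policy to one event and append it to the audit log."""
    labels = classify(ev.content)
    if not labels:
        return Decision("allow", "none", "no sensitive content detected")
    kind = ",".join(sorted(labels))
    users = AUTHORIZED_USERS.get(ev.channel, set())
    if ev.channel == "clipboard":
        d = Decision("clear_clipboard", "preventive", f"{kind} copied to clipboard")
    elif ev.channel == "usb":
        d = _gate(ev.user in users and ev.destination in APPROVED_USB_DEVICES,
                  f"{kind} to USB device {ev.destination}")
    elif ev.channel == "print":
        d = _gate(ev.user in users and ev.destination in APPROVED_PRINTERS,
                  f"{kind} to printer {ev.destination}")
    elif ev.channel in ("saas", "cloud"):
        d = _gate(ev.destination in APPROVED_APPS, f"{kind} to {ev.destination}")
    elif ev.channel == "email":
        d = _gate(ev.destination in INTERNAL_DOMAINS, f"{kind} emailed to {ev.destination}")
    else:
        d = Decision("block", "preventive", f"{kind} over unknown channel {ev.channel}")
    if d.control_type == "preventive":
        d.coach_message = (f"This action puts {kind} data at risk and was stopped. "
                           "Acknowledge the data handling policy to continue.")
    AUDIT_LOG.append({"user": ev.user, "channel": ev.channel,
                      "labels": kind, "action": d.action, "reason": d.reason})
    return d


if __name__ == "__main__":
    # Constructed sample events, one per channel from the guidance above.
    samples = [
        Event("email", "alice", "Invoice, card 4111 1111 1111 1111", "partner.example.net"),
        Event("usb", "alice", "SSN 123-45-6789", "usb-serial-0042"),
        Event("usb", "bob", "SSN 123-45-6789", "usb-serial-9999"),
        Event("cloud", "bob", "4111-1111-1111-1111", "dropbox.com"),
        Event("clipboard", "bob", "123-45-6789"),
        Event("print", "carol", "order 4111 1111 1111 1112", "hq-printer-1"),
    ]
    for ev in samples:
        d = decide(ev)
        print(f"{ev.channel:<9} {ev.user:<6} -> {d.action:<15} [{d.control_type}] {d.reason}")
```

The two control types map directly onto the outcomes: a `block` or `clear_clipboard` decision is the preventive control, while every decision on sensitive content (including allowed ones) lands in `AUDIT_LOG`, which is the detective control that lets the team investigate incidents after the fact. The Luhn check matters in practice: without it, any 16-digit order or tracking number would be treated as a card number and generate noise that trains users to ignore the pop-up.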

Further, Reveal works in a user-friendly manner. Incident-based training allows organizations to train their employees to make the right decisions. On detection of unacceptable behavior, Reveal reinforces corporate security policies. A pop-up will remind the user that the attempted action puts data at risk. It can even require the user to acknowledge the policy, or display the policy, to promote good cyber hygiene. Security teams can easily view all policy violations in a single pane of glass, and a human-centric approach highlights users with a high risk score to allow for easier prioritization.

How Reveal Works

Reveal uses a lightweight endpoint agent to continuously monitor all endpoints. It uses AI and machine learning to learn, in real time, how data is used on the endpoint. Agents roll out in five minutes and begin collecting data and enforcing policies immediately.

Because the agent is on the endpoint, it detects and mitigates threats on and off the corporate network. It can warn users or halt suspicious activity by isolating devices from the network, locking out user sessions, blocking uploads, and killing processes to protect your organization.

If your organization is working to meet the latest ISO 27001:2022 requirements, we can help.

Frequently asked questions

What are the key changes in ISO 27001:2022?

ISO 27001:2022 received several changes, including: 

  • Updated annex A controls: The number of controls has been reduced and reorganized into four new themes: People, Organizational, Technological, and Physical.
  • Integration with ISO 31000: ISO 27001:2022 has better alignment with ISO 31000 to improve risk management processes.
  • New control additions: The update introduced new controls for data masking, monitoring activities, and secure coding.
  • Simplification: The new ISO 27001:2022 has a streamlined structure to make the standard more accessible and easier to implement.
  • Emphasis on cloud security: The updated version now includes guidelines for cloud security to address the growing use of cloud services.

What steps should organizations take to comply with ISO 27001:2022?

First, conduct a gap analysis to identify the differences between your current practices and the new requirements. Then, align risk assessment processes with ISO 31000 and identify new risks based on updated controls. 

Update your Information Security Management System (ISMS) documentation with the latest controls and integrate them into your other security processes. Then, it's critical to train employees on these new policies and conduct internal audits to ensure you made all the proper changes. 

How does ISO 27001:2022 improve information security management?

ISO 27001:2022 gives organizations a more holistic approach to information security, from physical security to technological measures. ISO 27001:2022 has updated controls for cloud security and improved risk mitigation compared to previous versions. Its simplified guidelines also make it easier to maintain your ISMS. 

What are the benefits of adopting ISO 27001:2022 standards?

Adopting the ISO 27001:2022 standards gives organizations better protection against security threats, improves customer trust, streamlines operational efficiency, and supports compliance. The bottom line is that it reduces costs, preserves your reputation, and gives you a competitive advantage.