Data security compliance with the ISO/IEC 27001:2022
How Thales solutions help with ISO/IEC 27001 information security, cybersecurity, and privacy protection standard
ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 170 national standards bodies. ISO/IEC 27001 is jointly published by ISO and the International Electrotechnical Commission (IEC) and is the world's best-known standard for information security management systems (ISMS).
The ISO/IEC 27001 standard provides all organizations with guidance for establishing, implementing, maintaining, and continually improving information security management systems. ISO standards are internationally agreed to by cybersecurity experts and are widely recognized globally. ISO certification is available for organizations across all economic sectors (all kinds of services and manufacturing as well as the primary sector; private, public, and non-profit organizations).
Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls.
Regulation Overview
First published in 2005, ISO/IEC 27001 was revised on September 25, 2013, as ISO/IEC 27001:2013, and again on October 25, 2022, as ISO/IEC 27001:2022. Each revision reflects the changing landscape of technology and information security. The biggest change in the 2022 revision is Annex A.
Annex A of ISO/IEC 27001 lists a set of categorized security controls that organizations use to demonstrate compliance with clause 6.1.3 (Information security risk treatment). Compared with ISO/IEC 27002:2013, a total of 24 controls were merged and 58 controls were revised to align with the current cybersecurity and information security environment.
ISO/IEC 27001:2013 | ISO/IEC 27001:2022
---|---
114 controls | 93 controls
ISO/IEC 27001 is an international standard with no penalties for non-compliance. However, ISO/IEC 27001:2022 certification can provide a layer of defense against fines under regulations such as GDPR in the event of a data breach, by showing an organization's good-faith effort to implement information security best practices.
Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls in five domains.
ISO/IEC 27001:2022 Requirements | Thales Solutions
---|---
Classification of Information |
5.12: Classification of Information | CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.
Data Security |
5.3: Segregation of Duties; 5.33: Protection of Records; 5.34: Privacy and Protection of PII; 8.7: Protection against Malware; 8.10: Information Deletion; 8.11: Data Masking; 8.12: Data Leakage Prevention; 8.24: Use of Cryptography | CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, and control in one platform. CipherTrust Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them: Thales Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as a service, and across hybrid environments. Thales High Speed Encryptors (HSEs) provide network-independent data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.
Access Control & Authentication |
5.15: Access Control; 5.17: Authentication Information; 5.18: Access Rights; 6.7: Remote Working; 8.3: Information Access Restriction; 8.4: Access to Source Code; 8.5: Secure Authentication | Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensure the right user is granted access to the right resource at the right time. Thales OneWelcome Consent & Preference Management module enables organizations to gather the consent of end consumers, so that, for example, financial institutions have clear visibility of consented data, allowing them to manage access to the data they are permitted to use. CipherTrust Transparent Encryption encrypts sensitive data, enforces granular privileged-user access management policies, and provides complete separation of roles.
Cloud Security |
5.23: Information security for use of cloud services; 5.30: ICT readiness for business continuity | CipherTrust Cloud Key Manager can reduce third-party cloud security risks by keeping the keys that protect sensitive data hosted by third-party cloud providers on-premises, under the full control of the organization, through "bring your own key" (BYOK) schemes. CipherTrust Transparent Encryption provides complete separation of administrative roles: unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud is not accessible in cleartext to unauthorized users. Thales Data Security solutions offer the most comprehensive range of data protection, such as Thales Data Protection on Demand (DPoD), which provides built-in high availability and backup for its cloud-based Luna Cloud HSM and CipherTrust Key Management services.
Application Security |
8.25: Secure development lifecycle; 8.26: Application security requirements | CipherTrust Platform Community Edition makes it easy for DevSecOps teams to deploy data protection controls in hybrid and multi-cloud applications. CipherTrust Secrets Management is a state-of-the-art secrets management solution that protects and automates access to secrets across DevOps tools and cloud workloads, including credentials, certificates, API keys, and tokens. CipherTrust Application Data Protection offers developer-friendly software tools for encryption key management and application-level encryption of sensitive data, providing the highest level of security at the application layer. Thales Data Protection on Demand (DPoD) is a cloud-based marketplace that offers Luna HSMs and CipherTrust solutions as a service, enabling in-house teams to use these proven and certified data security solutions easily and securely in their own offerings.