Thales BLOG

Ensuring ISO27001 Compliance with Thales CPL Solutions

JUNE 18, 2024

Vivian Lee | Solutions Marketing Manager, APAC, Thales

ISO/IEC 27001:2022, the latest edition of the internationally recognized standard for information security management systems (ISMS), introduces several significant updates and revisions to address the evolving security challenges that worldwide organizations face. 

One of the most significant changes in the standard is the overhaul of Annex A, which now aligns closely with the updates introduced in ISO/IEC 27002:2022 on information security controls, published earlier in the same year. This alignment promotes consistency and coherence between the two standards, driving a more integrated approach to information security management. Moreover, the title of Annex A has been revised to "Information security controls reference," reflecting its purpose more accurately.

Restructuring, Merging Controls

Through merging and restructuring, the total number of controls in Annex A has been cut from 114 to 93, and the controls are now grouped into four categories: Organizational Controls (A.5), People Controls (A.6), Physical Controls (A.7), and Technological Controls (A.8). This restructuring is intended to streamline the control framework and make it easier to use for organizations implementing an ISMS.

Furthermore, ISO/IEC 27001:2022 has introduced 11 new controls to Annex A that address emerging security concerns, including threat intelligence, information security for use of cloud services, ICT readiness for business continuity, information deletion, data masking, data leakage prevention, and secure coding. These additions reflect the evolving threat landscape and the technological changes behind it, keeping the standard relevant and effective for mitigating contemporary security risks.

Compliance with a standard as broad as ISO/IEC 27001:2022 can be challenging, particularly for smaller companies that lack dedicated security and compliance teams. Thales’ solutions can help implement the Standard effectively by addressing five areas of the Annex A information security controls that bear directly on data protection: classification of information, data security, access control and authentication, cloud security, and application security.

Classification of Information

You can’t secure what you don’t know you have. With data sprawl becoming a serious issue, classifying your data is crucial. Accurately identifying and categorizing data allows organizations to determine its storage location and assess its significance.

Annex A control A.5.12 (Classification of information) requires information to be classified according to its confidentiality, integrity and availability needs and the requirements of relevant interested parties. To support this control, the Thales CipherTrust Data Discovery and Classification solution identifies structured and unstructured sensitive data regardless of where it is stored, on-premises or in the cloud. It features built-in templates to enable quick identification of regulated data, pinpoint security risks, and help establish whether compliance gaps exist.

Data Security

Several Annex A controls, in both A.5 (Organizational controls) and A.8 (Technological controls), center on data security. They range from segregation of duties (A.5.3), protection of records (A.5.33) and privacy and protection of PII (A.5.34) to protection against malware (A.8.7), data masking (A.8.11), data leakage prevention (A.8.12) and use of cryptography (A.8.24).

Thales offers an integrated suite of data-centric security products and solutions in its CipherTrust Data Security Platform. This platform unifies data discovery, protection, and control in one platform and provides a host of capabilities for safeguarding data at rest in files, volumes, and databases.

CipherTrust Transparent Encryption provides data-at-rest encryption with centralized key management and privileged user access control across all clouds and within big data and container environments. CipherTrust Tokenization employs dynamic data masking, ensuring the pseudonymization of sensitive information in databases while enabling aggregate data analysis without exposing sensitive information during its analysis or in reports.

CipherTrust Enterprise Key Management centralizes and streamlines key management across cloud and enterprise environments. It also supports crypto-shredding: destroying an encryption key renders every copy of the data encrypted under it permanently unreadable, which is a practical way to delete data that is spread across replicas and backups. This only holds if no plaintext or exported copy of the key survives elsewhere, so key destruction should be logged and verified like any other deletion.
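The mechanism behind crypto-shredding, as an added illustration that is not Thales code and not a description of how CipherTrust Enterprise Key Management is implemented: a hypothetical in-memory KeyStore stands in for the external key manager, records are encrypted under a data-encryption key (DEK) that is itself wrapped by a key-encryption key (KEK) that never leaves the store, and deleting the wrapped DEK leaves the ciphertext (which may still sit in backups) unreadable. The type and function names, the key ID and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore is a hypothetical in-memory stand-in for an external key manager: a
// key-encryption key (KEK) that never leaves it, plus DEKs held only KEK-wrapped.
type KeyStore struct {
	kek  []byte
	deks map[string][]byte // key ID -> wrapped data-encryption key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable here
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes by construction
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts with AES-256-GCM, binding aad; the random nonce is prepended.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; it fails on a wrong key, wrong aad or tampering.
func unseal(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// CreateDEK generates a fresh DEK and keeps only its KEK-wrapped form.
func (ks *KeyStore) CreateDEK(id string) {
	ks.deks[id] = seal(ks.kek, randomBytes(32), []byte(id))
}

// UnwrapDEK releases the plaintext DEK for one operation; fails once destroyed.
func (ks *KeyStore) UnwrapDEK(id string) ([]byte, error) {
	wrapped, ok := ks.deks[id]
	if !ok {
		return nil, fmt.Errorf("key %q not found: destroyed or never created", id)
	}
	return unseal(ks.kek, wrapped, []byte(id))
}

// DestroyDEK is the crypto-shredding step: every record under this DEK is now unrecoverable.
func (ks *KeyStore) DestroyDEK(id string) {
	delete(ks.deks, id)
}

// DecryptRecord is the application side: the DEK is borrowed per call, never stored.
func DecryptRecord(ks *KeyStore, keyID string, blob []byte) ([]byte, error) {
	dek, err := ks.UnwrapDEK(keyID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, blob, []byte(keyID))
}

// ShredDemo encrypts a constructed record, destroys its DEK and reports readability before/after.
func ShredDemo() (readableBefore, readableAfter bool) {
	const keyID = "customer-db-dek-1"
	record := []byte("constructed sample record: Jane Doe, account 1234")
	ks := &KeyStore{kek: randomBytes(32), deks: map[string][]byte{}}
	ks.CreateDEK(keyID)
	dek, err := ks.UnwrapDEK(keyID)
	if err != nil {
		panic(err)
	}
	blob := seal(dek, record, []byte(keyID)) // ciphertext stays with the data (and in backups)
	pt, err := DecryptRecord(ks, keyID, blob)
	readableBefore = err == nil && string(pt) == string(record)
	ks.DestroyDEK(keyID)
	_, err = DecryptRecord(ks, keyID, blob) // must fail: no key, no plaintext
	readableAfter = err == nil
	return readableBefore, readableAfter
}

func main() {
	before, after := ShredDemo()
	fmt.Printf("readable before shred: %v, after shred: %v\n", before, after)
}
```

Running it prints `readable before shred: true, after shred: false`. Two design points carry over to a real key manager: the key ID is bound into the AEAD as associated data, so a ciphertext cannot be silently re-pointed at a different key, and the application only ever borrows the DEK for a single call, so there is no second copy to hunt down when the key is destroyed. In production the KEK itself would live in an HSM or external key manager, and destroying a DEK must also cover the key manager's own backups of the wrapped key.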

Ransomware protection comes from CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP). This tool monitors processes for abnormal I/O activity and alerts on, or blocks, the offending process before ransomware can encrypt data across a business’s endpoints and servers.

Access Control & Authentication

Authentication systems protect user data and ensure secure access, particularly for today’s distributed workforces. Several Annex A controls in A.5, A.6 (People controls) and A.8 deal with managing access to sensitive data, including access control (A.5.15), identity management (A.5.16), authentication information (A.5.17), remote working (A.6.7), privileged access rights (A.8.2), information access restriction (A.8.3) and secure authentication (A.8.5).

Thales OneWelcome offers identity and access management solutions that restrict the access of both internal and external users according to their roles and context. Backed by multi-factor authentication (MFA), fine-grained access policies and explicit authorization rules, it ensures that the right users gain access to the right resources when they need them, and no more.

In addition, Thales OneWelcome Consent & Preference Management allows organizations to collect and use personal data only on the basis of the consent the user has given. For instance, a financial institution can see exactly which data each customer has consented to share and restrict access accordingly. CipherTrust Transparent Encryption complements this with a separation of duties between system administrators and data owners: privileged accounts can still manage files, volumes and backups, but granular privileged-user access policies keep them from reading the cleartext.

Cloud Security

For the cloud environments that characterize modern businesses, Annex A controls A.5.23 (Information security for use of cloud services) and A.5.30 (ICT readiness for business continuity) apply.

CipherTrust Cloud Key Manager enables organizations to enforce a separation of duties between themselves and their cloud service provider (CSP) by generating and storing encryption keys outside the cloud that holds the data, so the CSP alone cannot decrypt it. Organizations can then apply risk-appropriate key management controls and workload protection based on the sensitivity of the data and their compliance mandates. Keeping control of the keys is also a strong step toward data sovereignty.

Application Security

Application security has become crucial because it protects sensitive data, prevents unauthorized access, and ensures the reliability and integrity of software systems. Annex A controls A.8.25 (Secure development life cycle) and A.8.26 (Application security requirements), together with A.8.28 (Secure coding), deal with building security into applications from the start.

DevSecOps teams can quickly deploy data protection controls in hybrid and multi-cloud applications with CipherTrust Platform Community Edition. CipherTrust Secrets Management protects, and automates access to, secrets across DevOps tools and cloud workloads: credentials, certificates, API keys and tokens, so they never need to be hard-coded or checked into repositories.

CipherTrust Application Data Protection provides developer-friendly tools for encryption key management and application-level encryption, so sensitive fields are encrypted inside the application before they reach storage rather than relying solely on storage-layer controls.

Leave Complexity Behind

Compliance with ISO/IEC 27001:2022 is essential to safeguard sensitive information, maintain trust with stakeholders, and mitigate the risks of data breaches and regulatory penalties.

If your company is facing challenges with ISO/IEC 27001:2022 compliance, Thales offers solutions that address the five control areas outlined above. They are designed to simplify implementation so that even smaller businesses can put the controls in place effectively.

For more information, you can also watch our on-demand webinar, "Keep up with ISO 27001:2022 to Strengthen Your Cyber Resilience".