What is the ISO/IEC 27001:2022 Standard?
ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 170 national standards bodies. ISO/IEC 27001 is jointly published by ISO and the International Electrotechnical Commission (IEC) and is the world’s best-known standard for information security management systems (ISMS). The ISO/IEC 27001 standard provides all organizations with guidance for establishing, implementing, maintaining, and continually improving information security management systems.
ISO standards are internationally agreed to by cybersecurity experts and are widely recognized globally. ISO certification is available for organizations across all economic sectors (all kinds of services and manufacturing as well as the primary sector; private, public, and non-profit organizations).
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the organization, and that this system employs all the best practices and principles enshrined in this International Standard.
Regulation | Active Now
DORA is structured around five key pillars, each designed to address distinct aspects of financial services digital operational resilience.
- ICT risk management and governance: DORA makes management and board members responsible for defining, implementing, and maintaining an ICT risk management framework to effectively deliver greater digital operational resilience. DORA mandates that financial entities have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk.
- Incident reporting: Financial services organizations need to establish systems to monitor, manage, log, classify and report ICT-related incidents to evaluate attacks, mitigate impact on customers and operations, and report to the authorities.
- Digital operational resilience testing: Financial entities need to implement and perform a comprehensive digital operational resilience testing program annually. DORA also outlines that financial entities need to ensure the involvement of ICT third-party providers in their digital operational resilience testing if applicable.
- ICT third-party risk: One of DORA’S key emphases is ICT third-party risk and its role in risk mitigation. Financial institutions rely heavily on external ICT providers who may be outside of the EU, such as several cloud providers. Consequently, financial entities need to include ICT third-party risk as an integral component of their ICT risk management framework.
- Information sharing: DORA also encourages voluntary information sharing about cyberthreat information and intelligence to enhance the industry’s digital operational resilience.
ISO standards are internationally agreed to by cybersecurity experts and are widely recognized globally. ISO certification is available for organizations across all economic sectors (all kinds of services and manufacturing as well as the primary sector; private, public, and non-profit organizations).
ISO/IEC 27001 is an international standard with no penalties for non-compliance. However, ISO/IEC 27001:2022 certification can provide a layer of defense against fines by regulations such as GDPR in the event of a data breach, by showing an organization’s good faith efforts in implementing information security best practices.
While ISO/IEC 27001 specifies the requirements for establishing an ISMS, ISO/IEC 27002 provides the detailed best practices and controls that can be applied within the ISMS. The main difference is that the ISO/IEC 27001 is a standard that organizations can get certified for, while ISO/IEC 27002 is not. The requirements in the table below are listed on both ISO 27001 and ISO 27002.
How Thales Helps with ISO / IEC 27001:2022 Compliance
Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls. We provide comprehensive cyber security solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.
ISO / IEC 27001:2022 Compliance Solutions
ISO Requirements Supported: 8. Technological Controls
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF) protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self- Protection (RASP).
ISO Requirements Supported: 5. Organizational Controls and 8. Technological Controls
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption, tokenization, and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment. They also identify anomalous behaviour and monitor activity to identify potential threats and verify compliance, allowing organizations to prioritize where to allocate their efforts.
ISO Requirements Supported: 5. Organizational Controls, 6 People Controls, 7 Physical Controls, and 8. Technological Controls
Provide seamless, secure, and trusted access to applications and digital services for customers, employees, and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and multi-factor authentication that help ensure that the right user is granted access to the right resource at the right time.
eBook
Compliance with the ISO 27001 information security, cybersecurity, and privacy protection standard
Read our detailed eBook to understand how Thales can help with ISO 27001 compliance requirements.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.