Romain Deslorieux | Director, Strategic Partnerships | Thales
More About This Author >
Romain Deslorieux | Director, Strategic Partnerships | Thales
More About This Author >
The digital threat landscape today is unrecognizable from 2013, with each year bringing new tech trends and threats. Distributed and hybrid workforces, cloud-native architectures, a culture of bring-your-own-everything, more cunning and sophisticated adversaries, Artificial Intelligence, and AI agents have redefined how entities think about data security.
In response, the ISO/IEC 27001 standard (long considered a cornerstone of cybersecurity governance) was revised in 2022 to help companies manage these emerging risks and operational realities.
Here’s what changed between the 2013 and 2022 versions:
- New threats, new controls: 11 new controls were added to reflect cloud use, data lifecycle protection, and threat intelligence.
- Fewer, smarter categories: The number of controls was streamlined from 114 to 93 and grouped into four clear themes: Organizational, People, Physical, and Technological.
- More focus on data-centric security: Controls now call for proactive protection of sensitive data through masking, deletion, and leakage prevention.
- Cloud and SaaS are front and center: The standard recognizes the complexity of securing hybrid environments, cloud infrastructure, and API-driven workflows.
- Shift to continuous assurance: Organizations are expected to monitor and respond to security events in real-time; prevention alone is no longer enough.
- Alignment with modern frameworks: Zero Trust, NIST, and risk-based approaches to security governance are more harmonious.
The result? ISO/IEC 27001:2022 is more aligned with today’s risks and more demanding. The need to operationalize controls in cloud, hybrid, and decentralized environments means that traditional security approaches are no longer sufficient.
Where Thales Adds Value
Thales supports your compliance journey with a comprehensive, cloud-ready portfolio built to help meet the demands of ISO/IEC 27001:2022. Our solutions address six essential categories, each designed to map the control areas and evolving risks outlined in the updated standard.
1. Threat Detection and Intelligence
Leverage threat intelligence and behavioral analytics to detect and respond to evolving risks. Monitor data access and system activity across multi-cloud and hybrid environments. Support controls for threat intelligence, monitoring, and event management.
2. Cloud Data Security
Encrypt data across all cloud platforms, at rest, in motion, and in use. Keep control of your encryption keys, even when data resides in the public cloud. Ensure data confidentiality and integrity in shared responsibility environments.
3. Data Discovery and Classification
Identify and classify sensitive information across your data estate. Automate tagging and policy enforcement based on data type and sensitivity. Enable downstream controls like masking, encryption, and secure deletion.
4. Data Loss Prevention
Protect sensitive data from unauthorized access, sharing, or exfiltration. Apply tokenization, granular encryption, and user access controls. Limit internal and external threats while meeting compliance mandates.
5. Application and API Protection
Shield web applications and APIs from known and unknown threats. Use machine learning to detect bots, business logic abuse, and DDoS attacks. Ensure resilience for customer-facing digital services.
6. Identity and Access Management (IAM)
Strengthen user authentication with adaptive MFA and policy-based access. Support Zero Trust by ensuring the right people access the right data at the right time. Centralize identity governance across cloud and on-premise systems.
Thales Solutions and ISO/IEC 27001:2022 Controls
Thales delivers technology that supports ISO/IEC 27001:2022 compliance and improves operational resilience, visibility, and control.
- CipherTrust Data Security Platform: Encryption, tokenization, key management, and data discovery, all in one platform.
- Data Security Posture Management (DSPM): Visualize and protect sensitive data across IaaS, PaaS, and SaaS ecosystems.
- Imperva Application Security: End-to-end protection for your applications, APIs, and web assets.
- Thales Identity & Access Management: Secure access with intelligent MFA, SSO, and identity analytics.
The following table is a non-exhaustive mapping of how Thales products support the revised ISO/IEC 27001:2022 controls.
| ISO 27001:2022 Control | Thales Product(s) | Solution |
| A.5.7 – Threat Intelligence |
| Deliver proactive threat detection, behavioral analysis, and event correlation |
| A.5.23 – Use of Cloud Services |
| Encryption, access policies, and data classification secure data in multi-cloud environments |
| A.8.10 – Data Deletion |
| Enable secure erasure of data via crypto-shredding or automated deletion workflows |
| A.8.11 – Data Masking |
| Protect sensitive fields through tokenization and masking to minimize exposure |
| A.8.12 – Data Leakage Prevention |
| Prevent exfiltration through user access controls, policy enforcement, and encryption |
| A.8.16 – Monitoring Activities |
| Real-time monitoring of access and activity for apps, APIs, and databases |
| A.5.15 / A.5.17 – Access Control & Identity Verification |
| Deliver risk-based access policies, SSO, and adaptive authentication across services |
Build Security That Goes Beyond Compliance
Achieving ISO/IEC 27001:2022 certification is a milestone, but maintaining trust, continuity, and resilience in the face of evolving threats requires more. Thales helps you go further by embedding security into every infrastructure, data, and identity stack layer.
Visit our ISO 27001:2022 solutions hub to explore how we can help accelerate your compliance and strengthen your business in the long term.