Data security compliance with the ISO/IEC 27001:2022
How Thales solutions help with ISO/IEC 27001 information security, cybersecurity, and privacy protection standard
ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 170 national standards bodies. ISO/IEC 27001 is jointly published by ISO and the International Electrotechnical Commission (IEC) and is the world's best-known standard for information security management systems (ISMS).
The ISO/IEC 27001 standard provides all organizations with guidance for establishing, implementing, maintaining, and continually improving an information security management system. ISO standards are internationally agreed to by cybersecurity experts and are widely recognized. ISO certification is available to organizations across all economic sectors (all kinds of services and manufacturing as well as the primary sector; private, public, and non-profit organizations).
Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls.
Regulation Overview
First published in 2005, ISO/IEC 27001 was revised on September 25, 2013, as ISO/IEC 27001:2013, and again on October 25, 2022, as ISO/IEC 27001:2022. The standard has been updated to reflect the ever-changing landscape of technology and information security. The biggest change in the 2022 revision is to Annex A.
Annex A of ISO/IEC 27001 lists a set of categorized security controls that organizations use to demonstrate compliance with clause 6.1.3 (Information security risk treatment). Compared with ISO/IEC 27002:2013, a total of 24 controls were merged and 58 controls were revised to align the control set with the current cybersecurity and information security environment.
ISO/IEC 27001:2013 | ISO/IEC 27001:2022 |
---|---|
114 controls | 93 controls |
ISO/IEC 27001 is an international standard with no penalties for non-compliance. However, ISO/IEC 27001:2022 certification can provide a layer of defense against fines under regulations such as GDPR in the event of a data breach, by showing an organization’s good-faith efforts to implement information security best practices.
Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls in 5 domains.
ISO/IEC 27001:2022 Requirements | Thales Solutions |
---|---|
Classification of Information | |
5.12: Classification of Information | CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps. |
Data Security | |
5.3: Segregation of Duties; 5.33: Protection of Records; 5.34: Privacy and Protection of PII; 8.7: Protection against Malware; 8.10: Information Deletion; 8.11: Data Masking; 8.12: Data Leakage Prevention; 8.24: Use of Cryptography | CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, and control in one platform. CipherTrust Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them: Thales Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as a service, and across hybrid environments. Thales High Speed Encryptors (HSEs) provide network-independent data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back. |
Access Control & Authentication | |
5.15: Access Control; 5.17: Authentication Information; 5.18: Access Rights; 6.7: Remote Working; 8.3: Information Access Restriction; 8.4: Access to Source Code; 8.5: Secure Authentication | Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensure the right user is granted access to the right resource at the right time. The Thales OneWelcome Consent & Preference Management module enables organizations to gather the consent of end consumers, so that, for example, financial institutions have clear visibility of consented data and can manage access to the data they are allowed to use. CipherTrust Transparent Encryption encrypts sensitive data, enforces granular privileged-user access management policies, and provides complete separation of roles. |
Cloud Security | |
5.23: Information security for use of cloud services; 5.30: ICT readiness for business continuity | CipherTrust Cloud Key Manager can reduce third-party cloud security risks by keeping the keys that protect sensitive data hosted by third-party cloud providers on-premises, under the full control of the organization, through “bring your own key” (BYOK) arrangements. CipherTrust Transparent Encryption provides complete separation of administrative roles: unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud is not accessible in cleartext to unauthorized users. Thales Data Security solutions offer the most comprehensive range of data protection, such as Thales Data Protection on Demand (DPoD), which provides built-in high availability and backup for its cloud-based Luna Cloud HSM and CipherTrust Key Management services. |
Application Security | |
8.25: Secure development lifecycle; 8.26: Application security requirements | CipherTrust Platform Community Edition makes it easy for DevSecOps teams to deploy data protection controls in hybrid and multi-cloud applications. CipherTrust Secrets Management is a state-of-the-art secrets management solution that protects and automates access to secrets across DevOps tools and cloud workloads, including credentials, certificates, API keys, and tokens. CipherTrust Application Data Protection offers developer-friendly software tools for encryption key management and application-level encryption of sensitive data, providing the highest level of security at the application layer. Thales Data Protection on Demand (DPoD) is a cloud-based marketplace that offers Luna HSMs and CipherTrust solutions as a service, enabling in-house teams to use these proven and certified data security solutions easily and securely in their own offerings. |
ISO (the International Organization for Standardization) is an independent, non-governmental international organization with 170 national standards bodies as members. ISO/IEC 27001 is jointly established by ISO and the International Electrotechnical Commission (IEC) and is the world's best-known standard for information security management systems (ISMS). The ISO/IEC 27001 standard provides all organizations with the guidance needed to establish, implement, maintain, and continually improve an information security management system.
This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements, including GDPR, Schrems II, PCI DSS, and data breach notification laws.
Traditionally, organizations focused their IT security mainly on perimeter defense, building walls to block external threats from entering the network. Perimeter defense remains important, but it is not sufficient. Cybercrime regularly breaches perimeter defenses, and data often sits somewhere outside the cloud defense perimeter, so organizations need to adopt a data-centric security strategy that protects data wherever it resides. Today, surging data volumes, evolving global and regional privacy regulations, growing cloud adoption, persistent advanced...