Thales banner

Data security compliance with the ISO/IEC 27001:2022

How Thales solutions help with ISO/IEC 27001 information security, cybersecurity, and privacy protection standard

ISO/IEC 27001:2022

GlobalISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 170 national standards bodies. ISO/IEC 27001 is jointly published by ISO and the International Electrotechnical Commission (IEC) and is the world's best-known standard for information security management systems (ISMS).

The ISO/IEC 27001 standard provides all organizations with guidance for establishing, implementing, maintaining, and continually improving information security management systems. ISO standards are internationally agreed to by cybersecurity experts and are widely recognized globally. ISO certification is available for organizations across all economic sectors (all kinds of services and manufacturing as well as the primary sector; private, public, and non-profit organizations).

Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls.

  • Regulation
  • Compliance

Regulation Overview

First published in 2005 ISO/IEC 27001 was revised on September 25, 2013, as ISO/IEC 27001:2013, and again on October 25, 2022, as ISO/IEC 27001:2022. It has been updated to reflect the ever-changing landscape of technology and information security. The biggest change in 2022 is Annex A.

Annex A in ISO/IEC 27001 is a part of the standard that lists a set of classified security controls that organizations use to demonstrate compliance with ISO/IEC 27001 6.1.3 (Information security risk treatment). A total of 24 controls were merged and 58 controls were revised from the ISO/IEC 27002:2013 to align with the current cyber security and information security environment.

 

Annex A Control Categories

ISO/IEC 27001: 2013

ISO/IEC 27001: 2022

114 controls
14 sections

93 controls
4 sections

  • Organizational – 37 controls
  • People – 8 controls
  • Physical – 14 controls
  • Technological – 34 controls

 

ISO/IEC 27001 is an international standard with no penalties for non-compliance. However, ISO/IEC 27001:2022 certification can provide a layer of defense against fines by regulations such as GDPR in the event of a data breach, by showing an organization’s good faith efforts in implementing information security best practices.

Thales helps organizations comply with ISO/IEC 27001:2022 by addressing essential requirements listed in Annex A for Information Security Controls in 5 domains.

 

ISO/IEC 27001:2022 Requirements

Thales Solutions

Classification of Information

 

5.12: Classification of Information:

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

Data Security

 

5.3: Segregation of Duties

5.33: Protection of Records

5.34: Privacy and Protection of PII

8.7: Protection against Malware

8.10: Information Deletion

8.11: Data Masking

8.12: Data Leakage Prevention

8.24: Use of Cryptography

CipherTrust Data Security Platform is an integrated suite of data-centric security products and solutions that unify data discovery, protection, and control in one platform. CipherTrust Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

  • CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management and privileged user access control across multiple clouds, and within big data and container environments.
  • CipherTrust Tokenization with dynamic data masking permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data without exposing sensitive data during the analysis or in reports.
  • CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments over a diverse set of use cases, encrypted information can be effectively deleted by destroying encryption keys.
  • CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.

Thales Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.

Thales High Speed Encryptors (HSEs) provide network-independent data-in-motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back.

Access Control & Authentication

 

5.15: Access Control

5.17: Authentication information

5.18: Access Rights

6.7: Remote Working

8.3: Information Access Restriction

8.4: Access to Source Code

8.5: Secure Authentication

Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensure the right user is granted access to the right resource at the right time.

  • SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication.
  • Thales converged badge solutions simplify the management of physical and logical access by consolidating all corporate security applications in a single user's badge.
  • The broad list of supported authentication methods enables organizations to protect all their users and sensitive digital resources with strong multifactor authentication. 

Thales OneWelcome Consent & Preference Management module enables organizations to gather the consent of end consumers, so, for example, financial institutions have clear visibility of consented data allowing them to manage access to data they are allowed to utilize.

CipherTrust Transparent Encryption encrypts sensitive data, enforces granular privileged-user-access management policies and provides complete separation of roles.

Cloud Security

 

5.23: Information security for use of cloud services

5.30: ICT readiness for business continuity

CipherTrust Cloud Key Manager can reduce third cloud security risks by maintaining on-premises under the full control of the organization the keys that protect sensitive data hosted by third party cloud providers under “bring your own keys” (BYOK) systems.

CipherTrust Transparent Encryption provides complete separation of administrative roles. Unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud will not be accessible in cleartext to unauthorized users.

Thales Data Security solutions offer the most comprehensive range of data protection, such as Thales Data Protection on Demand (DPoD) that provides built in high availability and backup to its cloud-based Luna Cloud HSM and CipherTrust Key Management services.

Application Security

 

8.25: Secure development lifecycle

8.26: Application security requirements

CipherTrust Platform Community Edition makes it easy for DevSecOps to deploy data protection controls in hybrid and multi-cloud applications.

CipherTrust Secrets Management is a state-of-the-art secrets management solution, which protects and automates access to secrets across DevOps tools and cloud workloads including secrets, credentials, certificates, API keys, and tokens.

CipherTrust Application Data Protection offers developer-friendly software tools for encryption key management and application-level encryption of sensitive data which provides the highest level of security at the application layer.

Thales Data Protection on Demand (DPoD) is a cloud-based marketplace that offers Luna HSMs and CipherTrust solutions as a service. This enables in-house teams to leverage these proven and certified data security solutions easily and securely in their own offerings.

Recommended Resources

Data security compliance with the ISO/IEC 27001:2022 - information security, cybersecurity, and privacy protection standard - eBook

Data security compliance with the ISO/IEC 27001:2022 - information security, cybersecurity, and privacy protection standard - eBook

ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 170 national standards bodies. ISO/IEC 27001 is jointly published by ISO and the International Electrotechnical Commission (IEC) and is the...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

The Key Pillars for Protecting Sensitive Data in Any Organization

Os principais pilares para proteger dados confidenciais em qualquer organização - White Paper

Tradicionalmente, as organizações têm focado a segurança de TI principalmente na defesa do perímetro, construindo muros para bloquear a entrada de ameaças externas na rede. No entanto, com a atual proliferação de dados, a evolução das regulamentações de privacidade globais e...