PECB just released a new edition of the ISO 27001 standard in October. This edition adds 11 new controls to the existing ones, and some of the existing controls have been merged. The previous edition of the ISO 27001 standard dates from 2013, and the new edition was released in 2022. I feel that a considerable gap was exploited during the nine-year period, and that this new edition could have come out sooner.
Key examples of the newly added controls are data masking and configuration management. Data masking should have been added long ago, as it helps ensure an organisation's data privacy. It goes a step beyond encrypting data in use, in transit and at rest: while encryption mainly focuses on data on an organisation's network, data masking covers data on the network as well as other information, which could be on cards, access cards, soft-copy documents, etc.
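To make the distinction concrete, here is an added Python example (not code from the original post or from any standard) of the kind of masking the control is about: unlike encryption, the output keeps only what a reader needs (the last four digits of a card number, the first letter of an e-mail local part) and cannot be reversed to recover the original. The regular expressions and the sample document text are assumptions constructed for this illustration.

```python
import re

# Constructed patterns: payment card numbers of 13-19 digits with optional
# space/hyphen separators, and a simple e-mail address shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits of a card number.

    Separators are dropped so that the masked form does not leak the
    original grouping; there is deliberately no inverse function.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = addr.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_text(text: str) -> str:
    """Mask every e-mail address and card number found in free text,
    e.g. a soft-copy document before it is shared outside the team."""
    text = EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)
    text = CARD_RE.sub(lambda m: mask_card_number(m.group(0)), text)
    return text


if __name__ == "__main__":
    # Constructed sample line, not real data.
    sample = "Contact alice.smith@example.org, card 4111 1111 1111 1111."
    print(mask_text(sample))
```

The masked document can still be used for support work or testing, since a reader can tell which card and which mailbox are meant, but the masked values are useless to anyone who obtains the document.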
Configuration management covers how systems should be configured in the organisation. Nothing poses a more significant threat to security than a firm's IT department wrongly configuring hardware, software or applications. Since hackers conduct vulnerability assessments on an organisation's systems, if a wrong configuration is detected, be assured that hackers will penetrate and exploit that misconfiguration.
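One practical way an organisation applies this control is to keep a documented baseline of secure settings and check deployed systems against it before an attacker finds the drift. The following Python is an added example (not from the original post or from the standard) that parses a small sample of an OpenSSH server configuration and reports every setting that is missing or deviates from the baseline. The baseline values and the sample configuration text are constructed for this illustration; which settings a real baseline should require is an organisational decision.

```python
from typing import Dict, List, Optional, Tuple

# Constructed baseline: directive -> required value. These are real OpenSSH
# sshd_config directives, but the chosen values are illustrative only.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
}

# Constructed sample of a deployed sshd_config (not a real system).
SAMPLE_CONFIG = """\
# sshd_config on a constructed example host
Protocol 2
PermitRootLogin yes
X11Forwarding no
"""

# (directive, expected value, actual value or None when absent)
Finding = Tuple[str, str, Optional[str]]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines, ignoring blanks and '#' comments.
    Directives are matched case-insensitively, as sshd does; the first
    occurrence wins, again mirroring sshd behaviour."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key not in settings:
            settings[key] = value.strip()
    return settings


def check_against_baseline(config: Dict[str, str], baseline: Dict[str, str]) -> List[Finding]:
    """Return one finding per baseline directive that is absent or differs.
    An absent directive is reported too, because the daemon then falls back
    to a default the baseline may not have intended."""
    findings: List[Finding] = []
    for directive, expected in baseline.items():
        actual = config.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return sorted(findings)


def audit_text(text: str, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Convenience wrapper: parse a config file's text and audit it."""
    return check_against_baseline(parse_config(text), baseline)


if __name__ == "__main__":
    for directive, expected, actual in audit_text(SAMPLE_CONFIG):
        state = "missing" if actual is None else f"set to {actual!r}"
        print(f"{directive}: expected {expected!r}, {state}")
```

Run periodically (or in a deployment pipeline), a check like this turns the control into evidence an auditor can inspect, and it catches the drift before an outside vulnerability assessment does.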
ISO 27001:2013 touches on almost all aspects of ensuring security, and only the NIST security framework could rival this standard. ISO 27001:2022 introduces specific measures to take security from 90% to at least 99.99%, as it builds on the concepts of the former. One of the specific controls in the latest ISO 27001 is the physical monitoring aspect.
This control is precise, unlike its counterpart in the previous edition, which was only concerned with the physical security of the organisation's premises. The new one calls for the organisation to employ tools such as CCTV to monitor its sensitive areas and, if possible, delivery areas, entrances and other non-critical areas. If an organisation cannot afford CCTV, then security guards should be entrusted with the responsibility of monitoring the critical and non-critical areas of the organisation.
One good thing about the latest ISO 27001:2022 standard is that it further emphasises the importance of tools and systems, as these help make security much more accessible. With systems and other tools in use, security would be ensured in the organisation, and data, people and applications would be more secure than ever. These tools make monitoring, tracking, auditing and identification much more effortless.