In security, everything is always evolving and standards are no exception. ISO 27001:2022 will soon replace ISO 27001:2013. No significant requirements from 2013 were deleted for the 2022 version. However, there are plenty of changes, mainly in two categories:
a whole bunch of new security controls
merging many of the old 2013 checks.
For this blog post, let's concentrate on the new controls that focus on security.
ISO 27001:2022 revision introduces 11 new controls
A.5.7 Threat intelligence
This key ISO 27001:2022 control is all about gathering info on threats and analyzing them to take the right actions for protection. This means getting the scoop on specific attacks and the sneaky methods and technologies those attackers are using. Additionally, it calls for monitoring the latest attack trends. Here's the trick: you want to gather this intel from both inside your own organization and outside sources like announcements from government agencies and vendor reports. By staying on top of what's happening you’ll be able to comply with A.5.7.
🎯 Great news - it’s as if Aikido was designed for this. It’s literally what Aikido does.
A.5.23 Information security for the use of cloud services
To comply with this ISO 27001:2022 requirement you’ll need to set security requirements for cloud services in order to better protect your information in the cloud. This includes purchasing, using, managing and terminating the use of cloud services.
🎯 Aikido has a built-in cloud security posture management (CSPM) tool to help you.
A.5.30 ICT readiness for business continuity
This control requires your information and communication technology to be ready for potential disruptions. Why? So that required information and assets are available when needed. This includes readiness planning, implementation, maintenance and testing.
🎯 To enable you to comply with this ISO 27001:2022 requirement, Aikido checks your readiness for big cloud disruptions, including your ability to back up across regions. This feature is not a default setting even for AWS.
A.7.4 Physical security monitoring
This ISO 27001:2022 control is a bit different than the others - it’s focused on the physical workspace. It requires you to monitor sensitive areas in order to allow only authorized people to access them. The spaces this could affect might include anywhere you operate: your offices, production facilities, warehouses and any other physical space that you use.
🥋 Top tip: it’s time to head down to the local dojo! For this one, you’ll need real Aikido! (the martial art) 😂
A.8.9 Configuration management
This control requires you to manage the whole cycle of security configuration for your technology. The objective is to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring and review.
🎯 One part of this is making sure the correct protection is set up in your Git hosting (GitHub) for each branch, so that not everyone can merge without the proper approvals. Aikido will verify a lot of the configuration issues in your cloud. It will also verify that you use infrastructure as code (IaC) to define your cloud, to avoid configuration drift.
A.8.10 Information deletion
You must delete data when no longer required to comply with this control. Why? To avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media and cloud services.
⚠️ This type of control is not something Aikido covers.
A.8.11 Data masking
ISO 27001:2022 requires you to use data masking (aka, data obfuscation) together with access control in order to limit the exposure of sensitive information. This primarily means personally identifiable information (PII), because there are already robust privacy regulations. Furthermore, it could also include other categories of sensitive data.
⚠️ This control is about making sure you don’t log the wrong PII to logging systems, etc. Luckily, most modern systems (e.g. Sentry) have some kind of built-in filter for this requirement. But Aikido is not built to check for this control.
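To show what such a filter does before a log line leaves the application, here is an added example (not Aikido's or Sentry's code) of a Python `logging` filter that masks e-mail addresses and card numbers. The patterns, the mask format and the names `mask_pii` and `PiiMaskingFilter` are assumptions made for this illustration.

```python
import logging
import re

# Illustrative patterns (assumptions), not an exhaustive PII catalogue.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    # Mask only Luhn-valid runs so order ids and timestamps stay readable.
    if luhn_ok(digits):
        return "[CARD ****" + digits[-4:] + "]"
    return match.group()


def mask_pii(text: str) -> str:
    """Mask e-mail addresses and Luhn-valid card numbers in a string."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return CARD_RE.sub(_mask_card, text)


class PiiMaskingFilter(logging.Filter):
    """Rewrites each record before a handler formats or ships it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so PII passed as arguments is masked too.
        record.msg = mask_pii(record.getMessage())
        record.args = None
        return True
```

Attach the filter to each handler (`handler.addFilter(PiiMaskingFilter())`) rather than to a logger: logger-level filters are skipped for records that propagate up from child loggers, while handler-level filters see every record the handler emits.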
A.8.12 Data leakage prevention
For this control, you’ll need to apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information. And if such incidents happen you’ll need to detect them in a timely manner. This includes information in IT systems, networks and any devices.
🎯 Aikido verifies your cloud doesn’t have any security misconfiguration that could result in an unwanted data leak.
A.8.16 Monitoring activities
This control requires you to monitor your systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring your IT systems, networks and applications.
🎯 Once you get your apps set up it’s not enough to just let the emails pile up in your inbox archive. Best to let them send alerts to Slack. And, guess what? Aikido does this.
A.8.23 Web filtering
In order to protect your IT systems, the web filtering control requires you to manage which websites your users are accessing. This way, you can prevent your systems from being compromised by malicious code. You’ll also prevent users from utilizing illegal materials from the Internet.
🎯 In practice, this means using any kind of WAF such as AWS WAF or Cloudflare. Aikido’s got you covered - we monitor for their presence.
A.8.28 Secure coding
ISO 27001:2022 is also concerned with secure coding. This control requires you to establish secure coding principles and apply them to your software development. Why? To reduce security vulnerabilities in the software. When? This could include activities before, during, and after the coding.
🎯 This is Aikido’s static application security testing (SAST), which we’ve built on best-in-class open-source software. Additionally, you can use our software composition analysis (SCA), built on Trivy.
ISO 27001:2022 compliance with help from Aikido
If you’re still on ISO 27001:2013, you’ll have some work to do. But don’t worry. It’s feasible to get up to speed on ISO 27001:2022 in a short amount of time.
So, if you want to get your application secured quickly, Aikido gives you a complete overview of how you’re doing regarding code and cloud controls.