How to prepare yourself for ISO 27001:2022

Survive your vendor security review

In security, everything is always evolving and standards are no exception. ISO 27001:2022 will soon replace ISO 27001:2013. No significant requirements from 2013 were deleted for the 2022 version. But, there are plenty of changes, mainly in two categories:

• a whole bunch of new security controls
• merging many of the old 2013 checks.

For this blog post, let's just focus on the new ones that focus on security.

ISO 27001:2022 revision introduces 11 new controls

A.5.7 Threat intelligence

This key ISO 27001:2022 control is all about gathering info on threats and analyzing them to take the right actions for protection. This means getting the scoop on specific attacks and the sneaky methods and technologies those attackers are using. Additionally, it calls for monitoring the latest attack trends. Here's the trick: you want to gather this intel from both inside your own organization and outside sources like announcements from government agencies and vendor reports. By staying on top of what's happening you’ll be able to comply with A.5.7.

🎯 Great news - it’s as if Aikido was designed for this. It’s literally what Aikido does.

A.5.23 Information security for the use of cloud services

To comply with this ISO 27001:2022 requirement you’ll need to set security requirements for cloud services in order to better protect your information in the cloud. This includes purchasing, using, managing and terminating the use of cloud services.

🎯 Aikido has a built-in cloud security posture management (CSPM) tool to help you.

A.5.30 ICT readiness for business continuity

This control requires your information and communication technology to be ready for potential disruptions. Why? So that required information and assets are available when needed. This includes readiness planning, implementation, maintenance and testing.

🎯 To enable you to comply with this ISO 27001:2022 requirement, Aikido checks your readiness for big cloud disruptions, including your ability to back up across regions. This feature is not a default setting even for AWS.

A.7.4 Physical security monitoring

This ISO 27001:2022 control is a bit different than the others - it’s focused on the physical workspace. It requires you to monitor sensitive areas in order to allow only authorized people to access them. The spaces this could affect might include anywhere you operate: your offices, production facilities, warehouses and any other physical space that you use.

🥋 Top tip: it’s time to head down to the local dojo! For this one, you’ll need real Aikido! (the martial art) 😂

A.8.9 Configuration management

This control requires you to manage the whole cycle of security configuration for your technology. The objective is to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring and review.

🎯 One of the things here is that you make sure the correct security is set up in your git (GitHub) for each branch, so not everyone can merge without the proper approvals.
Aikido will verify a lot of the configuration issues in your cloud. It will also verify that you use IAC to define your cloud, to avoid drift in config in your cloud.

A.8.10 Information deletion

You must delete data when no longer required to comply with this control. Why? To avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media and cloud services.

⚠️ This type of control is not something Aikido covers.

A.8.11 Data masking

ISO 27001:2022 requires you to use data masking (aka, data obfuscation) together with access control in order to limit the exposure of sensitive information. This primarily means personally identifiable information (PII), because there are already robust privacy regulations. Furthermore, it could also include other categories of sensitive data.

⚠️ This control is about making sure you don’t log the wrong PII to logging systems, etc. Luckily, most modern systems (e.g. Sentry) have some kind of built-in filter for this requirement. But, Aikido is not built to check for this control.

A.8.12 Data leakage prevention

For this control, you’ll need to apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information. And if such incidents happen you’ll need to detect them in a timely manner. This includes information in IT systems, networks and any devices.

🎯 Aikido verifies your cloud doesn’t have any security misconfiguration that could result in an unwanted data leak.

A.8.16 Monitoring activities

This control requires you to monitor your systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring your IT systems, networks and applications.

🎯 Once you get your apps set up it’s not enough to just let the emails pile up in your inbox archive. Best to let them send alerts to Slack. And, guess what? Aikido does this.

A.8.23 Web filtering

In order to protect your IT systems, the web filtering control requires you to manage which websites your users are accessing. This way, you can prevent your systems from being compromised by malicious code. You’ll also prevent users from utilizing illegal materials from the Internet.

🎯 In practice, this means using any kind of WAF such as AWS WAF or Cloudflare. Aikido’s got you covered - we monitor for their presence.

A.8.28 Secure coding

ISO 27001:2022 is also concerned with secure coding. This control requires you to establish secure coding principles and apply them to your software development. Why? To reduce security vulnerabilities in the software. When? This could include activities before, during, and after the coding.

🎯 This is Aikido’s static application security testing (SAST), which we’ve built on best-in-class open-source software. Additionally, you can use our software composition analysis (SCA), built on Trivy.

ISO 27001:2022 compliance with help from Aikido

If you’re still on ISO 27001:2013, you’ll have some work to do. But don’t worry. It’s feasible to get up to speed on ISO 27001:2022 in a short amount of time.

So, if you want to get your application secured quickly, Aikido gives you a complete overview of how you’re doing regarding code and cloud controls.

Want to know how you’re doing? Check your compliance now with Aikido! It only takes just a few minutes:  https://app.aikido.dev/reports/iso

Interested in a chat with someone who’s been through the ISO certification process? Fill out the form below & we’ll set up a call