ISO standards may not always jump out as the most exciting of topics for dinner party conversation, but their growing importance in business cannot be denied. And this year it is well worth us talking about ISO 27001:2022 specifically (though perhaps not over dinner). It is expected that as many as 90,000* organisations might renew their certification or gain it for the very first time this year. The auditors will be busy!
For those who are renewing at the end of the three-year cycle, it is important to note that you will now be assessed under the newer 2022 standard specifications. This new version asks a lot more questions and is looking for conformity to a much more comprehensive framework.
ISO/IEC 27001:2022 Annex A introduced 11 brand new controls, merged 24 controls and revised 58 controls. These controls relate to some pretty hot topics including threat intelligence, information security for the use of cloud services, data leakage prevention, and the nitty-gritty of monitoring and web filtering. It was a welcome update and an appropriate reaction to the changes, risks, and threats faced by organisations in our increasingly digitising world.
I have heard some vendors enthusiastically making huge promises about the way their technology can ensure compliance, but when you are staring down the impending audit, such vague and excessive promises help no one. I will moderate my promises and provide specifics. Netskope One helps organisations comply with more than 70 of the controls required for certification, some fully and some partially. I know this because we have mapped it in detail. Imagine us as your cybersecurity Swiss Army knife for ISO 27001:2022 compliance with tools to help rationalise the standards.
Let’s briefly look into each of the four aspects from the framework.
The Organisational Backbone
Organisation-wide controls are the backbone of ISO 27001:2022, focused on the policies, procedures and responsibilities needed for effective information security. And for our customers, the Netskope Zero Trust Engine sits at the heart of all information security policies and controls, using threat intelligence, identity, access management and more to inform and enforce controls in the moment and track their acknowledgement. This unified approach empowers an organisation to pre-emptively address potential cybersecurity threats and helps them comply with 32 of the controls in this section of the framework.