Discover the new regulations and requirements for ISO 27001:2022 and what they mean for your organisation's Data Loss Prevention (DLP) strategy.
Having ISO 27001 in place is a given for most cybersecurity teams.
As well as being a key requirement for partners who want to work with the business, it also helps the team show that they have an effective strategy in place when it comes to cyber attacks.
Although ISO 27001 has been around for a while, the newest updates to the standard show that the regulations are adapting to the fast-paced developments of the cybersecurity world.
ISO 27001 is an international standard, created to manage information security management systems.
Its latest iteration is ISO 27001:2022. It was released in October last year, and includes 11 new controls - one of which focuses on DLP (Data Leakage Prevention).
Although 11 new controls to contend with sounds like a lot, don’t panic. You might already have some of these covered, and if not, you have until October 31st, 2025 to get them in place.
But as with anything in the cybersecurity world, there’s no time like the present. Getting everything sorted early can ensure you meet the ISO 27001:2022 requirements, and you’ll be protecting your sensitive data in the process.
There are 11 new regulations introduced:
ISO 27001:2022 states that your DLP strategy should aim to detect and prevent the loss of sensitive data like PHI and PII.
The regulations also state:
“Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.”
To meet this, you’ll need to be protecting your physical assets such as devices, USB sticks etc, but you’ll also need to be protecting your cloud apps, including any SaaS apps you use within your business.
With more and more data being hosted in the cloud, this update makes a lot of sense. Data breaches are becoming ever more costly for businesses, while data is becoming a currency in itself for hackers.
A DLP software like Metomic can help you achieve this automatically with around the clock detection of sensitive data in your SaaS apps such as Google Drive, Jira, and Slack, as well as remediation and redaction abilities to comply with your company’s security policy.
Technically, you won’t need to provide documentation to show that you’re compliant with this, but it’s worth setting out your DLP strategy, as well as ‘Acceptable Use’ and ‘Information Security Policy’ documents for your employees to minimise the risk of data leaks.
There are a few things you can do to make sure you’re complying with ISO 27001:2022:
As well as ensuring you comply with A.8.12 (Data Leakage Prevention), Metomic can also help you align with these new regulations too:
A.8.10 - Information deletion
With automatic redaction abilities, Metomic can remove sensitive data from SaaS apps like Slack and Google Drive, without getting in the way of your employees doing their jobs.
A.8.11 - Data masking
Metomic encrypts data so that it’s unable to be identified by prying eyes. We also don’t store any of our customer data in our platform, we store encryptions of it. That means if we suffer a data breach, our customer data isn’t at risk.
A.8.12 - Data Leakage Prevention.
Metomic helps you take steps to protect your most sensitive data by automatically remediating data risks in your ecosystem.
A.8.16 - Monitoring activities
Metomic automatically monitors your SaaS apps for sensitive data, around the clock, giving you hours of your time back. No more manually scrolling through channels to see whether sensitive data has been shared, it’ll all be waiting for you as soon as you log in.
A.8.28 - Secure coding
We identify secrets and keys that should stay protected, to ensure all of your coding is secured, especially in apps like GitHub.
A data loss prevention software like Metomic is an ideal fit for ensuring you’re complying with ISO 27001:2022. To see how we can help your business, book a demo of the Metomic platform with one of our SaaS Security Specialists, and we’ll tell you where your sensitive data is lurking, and how we can help you protect it.