Updated ISO Standards Require Enhanced Information Governance
In October 2022, the International Organization for Standardization (ISO) released a revised ISO 27001 on information security, cybersecurity, and privacy protection requirements for information security management systems (ISMS).
This is the first revision to ISO 27001 since 2013, and several of the updates signal an increased recognition of the critical role information governance plays in information security management. Interestingly, many of the themes found in new ISO 27001 controls are consistent with the guidelines ISO set forth earlier in 2022 when it promulgated ISO 24143 on Information Governance.
The modifications to the body of ISO 27001 are modest, but the Annex A list of information security controls was substantially restructured: the 114 controls of the 2013 edition were reorganized into 93, largely through consolidation, and regrouped under four themes (organizational, people, physical, and technological) in place of the former 14 clauses. Eleven of the 93 are entirely new controls.
This article focuses on several of the new controls aimed at data masking, managing data in the cloud, enhanced monitoring, and deleting information to align with data minimization requirements. These new controls are likely to impact data privacy and cybersecurity policies and procedures, as well as information governance programs and initiatives.
A Family of Standards
ISO, according to its website, “was founded with the idea of answering a fundamental question: ‘what's the best way of doing this?’” Traditionally, when an organization is certified as complying with an ISO standard, it means “that consumers can have confidence that their products are safe, reliable and of good quality.” ISO standards are important for any organization devoted to ensuring the quality and safety of its products and operations, whether in automotive, healthcare, industrial equipment, energy, or technology.
ISO 27001 is one of a family of standards regarding information security management systems. ISO 27000 is the parent of the family and contains definitions for vocabulary used throughout the family.
The 27000 family of standards “enable organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by third parties,” according to the ISO website. ISO also released an update to family member ISO 27002 related to information security controls earlier this year, which includes guidelines that will be instructive for implementation of revised ISO 27001.
The information security management landscape has evolved significantly since ISO 27001 was last revised in 2013. At that time, migration of enterprise systems and applications to the cloud was only beginning to gain traction; the General Data Protection Regulation (GDPR) did not take effect until five years later, in May 2018; and comprehensive state privacy laws, including the California Consumer Privacy Act (CCPA), followed shortly thereafter.
Security practice has not kept pace with these developments. For example, the most recent IBM-Ponemon Cost of a Data Breach Report, which tracks the costs of data breaches, including redress for exposing personal data, found that breaches originating in cloud environments cost more on average than on-premises incidents. In addition, the report found that 45% of breaches were cloud-based, yet 43% of responding organizations had not started, or were only in the early stages of, applying security practices to protect their cloud environments.
Significant Added Controls
Against that background, it is not surprising to see new controls in the 2022 ISO 27001 revision for managing data in the cloud, data masking, enhanced monitoring, and deleting information to align with data minimization requirements. The table below highlights several of the new controls and the types of information governance initiatives companies can undertake in response.
By Chuck Ragan, Redgrave LLP & Tom Seymour, Redgrave Data