The digital world is changing rapidly. As a result, the requirements for handling information assets - and securing them - are also changing. Protecting sensitive data is more important today than ever before. Technology, in particular, is the focus of constant innovation. This is why Annex A of ISO 27001 contains a series of measures that have been specially developed for securing and handling technology and digital security in organisations.
ISO 27001 is an international standard for information security. It defines requirements for implementing, realising and maintaining an information security management system (ISMS) to protect the confidentiality, integrity and availability of information.
An information security management system certified to ISO 27001 is a globally recognised way of adequately protecting an organisation's information. An ISMS consists of a series of measures that help to ensure information security.
Technological controls are an important component of an ISMS. The measures in this category ensure that data is also adequately secured digitally and that access and networks are controlled.
Control categories from Annex A: Technological, organisational, personnel-related and physical
Annex A of ISO 27001:2022 contains a list of 93 controls organised into four categories. Companies can select the appropriate measures from the relevant categories depending on the context. In this way, the controls are adapted to the current security requirements:
- Organisational controls: These controls relate to the overall structure, culture, and policies of the organisation, as well as its risk management and information security management system (ISMS).
- People controls: These controls focus on the people who have access to the organisation's information assets, including their training, awareness, and responsibilities.
- Physical controls: These controls protect the physical assets of the organisation, such as its buildings, equipment, and data storage facilities.
- Technological controls: These controls protect the organisation's information systems and networks, including its software, hardware, and data encryption.
In this article, we focus on the technological controls from Annex A of ISO 27001:2022.
What are technological controls?
Technological controls include the authentication and encryption of data and the prevention of data loss. To protect the data, the technology must also be secured accordingly. Access rights, network security and data masking help to achieve this security.
In other words, these controls are designed to ensure that technical vulnerabilities are identified and addressed and that software and systems are protected against malware. Access to software and services is regulated and documented for this purpose, and all information that is no longer needed is deleted.
Technological controls include, among other things:
- The deletion of all information that is no longer necessary
- The management of technical vulnerabilities and the corresponding protection
- Protective measures against malware
- Measures for masking data
ISO 27001: New technological controls
Compared to its predecessor, ISO 27001:2022 includes new technological controls that respond to the current challenges of information security. The new technological controls are:
- 8.11: Data masking
- 8.9: Configuration management
- 8.10: Information deletion
- 8.12: Data leakage prevention
- 8.16: Monitoring activities
- 8.23: Web filtering
- 8.28: Secure coding
What technological controls are there?
Technological controls are an important part of a comprehensive information security strategy, which focuses in particular on the appropriate security of technology, data, access and storage of information.
This area comprises 34 measures that you can implement. We have compiled a list with a comprehensive overview of all technological controls from Annex A of ISO 27001:
| Annex A control (Technological Controls) | Title |
|---|---|
| 8.1 | User Endpoint Devices |
| 8.2 | Privileged Access Rights |
| 8.3 | Information Access Restriction |
| 8.4 | Access to Source Code |
| 8.5 | Secure Authentication |
| 8.6 | Capacity Management |
| 8.7 | Protection Against Malware |
| 8.8 | Management of Technical Vulnerabilities |
| 8.9 | Configuration Management |
| 8.10 | Information Deletion |
| 8.11 | Data Masking |
| 8.12 | Data Leakage Prevention |
| 8.13 | Information Backup |
| 8.14 | Redundancy of Information Processing Facilities |
| 8.15 | Logging |
| 8.16 | Monitoring Activities |
| 8.17 | Clock Synchronization |
| 8.18 | Use of Privileged Utility Programs |
| 8.19 | Installation of Software on Operational Systems |
| 8.20 | Networks Security |
| 8.21 | Security of Network Services |
| 8.22 | Segregation of Networks |
| 8.23 | Web Filtering |
| 8.24 | Use of Cryptography |
| 8.25 | Secure Development Life Cycle |
| 8.26 | Application Security Requirements |
| 8.27 | Secure System Architecture and Engineering Principles |
| 8.28 | Secure Coding |
| 8.29 | Security Testing in Development and Acceptance |
| 8.30 | Outsourced Development |
| 8.31 | Separation of Development, Test and Production Environments |
| 8.32 | Change Management |
| 8.33 | Test Information |
| 8.34 | Protection of Information Systems During Audit Testing |
How are technological controls implemented?
The implementation of technological controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems from technological attacks and then implement the appropriate controls to mitigate these threats.
The process of implementing technological controls can be broken down into the following steps:
Risk identification
The first stage is to identify the potential threats to the organisation's information and information systems from technological attacks. The following factors can be considered:
- External threats: Cyberattacks, malware, phishing
- Internal threats: Employee error, fraud, espionage
Control selection
After the risk assessment, the organisation can select the appropriate controls within the risk treatment to mitigate the identified threats. It is important to weigh up the costs and benefits of the controls.
Control design
In the third phase, the design of the controls is determined. This includes the specification of the technical and organisational measures required to implement the controls.
Control implementation
In the fourth phase, the controls are implemented. This includes the procurement and installation of the necessary hardware and software as well as the training of employees.
Control monitoring
The controls must be monitored regularly to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.
Technological controls to strengthen your information security
Technological controls are measures that improve the security of information and information systems. They help to protect information and information systems against unauthorised access, manipulation, destruction and loss.
The 2022 version of ISO 27001 considers the current challenges of information security and offers ways to establish an appropriate approach to current conditions.
Find the right controls for your organisation and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.