
Blog Post

The value of data discovery for ISO27001

BY Ground Labs | 15 July 2025

The international standard ISO27001 is one of the longest-standing and most widely recognized benchmarks for cybersecurity and privacy protection worldwide.

First introduced as BS 7799 in 1995 and republished as ISO27001 in 2005, the standard establishes an information security management system (ISMS), delivering a comprehensive framework for organizational security and information risk management.

The standard has seen several updates since its introduction, most recently in 2022 when it was revised to accommodate a shifting technological landscape and more diverse operating practices across organizations. 

Since its inception, information and information systems have been at the core of the standard, with data security a primary objective.

In this post, we explain the role of data discovery in achieving and maintaining compliance with ISO27001:2022, and the controls that are directly supported by a program of continuous discovery and data monitoring.

ISO27001:2022 updates you should know

The latest version of the ISO27001 standard was published in 2022 and restructured the standard significantly. 

While the 2022 release can be mapped easily to its predecessor, some of the changes introduced have wider implications for organizations seeking compliance.

Arguably the most significant is the shift in focus from “information systems” – referring to devices, databases and applications – to “information assets and associated systems.” 

While appearing little more than a subtle wording change, this data-centric update drastically changes the approach organizations should take to compliance. 

In the latest update, several controls were removed from the standard. Meanwhile, 11 new controls have been added to address an evolving technology and cyber-threat landscape. These include:

  • A.5.23 Information security for the use of cloud services
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention

Data discovery and ISO27001

Compliance with ISO27001 relies on a clear and comprehensive understanding of the organization’s data landscape. Only with this information can it adequately assess its data risk and determine the controls necessary to protect its data assets, including intellectual property, personal information and sensitive records.

Data discovery is essential to this process, facilitating identification and inventory of sensitive data assets held in structured and unstructured formats, and across on-premises systems, end point devices and cloud-based platforms. 

How Enterprise Recon supports ISO27001 compliance

In total, data discovery scanning – using advanced discovery and data management tools like Enterprise Recon – can directly support compliance with 13 of the 94 controls across the standard:

5. Organizational controls

| Control # | Control description | Enterprise Recon |
|---|---|---|
| 5.9 | An inventory of information and other associated assets, including owners, shall be developed and maintained. | Enterprise Recon helps identify data across an organization’s digital estate, facilitating creation and maintenance of information assets and their associated systems. |
| 5.12 | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | Enterprise Recon offers classification features, supporting labelling of data assets. |
| 5.18 | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. | Enterprise Recon supports access rights management, identifying users or groups and their level of access to data assets, and enables revocation of unauthorized access. |
| 5.26 | Information security incidents shall be responded to in accordance with the documented procedures. | Enterprise Recon aids incident response by enabling rapid identification of affected data through targeted scanning of impacted systems and devices. |
| 5.32 | The organization shall implement appropriate procedures to protect intellectual property rights. | Enterprise Recon supports identification of 300+ pre-defined personal information data types and custom data types across on-premises, end point and cloud-based systems. In-built remediation features enable data management and security through masking, encryption, quarantine and deletion. Delegated remediation features allow remediation actions to be managed by data and/or system owners. |
| 5.33 | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | |
| 5.34 | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | |

8. Technical controls

| Control # | Control description | Enterprise Recon |
|---|---|---|
| 8.1 | Information stored on, processed by or accessible via user end point devices shall be protected. | Enterprise Recon facilitates data management on end point devices through identification and remediation capabilities. |
| 8.3 | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | Enterprise Recon supports access rights management, identifying users or groups and their level of access to data assets, and enables revocation of unauthorized access. |
| 8.10 | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | Enterprise Recon can facilitate data management for redundant, obsolete and trivial (ROT) data via built-in remediation capabilities, including deletion. |
| 8.11 | Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. | Enterprise Recon’s in-built remediation features enable data management and security through masking, encryption, quarantine and deletion. |
| 8.12 | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | Enterprise Recon offers classification features, supporting labelling of data assets. This is a prerequisite of effective data leakage prevention, optimizing performance of DLP technologies. |
| 8.33 | Test information shall be appropriately selected, protected and managed. | Enterprise Recon supports identification of sensitive data types and custom data types unauthorized in test data, and can be used to verify the appropriateness of test data prior to use. |
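The tables above describe the discovery, classification and remediation steps at the level of control mappings. To make the mechanics concrete, the following is an added illustration (not Enterprise Recon's code, nor Ground Labs' own) of the pipeline those controls rely on: scan a set of files for pre-defined and custom data types, build an asset inventory with an owner and a classification label (controls 5.9 and 5.12), and mask validated card numbers as a remediation step (control 8.11). The sample files, the owner mapping and the "CUST-" customer-ID format are constructed for the example; the Luhn check is used so that a random 16-digit order reference is not reported as a payment card.

```python
"""Toy data-discovery pipeline (added example): find sensitive data types in
files, build an information-asset inventory with a classification label, and
apply masking as remediation. All inputs below are constructed sample data."""
import re


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Data types: a regex plus an optional validator that cuts false positives.
DATA_TYPES = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    "payment_card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), luhn_ok),
    # Custom data type: a hypothetical internal customer-ID format.
    "customer_id": (re.compile(r"\bCUST-\d{8}\b"), None),
}

# Sensitivity of each data type; the most sensitive hit labels the whole file.
SENSITIVITY = {"payment_card": "Confidential", "customer_id": "Internal", "email": "Internal"}
LEVELS = ["Public", "Internal", "Confidential"]

# Constructed sample "file system": path -> content.
SAMPLE_FILES = {
    "shared/finance/refunds.csv": (
        "customer_id,email,card\n"
        "CUST-00012345,alice@example.com,4111 1111 1111 1111\n"
    ),
    "shared/hr/onboarding-notes.txt": (
        "Welcome pack sent to bob@example.org; desk 42.\n"
        "Order reference 1234 5678 9012 3456 (not a card, fails Luhn).\n"
    ),
    "public/brochure.txt": "Our product helps you find sensitive data.\n",
}
# Constructed owner mapping by path prefix (control 5.9 asks for owners).
OWNERS = {"shared/finance": "finance-team", "shared/hr": "hr-team", "public": "marketing"}


def discover(files):
    """Scan each file for every data type; return {path: {type: count}} for hits only."""
    findings = {}
    for path, content in files.items():
        counts = {}
        for name, (pattern, validator) in DATA_TYPES.items():
            hits = [m.group(0) for m in pattern.finditer(content)
                    if validator is None or validator(m.group(0))]
            if hits:
                counts[name] = len(hits)
        if counts:
            findings[path] = counts
    return findings


def classify(counts):
    """Label a file by the most sensitive data type found in it (control 5.12)."""
    label = "Public"
    for name in counts:
        if LEVELS.index(SENSITIVITY[name]) > LEVELS.index(label):
            label = SENSITIVITY[name]
    return label


def build_inventory(files, owners):
    """Asset inventory: every file with its owner, classification and data types."""
    findings = discover(files)
    records = []
    for path in sorted(files):
        owner = next((o for prefix, o in owners.items() if path.startswith(prefix)), "unassigned")
        counts = findings.get(path, {})
        records.append({"path": path, "owner": owner,
                        "classification": classify(counts), "data_types": counts})
    return records


def mask_cards(content):
    """Remediation (control 8.11): keep only the last four digits of validated card numbers."""
    pattern, validator = DATA_TYPES["payment_card"]

    def repl(m):
        s = m.group(0)
        return s if not validator(s) else "*" * (len(s) - 4) + s[-4:]

    return pattern.sub(repl, content)


if __name__ == "__main__":
    for record in build_inventory(SAMPLE_FILES, OWNERS):
        print(record)
    print(mask_cards(SAMPLE_FILES["shared/finance/refunds.csv"]))
```

The inventory records are the artefact an auditor asks for under 5.9, and the classification label is what a DLP product (8.12) consumes; the validator hook is where real tools spend most of their effort, because a discovery scan that reports every 16-digit number as a card buries the genuine findings.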

Data discovery is the foundation of ISO27001 compliance

The latest updates to ISO27001 put data front and center, making it clear that organizations need a solid understanding of their information assets to stay compliant. That’s where data discovery comes in. By helping organizations find and keep track of sensitive data across all systems – structured and unstructured, on-premises and in the cloud – discovery tools like Enterprise Recon play a foundational role in meeting the updated requirements. 

It's not just about compliance – continuous data discovery supports better security overall, helping organizations stay ahead of cybersecurity and data risks in an increasingly complex threat landscape.

To find out how Ground Labs can help you achieve and maintain ISO27001 compliance, arrange a complimentary data workshop or book a call with one of our experts today.