Technical Control For ISO27001:2022

Note: the control category names used in the table below (Access Control, Cryptography, Physical and Environmental Security, and so on) follow the domain layout of the 2013 edition of Annex A. ISO/IEC 27001:2022 regroups the same controls into four themes (organizational, people, physical and technological), so each row should be mapped to the corresponding 2022 control numbers when preparing a Statement of Applicability.

Each entry below gives four items: Control Category; Examples of Controls; Technical Examples of Tools/Techniques; Explanation.

Control Category: Access Control
Examples of Controls:
- Access control policy
- User access management
- User responsibilities
Technical Examples of Tools/Techniques:
- Identity and access management (IAM) solutions (e.g., Microsoft Azure AD (now Microsoft Entra ID), Okta, OneLogin)
- Multi-factor authentication (MFA) tools (e.g., Duo Security, Google Authenticator, RSA SecurID)
- Privileged access management (PAM) software (e.g., CyberArk, BeyondTrust, Centrify (now part of Delinea))
Explanation: IAM solutions provide centralized user identity management, access provisioning, and single sign-on capabilities. MFA adds an extra layer of security by requiring users to present factors from more than one category, for example a password (something you know) plus a one-time code or a biometric (something you have or something you are); two factors of the same category, such as two passwords, do not count. PAM tools manage and monitor the use of privileged accounts, which have elevated access rights, typically by vaulting credentials, granting elevation just in time and recording privileged sessions.
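The one-time codes that Google Authenticator, Duo and similar MFA apps produce are time-based one-time passwords (TOTP, RFC 6238): HMAC-based HOTP (RFC 4226) with the counter derived from the clock. The following Go program is an added example written for this page, not code from any of the products listed. It implements the algorithm, which can be checked against the RFC 6238 test vector, and shows two checks a verifier needs in practice: a one-step tolerance for clock skew, and rejection of a code that has already been accepted (replay). The Verifier type, the user name and the use of the RFC test secret are illustrative assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

const totpStep = 30 // seconds per time step, the RFC 6238 default

// hotp computes a 6-digit RFC 4226 HOTP value for a shared secret and counter.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble of the last byte
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp derives the counter from Unix time (RFC 6238) and delegates to hotp.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// Verifier remembers the last time step accepted for each user so that a code
// which has already been used cannot be replayed while it is still in the window.
type Verifier struct {
	lastStep map[string]int64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]int64{}} }

// Verify accepts the current time step and one step either side (clock skew),
// compares in constant time, and refuses any step at or before the last one
// accepted for this user.
func (v *Verifier) Verify(user string, secret []byte, code string, unixTime int64) bool {
	if len(code) != 6 {
		return false
	}
	if _, err := strconv.Atoi(code); err != nil {
		return false
	}
	now := unixTime / totpStep
	for delta := int64(-1); delta <= 1; delta++ {
		step := now + delta
		if step < 0 {
			continue
		}
		if last, seen := v.lastStep[user]; seen && step <= last {
			continue // already consumed: a replay, or an older step than one already used
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(step))), []byte(code)) == 1 {
			v.lastStep[user] = step
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); real secrets are random
	// and are handed to the authenticator app base32-encoded at enrolment.
	secret := []byte("12345678901234567890")
	code := totp(secret, 59) // "287082", the RFC test vector for T=59
	v := NewVerifier()
	fmt.Println(code, v.Verify("alice", secret, code, 59), v.Verify("alice", secret, code, 70))
}
```

The replay check matters because a TOTP code stays valid for the whole step plus the skew window; without it, a code captured by a phishing page can be submitted a second time by the attacker within the same half minute.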

Control Category: Cryptography
Examples of Controls:
- Cryptographic controls
Technical Examples of Tools/Techniques:
- Encryption tools (e.g., BitLocker, FileVault, VeraCrypt)
- Public Key Infrastructure (PKI) solutions (e.g., Microsoft Certificate Services, DigiCert, GlobalSign)
- Hardware security modules (HSMs) (e.g., Thales nShield, Securosys, Utimaco)
Explanation: Encryption tools protect the confidentiality of data by converting it into a coded format that can only be accessed with the correct decryption key. The disk and volume encryption tools listed protect data at rest, that is, against loss or theft of the device or media; once a volume is unlocked, the running system and its users see the data in clear, so these tools are not a control against compromise of the live host. Confidentiality alone does not give integrity: where tampering must be detected, an authenticated mode such as AES-GCM or a separate MAC is needed. PKI solutions manage the creation, distribution, and revocation of digital certificates used for encryption and digital signatures. HSMs are dedicated hardware devices that securely generate, store, and process cryptographic keys; keys are used inside the module and are not exported in clear, which is why an HSM (or a cloud key management service) typically holds the key-encryption keys that wrap the data keys used elsewhere.
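The arrangement just described, per-object data keys wrapped by a key-encryption key that never leaves the HSM or KMS, is usually called envelope encryption. The following Go program is an added example written for this page, not the API of any HSM or KMS product: KeyCustodian is a hypothetical in-process stand-in for the hardware boundary, and the key ID and sample record are constructed. It shows AES-GCM giving confidentiality and integrity together (a single flipped bit makes decryption fail), the key ID bound to the wrapped key as associated data, and a custodian holding a different KEK being unable to unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag. AES-GCM gives confidentiality and
// integrity together; the AAD is authenticated by the tag but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails if nonce, ciphertext, tag or AAD were altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyCustodian stands in for an HSM or cloud KMS: the key-encryption key (KEK) lives
// inside it and only wrap/unwrap requests cross the boundary; callers never see the
// raw KEK. The type and its methods are hypothetical, not a real HSM API.
type KeyCustodian struct{ kek []byte }

func NewKeyCustodian() *KeyCustodian { return &KeyCustodian{kek: randomBytes(32)} }

// The key ID is passed as AAD, so a wrapped DEK cannot be presented under another key ID.
func (c *KeyCustodian) WrapDEK(dek []byte, keyID string) ([]byte, error) {
	return sealGCM(c.kek, dek, []byte(keyID))
}
func (c *KeyCustodian) UnwrapDEK(wrapped []byte, keyID string) ([]byte, error) {
	return openGCM(c.kek, wrapped, []byte(keyID))
}

// Envelope is what gets stored: the wrapped per-object data-encryption key (DEK)
// travels with the ciphertext; the KEK never leaves the custodian.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func Encrypt(c *KeyCustodian, keyID string, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32) // fresh AES-256 DEK for this object
	ct, err := sealGCM(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := c.WrapDEK(dek, keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(c *KeyCustodian, env *Envelope) ([]byte, error) {
	dek, err := c.UnwrapDEK(env.WrappedDEK, env.KeyID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	c := NewKeyCustodian()
	env, _ := Encrypt(c, "kek-2024-01", []byte("customer record 42")) // constructed sample
	pt, err := Decrypt(c, env)
	fmt.Printf("%q %v\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // flip one bit of the tag: Open must now fail
	_, err = Decrypt(c, env)
	fmt.Println("tampered:", err)
}
```

In a real deployment the custodian's WrapDEK/UnwrapDEK calls become the KMS wrap/unwrap API or the PKCS#11 C_WrapKey/C_UnwrapKey operations of the HSM; the envelope layout and the AAD binding stay the same, and rotating the KEK means re-wrapping the small DEKs rather than re-encrypting the data.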

Control Category: Physical and Environmental Security
Examples of Controls:
- Physical security perimeter
- Physical entry controls
- Protecting against environmental threats
Technical Examples of Tools/Techniques:
- Access control systems (e.g., magnetic locks, biometric readers, RFID)
- Surveillance systems (e.g., CCTV, motion detectors)
- Environmental monitoring and control systems (e.g., fire suppression, cooling, power backup)
Explanation: Access control systems restrict physical entry to facilities and data centers based on authentication factors like cards, biometrics, or proximity. Surveillance systems detect and record physical security incidents. Environmental monitoring and control systems protect against natural and human-caused disasters that could impact the availability and integrity of information assets.

Control Category: Operations Security
Examples of Controls:
- Operational procedures and responsibilities
- Protection from malware
- Backups
Technical Examples of Tools/Techniques:
- IT service management (ITSM) tools (e.g., ServiceNow, Cherwell, Atlassian Jira Service Desk)
- Anti-malware solutions (e.g., Microsoft Defender, Symantec Endpoint Protection, Trend Micro)
- Backup and disaster recovery software (e.g., Veeam, Veritas Backup Exec, Microsoft Azure Backup)
Explanation: ITSM tools help organizations manage IT operations, including change management, problem management, and incident response. Anti-malware solutions detect, prevent, and remove malicious software. Backup and disaster recovery software ensures the availability and recoverability of information assets in the event of a system failure or data loss. A backup counts as a control only once restoring from it has been tested, and a backup copy that the protected systems can write to can be encrypted or deleted by the same ransomware that hits production, so at least one copy should be kept offline or immutable.

Control Category: Communications Security
Examples of Controls:
- Network security management
- Information transfer
Technical Examples of Tools/Techniques:
- Firewalls (e.g., Palo Alto Networks, Fortinet, Cisco)
- Virtual private networks (VPNs) (e.g., OpenVPN, ExpressVPN, Cisco AnyConnect)
- Secure file transfer solutions (e.g., SFTP, FTPS, secure email gateways)
Explanation: Firewalls control and monitor the flow of network traffic, protecting against unauthorized access and potential threats; rules are processed in order with first-match semantics, so the order of the rules is part of the control. VPNs establish secure, encrypted connections between remote users and the organization's network, enabling secure remote access (ExpressVPN is a consumer privacy service rather than an organization-managed remote-access VPN, and does not give the organization control over who connects to what). Secure file transfer solutions ensure the confidentiality and integrity of information during transmission, which plain FTP and unencrypted email do not.
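Because a firewall stops at the first rule that matches, a broad allow placed above a narrower deny silently disables the deny, and the policy still "looks" correct when read rule by rule. The following Go program is an added example written for this page, not the policy format of Palo Alto Networks, Fortinet or Cisco; the rule set, addresses and rule names are constructed. It evaluates packets against an ordered rule list with an implicit default deny, then checks the list for rules that can never fire because an earlier rule already covers them, which is the check to run before a firewall change is approved.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one line of an ordered ruleset; Proto "any" and Port 0 are wildcards.
// The sample is IPv4 only; mixed IPv4/IPv6 rulesets need per-family handling.
type Rule struct {
	Name   string
	Action string // "allow" or "deny"
	Src    *net.IPNet
	Dst    *net.IPNet
	Proto  string // "tcp", "udp" or "any"
	Port   int    // destination port, 0 = any
}

// Packet is the tuple the rules are matched against.
type Packet struct {
	Src, Dst net.IP
	Proto    string
	Port     int
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) Matches(p Packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.Proto == "any" || r.Proto == p.Proto) &&
		(r.Port == 0 || r.Port == p.Port)
}

// Evaluate applies first-match semantics with an implicit default deny, the
// behaviour of iptables chains, Cisco ACLs and most vendor policy tables.
func Evaluate(rules []Rule, p Packet) (action, matched string) {
	for _, r := range rules {
		if r.Matches(p) {
			return r.Action, r.Name
		}
	}
	return "deny", "implicit-default"
}

// netContains reports whether network a contains all of network b.
func netContains(a, b *net.IPNet) bool {
	la, _ := a.Mask.Size()
	lb, _ := b.Mask.Size()
	return a.Contains(b.IP) && la <= lb
}

// covers reports whether every packet rule b could match is already matched by rule a.
func covers(a, b Rule) bool {
	return netContains(a.Src, b.Src) && netContains(a.Dst, b.Dst) &&
		(a.Proto == "any" || a.Proto == b.Proto) &&
		(a.Port == 0 || a.Port == b.Port)
}

// Shadowed lists rules that can never fire because an earlier rule covers them.
// A narrow deny sitting below a broad allow is the classic silent misconfiguration.
func Shadowed(rules []Rule) []string {
	var out []string
	for i := 1; i < len(rules); i++ {
		for j := 0; j < i; j++ {
			if covers(rules[j], rules[i]) {
				out = append(out, rules[i].Name)
				break
			}
		}
	}
	return out
}

// SampleRules is a constructed ruleset with a deliberate ordering error: the SSH
// deny from the guest subnet sits below the LAN-to-DMZ allow that already covers it.
func SampleRules() []Rule {
	return []Rule{
		{"lan-to-dmz-any", "allow", cidr("10.0.0.0/8"), cidr("10.10.0.0/24"), "tcp", 0},
		{"block-ssh-from-guest", "deny", cidr("10.0.5.0/24"), cidr("10.10.0.5/32"), "tcp", 22},
		{"dns", "allow", cidr("0.0.0.0/0"), cidr("10.10.0.53/32"), "udp", 53},
	}
}

func main() {
	rules := SampleRules()
	ssh := Packet{Src: net.ParseIP("10.0.5.7"), Dst: net.ParseIP("10.10.0.5"), Proto: "tcp", Port: 22}
	fmt.Println(Evaluate(rules, ssh)) // allow lan-to-dmz-any: the deny below it never fires
	fmt.Println(Shadowed(rules))      // [block-ssh-from-guest]
	fixed := []Rule{rules[1], rules[0], rules[2]}
	fmt.Println(Evaluate(fixed, ssh)) // deny block-ssh-from-guest
	fmt.Println(Shadowed(fixed))      // []
}
```

The covers check is deliberately conservative: it only reports a rule as shadowed when a single earlier rule covers all of it, so a rule that is covered by the union of several earlier rules is not flagged. That is the right default for a pre-change gate, since every rule it does report is guaranteed dead.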

Control Category: System Acquisition, Development and Maintenance
Examples of Controls:
- Security requirements of information systems
- Security in development and support processes
Technical Examples of Tools/Techniques:
- Secure software development lifecycle (SDLC) tools (e.g., SonarQube, Veracode, Fortify)
- Configuration management tools (e.g., Ansible, Puppet, Chef)
- Vulnerability management solutions (e.g., Tenable Nessus, Rapid7 InsightVM, Qualys)
Explanation: SDLC tools integrate security testing into the software development process, helping to identify and mitigate vulnerabilities before release; the products listed are primarily static analysis (SAST) tools that scan source code or compiled binaries for known vulnerability patterns. Configuration management tools automate the deployment and maintenance of secure configurations for information systems and, because the desired state is declared in code, also detect drift away from it. Vulnerability management solutions continuously scan for and report on security vulnerabilities (missing patches, weak configurations, exposed services), enabling timely remediation; the control is only effective when findings are prioritized and fixed within defined timeframes.

Control Category: Supplier Relationships
Examples of Controls:
- Information security in supplier relationships
Technical Examples of Tools/Techniques:
- Vendor risk management platforms (e.g., Aravo, Prevalent, BitSight)
- Contract management software (e.g., Icertis, Ironclad, ContractPodAI)
Explanation: Vendor risk management platforms assess, monitor, and manage the security risks posed by third-party suppliers and partners. Contract management software helps organizations ensure that security requirements are properly defined and contractually agreed upon with suppliers.

Control Category: Information Security Incident Management
Examples of Controls:
- Management of information security incidents and improvements
Technical Examples of Tools/Techniques:
- Security information and event management (SIEM) tools (e.g., Splunk, IBM QRadar, Sumo Logic)
- Incident response and management platforms (e.g., Palo Alto Networks Cortex XSOAR, IBM Resilient, ServiceNow ITSM)
Explanation: SIEM tools provide centralized security monitoring, alerting, and analytics to support the detection, investigation, and response to security incidents. A SIEM detects only what it has log sources and correlation rules for, so log coverage and detection content are the substance of this control rather than the product itself. Incident response and management platforms streamline the coordination, documentation, and reporting of security incidents and the associated corrective actions.
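To make "detection content" concrete, the following Go program is an added example written for this page, not a rule from Splunk, QRadar or Sumo Logic. It implements one common correlation rule over constructed OpenSSH-style log lines (documentation address ranges, invented process IDs): a sliding window of failed logins per source address raises a brute-force alert when a threshold is crossed, and a successful login from a source that has just crossed the threshold raises a second, higher-priority alert, since that is the case in which the guessing may have worked. A single failure followed by a success, the everyday typo, produces nothing.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Event is one normalised authentication record; Outcome is "Failed" or "Accepted".
type Event struct {
	Time                       time.Time
	Outcome, Method, User, Src string
}

// Alert kinds: "brute-force" (threshold crossed) and "success-after-brute-force".
type Alert struct {
	Kind, Src, User string
	At              time.Time
}

// lineRE matches OpenSSH-style auth outcomes prefixed with an RFC 3339 timestamp.
var lineRE = regexp.MustCompile(`^(\S+) sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLine returns ok=false for lines that are not authentication outcomes.
func ParseLine(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: ts, Outcome: m[2], Method: m[3], User: m[4], Src: m[5]}, true
}

// Detector keeps a sliding window of recent failures per source address.
type Detector struct {
	Window    time.Duration
	Threshold int
	failures  map[string][]time.Time
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold, failures: map[string][]time.Time{}}
}

// Feed takes events in timestamp order and returns the alerts raised by this one.
func (d *Detector) Feed(e Event) []Alert {
	recent := d.failures[e.Src][:0] // in-place filter: drop failures older than the window
	for _, t := range d.failures[e.Src] {
		if e.Time.Sub(t) <= d.Window {
			recent = append(recent, t)
		}
	}
	var alerts []Alert
	switch e.Outcome {
	case "Failed":
		recent = append(recent, e.Time)
		if len(recent) == d.Threshold { // fires once, as the burst crosses the threshold
			alerts = append(alerts, Alert{"brute-force", e.Src, e.User, e.Time})
		}
	case "Accepted":
		// a success right after a burst is the high-value signal: the guessing may have worked
		if len(recent) >= d.Threshold {
			alerts = append(alerts, Alert{"success-after-brute-force", e.Src, e.User, e.Time})
		}
		recent = recent[:0] // the burst is over; a later one is reported afresh
	}
	d.failures[e.Src] = recent
	return alerts
}

func Run(lines []string, d *Detector) []Alert {
	var out []Alert
	for _, l := range lines {
		if e, ok := ParseLine(l); ok {
			out = append(out, d.Feed(e)...)
		}
	}
	return out
}

// SampleLog is constructed for this example (documentation address ranges, invented PIDs).
var SampleLog = []string{
	"2024-05-01T10:00:01Z sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
	"2024-05-01T10:00:06Z sshd[813]: Failed password for root from 203.0.113.9 port 51235 ssh2",
	"2024-05-01T10:00:11Z sshd[814]: Failed password for bob from 203.0.113.9 port 51236 ssh2",
	"2024-05-01T10:00:16Z sshd[815]: Accepted password for bob from 203.0.113.9 port 51237 ssh2",
	"2024-05-01T10:05:00Z sshd[901]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
	"2024-05-01T10:05:10Z sshd[902]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
}

// Analyze runs the sample through a 60-second window with a threshold of three failures.
func Analyze() []Alert { return Run(SampleLog, NewDetector(60*time.Second, 3)) }

func main() {
	for _, a := range Analyze() {
		fmt.Printf("%s %-26s src=%s user=%s\n", a.At.Format(time.RFC3339), a.Kind, a.Src, a.User)
	}
}
```

The threshold and window are the tuning knobs an analyst owns; the source-keyed window is what distinguishes a brute-force attempt from ordinary users mistyping passwords, and the "success after burst" rule is the one worth paging on, because it indicates a likely account compromise rather than noise.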

Control Category: Information Security Aspects of Business Continuity Management
Examples of Controls:
- Information security continuity
- Redundancies
Technical Examples of Tools/Techniques:
- Disaster recovery and business continuity planning tools (e.g., Arcserve UDP, Zerto, Datto)
- High availability and failover solutions (e.g., Microsoft SQL Server AlwaysOn, VMware vSphere HA, Veritas Cluster Server)
Explanation: Disaster recovery and business continuity planning tools help organizations develop, test, and execute plans to ensure the availability of information assets and the resumption of critical business processes in the event of a disruption. High availability and failover solutions provide redundancy and automatic failover mechanisms to maintain the continuous operation of information systems.

Some key points about the tools and techniques:


1. Identity and access management (IAM): These solutions provide
centralized user identity management, access provisioning, and single
sign-on capabilities, helping to control who has access to what
information.
2. Multi-factor authentication (MFA): MFA adds an extra layer of security
by requiring users to provide multiple forms of authentication, such as a
password and a biometric factor, to gain access.
3. Privileged access management (PAM): PAM tools manage and
monitor the use of privileged accounts, which have elevated access
rights, to minimize the risk of unauthorized access and misuse.
4. Encryption and cryptographic tools: These solutions protect the
confidentiality of data by converting it into a coded format that can only
be accessed with the correct decryption key.
5. Physical security systems: Access control systems, surveillance systems,
and environmental monitoring and control systems help protect the
physical premises and infrastructure that house the organization's
information assets.
6. Anti-malware and backup solutions: These tools protect against
malware and ensure the availability and recoverability of information
assets in the event of a system failure or data loss.
7. Network security technologies: Firewalls, virtual private networks
(VPNs), and secure file transfer solutions help control and monitor
network traffic, protect against unauthorized access, and ensure the
secure transmission of information.
8. Secure software development and configuration management:
These tools and practices integrate security into the software
development lifecycle and automate the deployment and maintenance
of secure configurations for information systems.
9. Vendor risk management platforms: These solutions assess, monitor,
and manage the security risks posed by third-party suppliers and
partners, ensuring that security requirements are properly defined and
contractually agreed upon.
10. Security information and event management (SIEM) and incident
response tools: These solutions provide centralized security monitoring,
incident detection, and coordinated incident response capabilities to
support the effective management of security incidents.
11. Business continuity and high availability solutions: These tools help
organizations develop, test, and execute plans to ensure the availability
of information assets and the resumption of critical business processes
in the event of a disruption.
