Technological controls of ISO 27001

The essential measures for information security


The digital world is changing rapidly. As a result, the requirements for handling information assets - and securing them - are also changing. Protecting sensitive data is more important today than ever before. Technology, in particular, is the focus of constant innovation. This is why Annex A of ISO 27001 contains a series of measures that have been specially developed for securing and handling technology and digital security in organisations.


ISO 27001 is an international standard for information security. It defines requirements for implementing, realising and maintaining an information security management system (ISMS) to protect the confidentiality, integrity and availability of information.


An information security management system certified by ISO 27001 is a globally recognised way of adequately protecting an organisation's information. An ISMS consists of a series of measures that help to ensure information security.


Technological controls are an important component of an ISMS. The measures in this category ensure that data is also adequately secured digitally and that access and networks are controlled.


Control categories from Annex A: Technological, organisational, personnel-related and physical

Annex A of ISO 27001:2022 contains a list of 93 controls organised into four categories. Companies can select the appropriate measures from the relevant categories depending on the context. In this way, the controls are adapted to the current security requirements:

  • Organisational controls: These controls relate to the overall structure, culture, and policies of the organisation, as well as its risk management and information security management system (ISMS).
  • People controls: These controls focus on the people who have access to the organisation's information assets, including their training, awareness, and responsibilities.
  • Physical controls: These controls protect the physical assets of the organisation, such as its buildings, equipment, and data storage facilities.
  • Technological controls: These controls protect the organisation's information systems and networks, including its software, hardware, and data encryption.

In this article, we focus on the technological controls from Annex A of ISO 27001:2022.


What are technological controls?

Technological controls include the authentication and encryption of data and the prevention of data loss. To protect the data, the technology must also be secured accordingly. Access rights, network security and data masking help to achieve this security.

In other words, these controls are designed to ensure that technical vulnerabilities are prevented and that software and systems are protected against malware. Access to software and services is regulated and documented for this purpose, and all information that is no longer used is deleted.

Technological controls include, among other things:

  • The deletion of all information that is no longer necessary
  • The management of technical vulnerabilities and the corresponding protection
  • Protective measures against malware
  • Measures for masking data

ISO 27001: New technological controls

Compared to its predecessor, ISO 27001:2022 includes new technological measures that respond to the current challenges of information security. The new technological controls are:

  • 8.11: Data masking
  • 8.9: Configuration management
  • 8.10: Information deletion
  • 8.12: Data leakage prevention
  • 8.16: Monitoring activities
  • 8.23: Web filtering
  • 8.28: Secure coding

What technological controls are there?

Technological controls are an important part of a comprehensive information security strategy; they focus in particular on appropriately securing technology, data, access and the storage of information.


This area comprises 34 measures that you can implement. We have compiled a list with a comprehensive overview of all technological controls from Annex A of ISO 27001:

Technological Controls

  • Annex A 8.1: User Endpoint Devices
  • Annex A 8.2: Privileged Access Rights
  • Annex A 8.3: Information Access Restriction
  • Annex A 8.4: Access to Source Code
  • Annex A 8.5: Secure Authentication
  • Annex A 8.6: Capacity Management
  • Annex A 8.7: Protection Against Malware
  • Annex A 8.8: Management of Technical Vulnerabilities
  • Annex A 8.9: Configuration Management
  • Annex A 8.10: Information Deletion
  • Annex A 8.11: Data Masking
  • Annex A 8.12: Data Leakage Prevention
  • Annex A 8.13: Information Backup
  • Annex A 8.14: Redundancy of Information Processing Facilities
  • Annex A 8.15: Logging
  • Annex A 8.16: Monitoring Activities
  • Annex A 8.17: Clock Synchronization
  • Annex A 8.18: Use of Privileged Utility Programs
  • Annex A 8.19: Installation of Software on Operational Systems
  • Annex A 8.20: Networks Security
  • Annex A 8.21: Security of Network Services
  • Annex A 8.22: Segregation of Networks
  • Annex A 8.23: Web Filtering
  • Annex A 8.24: Use of Cryptography
  • Annex A 8.25: Secure Development Life Cycle
  • Annex A 8.26: Application Security Requirements
  • Annex A 8.27: Secure System Architecture and Engineering Principles
  • Annex A 8.28: Secure Coding
  • Annex A 8.29: Security Testing in Development and Acceptance
  • Annex A 8.30: Outsourced Development
  • Annex A 8.31: Separation of Development, Test and Production Environments
  • Annex A 8.32: Change Management
  • Annex A 8.33: Test Information
  • Annex A 8.34: Protection of Information Systems During Audit Testing


How are technological controls implemented?

The implementation of technological controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems from technological attacks and then implement the appropriate controls to mitigate these threats.

The process of implementing technological controls can be broken down into the following steps:


Risk identification

The first stage is to identify the potential threats to the organisation's information and information systems from technological attacks. The following factors can be considered:

  • External threats: Cyberattacks, malware, phishing
  • Internal threats: Employee error, fraud, espionage


Control selection

After the risk assessment, the organisation can select the appropriate controls within the risk treatment to mitigate the identified threats. It is important to weigh up the costs and benefits of the controls.


Control design

In the third phase, the design of the controls is determined. This includes the specification of the technical and organisational measures required to implement the controls.


Control implementation

In the fourth phase, the controls are implemented. This includes the procurement and installation of the necessary hardware and software as well as the training of employees.


Control monitoring

The controls must be monitored regularly to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.


Technological controls to strengthen your information security

Technological controls are measures that improve the security of information and information systems. They help to protect information and information systems against unauthorised access, manipulation, destruction and loss.


The 2022 version of ISO 27001 considers the current challenges of information security and offers ways to establish an appropriate approach to current conditions.

Find the right controls for your organisation and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.
