ISO 27001:2022 defines, in Annex A, a structured catalog of controls that organizations can use to systematically manage information security risks. In this blog series, we present selected ISO 27001 controls and demonstrate how organizations can apply them in practice to effectively secure their IT, cloud, development, and application environments.

In this post, we examine the role of technical measures in information security and demonstrate how they help effectively control access to information and holistically protect IT systems.

Corporate Information as a Prime Target

The study “Economic Security 2025” by the industry association Bitkom shows that hackers are focusing more than ever on the economic value of information and data: 87 percent of the companies surveyed have been affected by data theft, industrial espionage, or sabotage within the last twelve months, or suspect they have been. Communication data (69 percent) and customer data (57 percent) were stolen particularly frequently.

The economic damage is reaching new heights: Overall, the losses to the German economy amount to around 289 billion euros annually, with approximately 70 percent directly attributable to cyberattacks. The failure or damage to information and production systems alone causes losses of over 73 billion euros per year. Companies and organizations must further strengthen the protection of their critical data during processing. Additional guidelines in ISO 27001 help to further improve information security, reduce the attack surface, and strengthen protection in a targeted manner.

What technical measures for information security are specified in ISO 27001?

In total, there are 93 information security controls in Annex A of ISO 27001, organized into four categories:

  • Organizational controls
  • Human resources controls
  • Physical controls
  • Technological controls

The three controls for information security that we will examine in more detail below are from the “Technological controls” category:

  • 8.10 “Deletion of information”
  • 8.11 “Data masking”
  • 8.12 “Data leak prevention”

What does information deletion mean?

Control 8.10 requires the secure and traceable deletion of data that is no longer needed (information deletion) to prevent its unauthorized disclosure and to comply with legal and contractual requirements.

This measure addresses the risks posed by information that is no longer needed but remains on information systems, devices, or other storage media. Deleting this unnecessary data prevents its disclosure - and thus ensures compliance with legal, statutory, regulatory, and contractual requirements for data deletion. This further reduces the risk of unauthorized disclosure.

In doing so, companies should consider the following points:

  • Selecting a deletion method suitable for the business and legal environment, such as electronic overwriting or cryptographic deletion
  • Documenting the results
  • Maintaining records when using third-party service providers for information deletion

If third parties handle data storage on behalf of your company, deletion requirements should be specified in the contractual agreement to ensure compliance both during and after the termination of these services.

Secure Data Deletion in Practice

To ensure the reliable removal of sensitive information while ensuring compliance with relevant data retention policies and applicable laws and regulations, the ISMS standard provides for the following procedures, services, and technologies:

  • Establishment of dedicated systems that enable the secure destruction of information, for example in accordance with retention policies or upon request by data subjects
  • Deletion of outdated versions, copies, or temporary files on all storage media
  • Use of exclusively approved and secure deletion software to permanently and irrevocably remove information
  • Deletion via approved and certified providers of secure disposal services
  • Use of disposal procedures suitable for the specific storage medium to be disposed of, such as the demagnetization of hard drives

When using cloud services, it is important to verify that the deletion procedures on offer are suitable. If they are, the organization should use them or request that the cloud provider delete the information. Where possible, these erasure processes should be automated within the framework of topic-specific policies.

To prevent the unintentional disclosure of sensitive information, storage media should be removed from devices before the devices are returned to suppliers. On some devices, such as smartphones, data can only be removed by destroying the device or by using built-in functions (e.g., a factory reset). The appropriate procedure must be selected according to the classification of the information.

Deletion processes should be documented based on sensitivity to provide evidence of data removal in case of doubt.
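The following is an added example (not code from the DQS article or from ISO 27001) of the "cryptographic deletion" method named above, together with the deletion record the control asks for. Each record is encrypted under its own data-encryption key (DEK); destroying the DEK makes every copy of the ciphertext unreadable, including copies in backups that an overwrite could never reach, and an entry in a deletion log evidences what was deleted, when, by whom and why. The HMAC-SHA256 counter-mode keystream, the in-memory key store, the record id and the sample data are assumptions chosen so the example runs on the Python standard library; production systems would use a vetted AEAD such as AES-GCM and keep the DEKs in an HSM or cloud KMS.

```python
"""Cryptographic deletion ("crypto-shredding") with a deletion record.

Every record is encrypted under its own data-encryption key (DEK). Deleting
the DEK makes every copy of the ciphertext, including those in backups,
permanently unreadable, and an entry in a deletion log evidences the
deletion (control 8.10: "documenting the results").

The cipher is an HMAC-SHA256 keystream in counter mode, chosen only so the
example runs on the Python standard library; production code would use
AES-GCM or another vetted AEAD, and the key store would be an HSM or a
cloud KMS rather than an in-memory dict. Record ids and data are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class RecordStore:
    """Encrypted records, a separately held key store, and an append-only deletion log."""

    def __init__(self):
        self.ciphertexts = {}   # record_id -> blob; copies of this may exist in backups
        self.keys = {}          # record_id -> DEK; the only copy, kept in the KMS
        self.deletion_log = []  # evidence for auditors and data subjects

    def put(self, record_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.keys[record_id] = dek
        self.ciphertexts[record_id] = encrypt(dek, data)

    def get(self, record_id: str) -> bytes:
        if record_id not in self.keys:
            raise KeyError(f"{record_id}: key destroyed, record is unrecoverable")
        return decrypt(self.keys[record_id], self.ciphertexts[record_id])

    def crypto_shred(self, record_id: str, reason: str, actor: str) -> dict:
        """Destroy the DEK and log it. The ciphertext is left in place on purpose:
        the point is that it is now useless wherever it may still exist."""
        dek = self.keys.pop(record_id)  # KeyError if already shredded: no duplicate log entry
        entry = {
            "record_id": record_id,
            "method": "cryptographic deletion (DEK destroyed)",
            "key_id": hashlib.sha256(dek).hexdigest()[:16],  # identifies the key, does not reveal it
            "reason": reason,
            "actor": actor,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        self.deletion_log.append(entry)
        return entry

    def is_recoverable(self, record_id: str) -> bool:
        try:
            self.get(record_id)
            return True
        except KeyError:
            return False


def demo() -> RecordStore:
    """Store one constructed customer record, then delete it at end of retention."""
    store = RecordStore()
    store.put("customer-4711", b"Jane Doe, Musterstrasse 1, 12345 Berlin")
    store.crypto_shred("customer-4711", reason="retention period expired", actor="retention-job")
    return store


if __name__ == "__main__":
    s = demo()
    print(json.dumps(s.deletion_log, indent=2))
    print("ciphertext still present:", "customer-4711" in s.ciphertexts)
    print("recoverable:", s.is_recoverable("customer-4711"))
```

The design point is the separation of the two stores: the ciphertext may be replicated freely, but the DEK exists in exactly one place, so deletion is a single, loggable event rather than a hunt for every copy. The same approach is what makes deletion enforceable with a cloud provider that holds only ciphertext.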

The General Data Protection Regulation (GDPR) also stipulates measures for the protection of personal data in Article 32. In the context of processing such data, these are referred to as technical and organizational measures (TOMs).

ISO 27001 thus contributes to ensuring data protection and compliance with GDPR requirements by providing an appropriate level of protection through the controls listed in Annex A of the standard.

What does ISO 27001 mean by data masking?

Security measure 8.11, “Data Masking,” describes measures such as masking, pseudonymization, and anonymization to modify sensitive data in such a way that it remains protected and can only be used to the extent necessary. An important complementary measure here is the encryption of sensitive data.

For a range of sensitive information, such as when processing personal data, company- and industry-specific or regulatory requirements mandate the masking, pseudonymization, or anonymization of the information.

Pseudonymization or anonymization techniques make it possible to conceal personal data, obscure the true data, and hide cross-references between pieces of information. To implement this effectively for the protection of personal data, it is essential to take all relevant elements of sensitive information into account appropriately.

While anonymization irreversibly alters the data, with pseudonymization it is entirely possible to deduce a true identity through additional cross-referenced information. Therefore, additional cross-referenced information should be stored separately and securely during the pseudonymization process.

Other techniques for data masking include:

  • Encryption
  • Filling with zeros or deleting characters
  • Replacing numbers and data
  • Substitution – replacing one value with another to conceal sensitive data
  • Replacing values with their hash

Implementation of Data Masking

When implementing these measures, it is important to consider a number of factors:

  • Users should not have access to all data, but should only be able to view the data they actually need.
  • In some cases, not all data in a record should be visible to users. In such cases, data masking procedures must be designed and implemented. Example: Patient data in a medical record that should not be visible to all staff, but only to employees with specific roles relevant to treatment.
  • In some cases, the fact that data has been obfuscated should not be apparent to those accessing it, for example, if the actual data could otherwise be inferred from the data category (pregnancy, blood test, etc.).
  • Legal or regulatory requirements, for example, the requirement to mask payment card data during processing or storage

In general, data masking, pseudonymization, or anonymization require a few general conditions:

  • The strength of data masking, pseudonymization, or anonymization depends significantly on the use of the processed data.
  • Access to the processed data should be secured by appropriate safeguards.
  • Consideration of agreements or restrictions regarding the use of the processed data.
  • Prohibition against comparing processed data with other information to identify the data subject.
  • The provision and receipt of the processed data must be securely tracked and controlled.
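As an added example (not code from the DQS article or ISO 27001), the block below applies four of the masking techniques listed above to a single constructed record and builds the role-dependent view the text describes: staff see only the fields their role needs, the card number is either partially masked or zero-filled, the person's name is replaced by a keyed pseudonym whose key is held apart from the data, and the birth date is generalised to an age band, which is irreversible. The field names, roles, the key value and the sample record are assumptions.

```python
"""Data masking, pseudonymization and anonymization for a role-based view.

Four techniques from control 8.11 applied to one constructed record:
  - partial masking: keep only what the role needs (last four digits of a card number)
  - zero-filling: same length, no information
  - pseudonymization: a keyed hash (HMAC-SHA256) gives the same person the same
    pseudonym across the dataset, but re-identification needs PSEUDONYM_KEY,
    which is stored apart from the data (the cross-reference information the
    text says to keep separate)
  - anonymization by generalisation: exact birth date -> age band, irreversible
Field names, roles, the key value, REFERENCE_DATE and the sample record are assumptions.
"""
import hashlib
import hmac
from datetime import date

# Lives in a separate secret store, never in the same table or export as the data.
PSEUDONYM_KEY = b"example-only-key-load-from-vault"

# Fixed "today" so the example is reproducible; constructed.
REFERENCE_DATE = date(2025, 6, 14)


def mask_partial(value: str, keep_last: int = 4, filler: str = "*") -> str:
    """'4111111111111111' -> '************1111'."""
    if len(value) <= keep_last:
        return value
    return filler * (len(value) - keep_last) + value[-keep_last:]


def zero_fill(value: str) -> str:
    """Replace every character with '0'; length is preserved, content is not."""
    return "0" * len(value)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash. A plain SHA-256 of a low-entropy field (phone number, date of
    birth) could be matched against a list of candidate inputs; the secret key
    removes that option for anyone who holds only the processed data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def age_band(birth_date: date, today: date = REFERENCE_DATE, width: int = 10) -> str:
    """Generalisation: 1990-06-15 becomes '30-39'. Cannot be reversed."""
    age = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        age -= 1
    low = age - age % width
    return f"{low}-{low + width - 1}"


# Fields each role may see; everything else is masked, pseudonymized or generalised.
ROLE_VIEWS = {
    "treatment": {"diagnosis", "birth_date"},
    "billing": {"card_number"},   # and even then only the last four digits
    "analytics": set(),           # pseudonym and age band only
}


def view_for_role(record: dict, role: str, today: date = REFERENCE_DATE) -> dict:
    allowed = ROLE_VIEWS.get(role, set())   # unknown role -> nothing in clear
    out = {
        "subject_id": pseudonymize(record["name"]),   # stable join key, no name
        "age_band": age_band(record["birth_date"], today),
        "birth_date": record["birth_date"].isoformat() if "birth_date" in allowed else None,
        "diagnosis": record["diagnosis"] if "diagnosis" in allowed else None,
    }
    card = record["card_number"]
    out["card_number"] = mask_partial(card) if "card_number" in allowed else zero_fill(card)
    return out


# Constructed sample record; the card number is the widely published Visa test PAN.
SAMPLE = {
    "name": "Jane Doe",
    "birth_date": date(1990, 6, 15),
    "diagnosis": "J45 asthma",
    "card_number": "4111111111111111",
}

if __name__ == "__main__":
    for role in ("treatment", "billing", "analytics"):
        print(role, view_for_role(SAMPLE, role))
```

Two of the conditions listed above show up directly in the code: the pseudonym is only as strong as the secrecy of `PSEUDONYM_KEY`, which is why it must not travel with the processed data, and the analytics view deliberately contains no field that could be matched against other records to identify the subject.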

What does data leak prevention mean?

Control 8.12 “Data Leak Prevention” requires technical and organizational measures to detect, monitor, and actively prevent the unauthorized outflow of sensitive data.

This measure outlines specific actions to be implemented on all systems, networks, and other devices that process, store, or transmit sensitive information. To minimize the outflow of sensitive data, organizations should consider the following aspects:

  • Identification and classification of information, such as personal data, pricing models, and product designs
  • Monitoring of channels through which data can leak externally, such as emails, file transfers, mobile devices, and portable storage media
  • Measures to prevent data leakage, such as quarantining emails containing sensitive information

Measures to Prevent Data Leaks

To prevent data leaks in modern, complex IT infrastructures with their vast array of diverse data, organizations also need suitable tools that

  • identify and monitor sensitive information at risk of unauthorized disclosure, for example in unstructured data on a user’s system
  • detect the disclosure of confidential data, for example when data is uploaded to untrusted third-party cloud services or sent via email
  • block user actions or network transfers that reveal critical information, such as preventing the copying of database entries into a spreadsheet

Organizations should critically assess the need to restrict users’ permissions to copy, paste, or upload data to services, devices, and storage media outside the organization. Where necessary, appropriate tools to prevent data leaks should be implemented, or existing technologies should be configured accordingly.

For example, users can be granted permission to view and edit data remotely—but not permission to copy and paste it outside your company’s control. If a data export is nevertheless necessary, the data owner can approve it on a case-by-case basis and, if necessary, hold users accountable for unauthorized activities.
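Below is an added example (not code from the DQS article or from any DLP product) of the kind of outbound check the tools described above perform: it inspects constructed outgoing e-mail messages for a classification label that may not leave the organization and for payment card numbers, and returns an allow or quarantine decision for each. Card numbers are validated with the Luhn checksum so that other 16-digit values such as order numbers do not trigger the rule. The internal domain "example.com", the labels, the message format and the sample messages are assumptions.

```python
"""Outbound DLP check (control 8.12): detect and quarantine e-mail carrying
classified or sensitive data to external recipients.

Decision inputs: (a) the message's classification label, (b) payment card
numbers found in subject or body and validated with the Luhn checksum, and
(c) whether any recipient is outside the organisation. INTERNAL_DOMAIN, the
labels, the Message shape and SAMPLE_MESSAGES are constructed for this example.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"
BLOCKED_LABELS = {"confidential", "strictly confidential"}
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the card numbers in text (digits only), ignoring Luhn-invalid runs."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    label: str = "internal"
    attachments: list = field(default_factory=list)


def is_external(addr: str) -> bool:
    return addr.split("@")[-1].lower() != INTERNAL_DOMAIN


def evaluate(msg: Message) -> dict:
    """Allow the message, or quarantine it with the reasons for the data owner."""
    reasons = []
    external = [r for r in msg.recipients if is_external(r)]
    if external:
        if msg.label.lower() in BLOCKED_LABELS:
            reasons.append(f"label '{msg.label}' may not leave the organisation")
        cards = find_card_numbers(msg.subject + "\n" + msg.body)
        if cards:
            reasons.append(f"{len(cards)} payment card number(s) in message")
    return {"action": "quarantine" if reasons else "allow",
            "reasons": reasons, "external_recipients": external}


# Constructed sample traffic; 4111 1111 1111 1111 is the widely published test PAN.
SAMPLE_MESSAGES = [
    Message("alice@example.com", ["bob@example.com"], "Refund",
            "Card 4111 1111 1111 1111, order 1234567890123456"),
    Message("alice@example.com", ["partner@supplier.example"], "Q3 pricing",
            "see attachment", label="confidential"),
    Message("alice@example.com", ["partner@supplier.example"], "Refund",
            "Card 4111 1111 1111 1111"),
    Message("alice@example.com", ["partner@supplier.example"], "Order",
            "Order 1234567890123456 shipped"),
]


def demo() -> list:
    """Decisions for SAMPLE_MESSAGES, in order."""
    return [evaluate(m)["action"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, [evaluate(m) for m in SAMPLE_MESSAGES]):
        print(m.recipients, m.label, "->", verdict["action"], verdict["reasons"])
```

The first sample message is allowed only because it stays internal; the masking rules of control 8.11 still apply to it. The quarantine result is the hand-off to the case-by-case approval by the data owner described above, and the recorded reasons are what make that decision reviewable afterwards.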

Data leak prevention explicitly includes protecting confidential information or trade secrets that could be misused for espionage or that are of critical importance to the community. In such cases, measures should also be designed to confuse attackers—for example, by substituting false information, using reverse social engineering, or deploying honeypots to lure attackers.

Data leaks can be mitigated through standard security controls, such as topic-specific policies on access control and secure document management (see also Controls 5.12 and 5.15).

What is important when using monitoring tools?

When using monitoring tools, it is crucial that they are used lawfully, proportionately, and transparently, and that the privacy and data protection rights of the individuals concerned are safeguarded. In particular, data protection and the GDPR must be carefully taken into account.

To protect their own information, many tools inevitably also monitor employees’ communications and online activities, as well as interactions with third parties. This monitoring raises a multitude of legal and ethical questions that must be considered before deploying such tools. Fundamentally, it is essential to strike an appropriate balance between the company’s security interests and the personal rights of data subjects. Particularly in the European context, data protection regulations such as the GDPR set strict limits: monitoring measures must be lawful, necessary, and proportionate, and must not go beyond what is necessary for the respective purpose.

In addition, organizations are obligated to ensure transparency. This means that employees must be clearly informed about what data is collected, for what purpose, and how long it will be stored. Principles such as data minimization, purpose limitation, and access restriction must also be observed. In many cases, a Data Protection Impact Assessment (DPIA) is also required before introducing monitoring tools, particularly when systematic monitoring takes place or there is an increased risk to the rights and freedoms of data subjects.

In addition to legal requirements, organizational aspects also play an important role: Companies should define clear guidelines for the use of monitoring tools, establish responsibilities, and ensure that the collected data is adequately protected and can only be accessed by authorized individuals.

Last but not least, acceptance within the company is also crucial: Excessive or non-transparent monitoring can undermine employee trust and have a negative impact on corporate culture. Therefore, the use of such tools should always be well-justified, documented, and regularly reviewed.

Technological Measures in Information Security – A Summary

Within the broader context of information security objectives - confidentiality, integrity, and availability - the data processing procedures described here play a key role in enhancing the protection of sensitive data.

Through continuous monitoring of data and information flows, the masking of sensitive information, and strict guidelines for data deletion, companies can sustainably improve their protection against data leaks and data loss - and counteract the unintended disclosure of critical information. Furthermore, these procedures make a decisive contribution to company-wide cybersecurity and general data protection in accordance with the GDPR, while minimizing the attack surface for hackers and industrial espionage.

Companies and organizations must now appropriately establish these procedures and the necessary tools and integrate them into their business processes to demonstrate compliance with requirements in future certification audits or data protection audits.

With the professional insight of our experienced auditors and our certification expertise spanning over 40 years, we recommend ourselves as your partner for information security and ISO 27001 certification.

DQS: Your expert partner for certified information security

DQS is your trusted partner for the certification of management systems and processes. With over four decades of experience and the expertise of more than 3,000 auditors worldwide, we set the standard for quality, competence, and reliability.

We conduct audits according to over 200 recognized standards and regulations, as well as customized standards specific to companies and associations. December 2000 marked a special milestone in our history: We were the first German certification body to receive accreditation for BS 7799-2 - the direct predecessor of today’s ISO 27001 and thus one of the most important international standards for information security management systems.

Our audits are always independent, objective, and practical. Our commitment doesn’t end with a checklist: We create added value where others merely inspect. Take our word for it.

Trust and Expertise

Our texts are written exclusively by our in-house experts in management systems and experienced auditors. If you have any questions for the author, please feel free to email us at: [email protected].

Note: For the sake of readability, we use the generic masculine form. However, this directive generally includes people of all gender identities, to the extent necessary for the statement.

Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and IT security catalog according to para 11.1a/b of the German Energy Industry Act (EnWG) with test procedure competence for § 8a (3) BSIG
