The new ISO27001:2022 — what now?

The new version of ISO27001 was published in autumn 2022. According to the specifications of the International Accreditation Forum (IAF), initial and re-certification audits may only be carried out against ISO27001:2022 after 30 April 2024.

Transition period and conversion to ISO27001:2022

The transition period for converting already certified information security management systems (ISMS) to the new standard ends on 31 October 2025. It can be assumed that accredited certification bodies will have extended their programmes by summer 2023 to such an extent that audits against the new ISO27001:2022 will be possible by autumn 2023 at the latest.

Changes and adaptations to the ISMS and its documentation

However, as is not uncommon with new versions, the changes require adjustments to the ISMS and its documentation. This applies in particular to the completely revised and restructured Annex A, which follows the new ISO27002:2022: the 114 controls in 14 sections of the 2013 edition have been consolidated into 93 controls in four themes (organisational, people, physical and technological), so every existing Statement of Applicability has to be re-mapped. There are also additions and adaptations in clauses 4 to 10 that need to be considered.

Consultancy and support in adapting the ISMS

We are happy to advise you on adapting your existing ISMS. In addition to identifying the tasks resulting from the changes, we will also actively support the implementation if required, so that conformity with the standard is maintained.

ISO27001 certification: advice and support on the way to compliance with the standard

If you are considering ISO27001 certification, we would be happy to offer advice and, if required, active support on the way to a standard-compliant ISMS. This can include knowledge transfer in workshops, conducting an internal audit, and support in drafting documents and introducing processes.

Application areas of digital identities: digitally representing, and protecting, physical identities

With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can become available throughout Europe. Digital identities have been commonplace for a long time, from email accounts and social media to digital dealings with public authorities: using a digital service requires proof of identity. The identification and authentication needed for this is tied to different levels of protection, depending on the service. Companies that want to offer services requiring digital identities, whether for employees, partners or customers, must know the requirements.

A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, for example, practices, hospitals and pharmacies can be issued a digital identity. In this context it represents a collection of attributes in electronic form that characterise a natural or legal person: name, address and date of birth, but also a user name or email address. A digital identity must be unique, otherwise it cannot be assigned to its holder. The process of initial identification is carried over into the digital world: initial identification requires registration, and subsequent recognition is achieved through authentication. From a social perspective there are three forms of identity: real, self-constructed and anonymous, the latter playing a sometimes controversial role on social media, for example.

Possible uses of digital identities

Digital identities are the basis or digital representation for digital services and processes. They are used wherever digital services are offered in personalised form, which requires the collection, storage and processing of data. Digital services take many forms, from social media accounts and online accounts in e-commerce to online banking and official procedures via eGovernment offerings. As with an identity card, the scope of a digital identity can go beyond mere identification; an age check, for example, becomes possible.

Increasing digitalisation is opening up further uses for digital identities. The European eIDAS Regulation (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the cross-border use of electronic means of identification and trust services. The revision of the eIDAS Regulation was launched in 2020 and is not yet complete. The goal is a secure EU identity wallet offered throughout Europe. The eID is thus the virtual equivalent of an identity card. It is intended to enable identification and authentication, verification of validity by third parties, and the secure storage and presentation of identities. In addition, it should make it possible to create qualified electronic signatures, the digital counterpart of a handwritten signature, which allow legally valid contracts to be concluded digitally.

eIDAS also stipulates that EU member states must make the digital identity available to their citizens; the envisaged obligation to accept it may also help to displace other digital identities. Shopping abroad or picking up a rental car could be simplified, since the digital identity makes processes more efficient. Digital services cost less than analogue processes, and users benefit greatly from simpler and more convenient handling, for example when administrative procedures can be completed from home.

Unlike digital identities provided via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the General Data Protection Regulation (GDPR, German: DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future, but this cannot be realised yet.

Security and protection of the user

One attack scenario that particularly affects digital identities is identity theft, in which an attacker impersonates the legitimate holder. The potential for damage ranges from hate comments posted on social media to access to and misuse of personal data such as banking transactions or confidential health data. While the photo on an analogue identity card limits misuse by thieves, the situation is different online, so the digital identity needs special protection. Protective measures include strong passwords and two-factor authentication, as already practised in online banking with a password on the one hand and a TAN generated on a separate device on the other. A certified hardware token, such as the chip in a smart card, represents the highest level of security.

Standardised trust levels

The required level of security depends on the purpose of the digital identity and is regulated in Implementing Regulation (EU) 2015/1502. Online banking or the health sector, for example, involve particularly sensitive personal data that require a high level of protection. The regulation defines three standardised assurance levels: low, substantial and high. Low corresponds to single-factor authentication, as is common in social networks or forums. Substantial is achieved with the two-factor authentication described above. High, for example where health data is involved, must be secured even more strongly; identity proofing may require a passport with photo and biometric features and can take place via video identification or postal identification procedures.

However, the higher the assurance level, the more complex the technical implementation. High-priced smartphones come with certified security components, while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed and often lack protected memory areas. Smart cards such as health cards, on the other hand, can store and use cryptographic key material in their chip processors, and the infrastructures behind them ensure authenticity.

The future potential of digital identities

Digitisation is on the rise, all of its services require a digital identity, and these are already widespread: on average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read as an ID in doctors' surgeries. Media discontinuities are perceived as an obstacle here, for example when paper documents have to be submitted as scans to health insurers. Digital identities, and the assignment they make possible, are what allow such processes to be digitised in the first place. In eHealth, for example, doctors can digitally sign and send invoices and prescriptions.

Companies, in turn, can use digital identities widely for customers, employees and partners, so that, for example, leave requests can be submitted via a portal. Applications for customer loyalty should not be neglected either: the digital services that customers use yield information about their behaviour, which can be used to tailor and optimise one's own offering. However, companies must be aware of the different security levels. User-friendliness is important, but so is protection against identity and data theft; if this is not guaranteed, serious consequences can follow. A consulting firm like SRC GmbH can help here to shed light on solutions, both commercial and open source, to check certifications, and to ensure conformity and thus legal certainty.


Nothing works on the internet without digital identities: digital services require initial identification of the user and authentication for subsequent use, for example via passwords combined with TAN generation in a multi-factor procedure. The security requirements depend on the type of service and the data involved and are expressed in three assurance levels. Companies that want to offer digital services must therefore know the requirements in order to exploit the potential for customers, partners or suppliers.


Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH

Press contact:

Patrick Schulze


Lornsen­strasse 128–130

22869 Schenefeld

Phone +49 (0) 40 840 55 92–18

SRC goes GEAR (Global Executive Assessor Roundtable)!


The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and promotes information security standards for secure payments. It is responsible for 15 globally recognised and widely used standards for securing electronic payment processes, from payment card production and issuance, through payment at the point of interaction (POI) or in web and app channels, to the processing of payments in the background.

SRC has been assessing the application of these information security standards since the PCI SSC was founded, by means of the corresponding assessments and product evaluations. The PCI SSC attaches great importance to the exchange between different stakeholders and uses various committees and activities for this purpose. SRC has so far participated in Special Interest Groups and Task Forces as well as in Community Meetings and Request for Comment phases.

Global Executive Assessor Roundtable

Since 2018 the PCI SSC has given experienced assessor companies the opportunity to advise its senior management through the Global Executive Assessor Roundtable (GEAR). We are excited that our company has been selected this year for this responsible membership, which forms the interface between the leadership of the PCI SSC and the leadership of the assessment companies. This will enable us to contribute our years of experience directly. The nomination is valid for the next two years and gives us the opportunity to play an influential role in the further development of specifications for assessment procedures, new training programmes and qualification requirements for future assessors. Other GEAR responsibilities include finding ways to promote assessors' engagement in new and emerging markets, and optimising assessors' skills to add value for payment companies.

We are proud to be included in this circle and see it as recognition of our past performance and relevance in the payments security market. At the same time, we are aware of our responsibility to represent a large community of assessment companies and take this as an additional incentive for the future.

8 digit BINs and PCI DSS

On April 1, 2022, the payment brands Visa and Mastercard expand the BIN (Bank Identification Number) of their cards worldwide from 6 to 8 digits. In future, the first 8 digits of a 16-digit card number (Primary Account Number, PAN) identify the card issuer. The BIN is used in many places where the full PAN is not needed, e.g. for routing transactions or for reporting.


Wherever a full PAN is used, the systems, environments, processes and people involved must meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). As useful as PCI DSS protection of the PAN is, it is not necessary for the BIN. PCI DSS therefore describes the conditions under which parts of the PAN do not require the same protection as the full PAN. If only parts of the PAN, rather than the full PAN, are stored, processed or transmitted, PCI DSS calls this "truncation". If the full PAN is stored in the background but not all digits are displayed in an application, PCI DSS calls the display "masking". In everyday language the term "crossing out" is used for both measures; from a PCI DSS point of view, however, they have to be distinguished: masking protects a display, truncation protects stored data, and the formats permitted for each differ.

The following rules previously applied to truncation and masking:

  • Masking: PCI DSS Requirement 3.3 states that at most the first six and last four digits ("first 6, last 4") of the PAN may be displayed, unless there is a business need to view the full PAN.
  • Truncation: PCI DSS Requirement 3.4 lists truncation as one example of rendering PANs unreadable, but does not define it. The permitted formats are defined by the international payment brands and summarised by the PCI SSC in FAQ entry #1091. Most brands had agreed on the rule "first 6, any other 4", which held for many years.

Changed rules for truncation and masking

However, because of the switch to 8-digit BINs and the need of many companies to process them, the payment brands have now changed their specifications. The current summary in the PCI SSC FAQ entry defines "first 8, any other 4" as the permitted truncation for 16-digit PANs. The (test) card number 4012888888881881 may then be stored and processed as 40128888xxxx1881, for example; it is sufficient if any four digits after the BIN are removed. For shorter PANs, the existing rules "first 6, any other 4" (Discover) or "first 6, last 4" (American Express) remain in place. A corresponding adjustment of the PCI DSS masking requirement is expected with the change to PCI DSS v4.0.

From a security point of view, removing so few digits is not an improvement, but from a business perspective the change is probably necessary. It is to be hoped that this will be offset overall by other security measures.
In any case, PCI DSS requirements will not prevent the use of 8-digit BINs in the future.

Caution when combining different formats

Regardless of the length of the BIN, merchants and service providers who work with truncated card data should take care not to weaken the protection by mixing different formats.

  • The extended truncation formats only apply to 16-digit PANs. The length of the PAN must therefore be taken into account when truncating for storage.
  • Truncation formats such as "first 6, any other 4" allow different truncated versions of the same PAN to exist. The card number above might be stored as 40128888xxxx1881 in one system and 401288888888xxxx in another. This is not prohibited, but it must be ensured that nobody without a business need can merge the two versions and thus reconstruct further digits of the PAN, in this case right down to the complete card number. The same applies if different formats are used for masking and truncation.
  • If both truncated PANs and hash values of PANs are stored in an environment, each value on its own is initially uncritical. However, if a truncated PAN and the hash of the same PAN can be correlated, the full PAN can be recovered trivially: with 12 of 16 digits known, only 10,000 candidates remain, about 1,000 of them after the Luhn check, and each can simply be hashed and compared (a rainbow table is not even necessary). In this case, additional measures must be taken to prevent the two values from being correlated, or the hash must be keyed so that it cannot be recomputed without the secret key.
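The three caveats above can be checked mechanically. The following Python script is an added example and not part of the original article or of any PCI SSC material: it encodes the two truncation formats quoted above as a check on the kept digit positions, merges two differently truncated copies of the same PAN, and runs the brute-force recovery of a full PAN from a truncated copy plus an unsalted SHA-256 hash. The PAN used is the Visa test number quoted in the text, a publicly known test value. The keyed-hash helper stands for the countermeasure (an HMAC with a secret key, here a constructed placeholder) and not for any specific product, and the stricter brand variant "first 6, last 4" (American Express) is approximated by the more general "first 6, any other 4" rule, an assumption that a production check would have to tighten.

```python
import hashlib
import hmac
import itertools

# Constructed sample input: the Visa test PAN quoted in the article. It is a
# publicly known test number, not a real account number.
TEST_PAN = "4012888888881881"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that every PAN check digit must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncation_allowed(pan_len: int, kept: set) -> bool:
    """Check a set of kept digit positions (0-based) against the formats in
    the text: 'first 8, any other 4' for 16-digit PANs, 'first 6, any other 4'
    otherwise. Stricter brand rules (e.g. Amex 'first 6, last 4') are an
    assumption not modelled here."""
    leading = 8 if pan_len == 16 else 6
    others = [p for p in kept if p >= leading]
    return len(others) <= 4 and pan_len - len(kept) >= 4


def truncate(pan: str, kept: set) -> str:
    """Replace every digit outside `kept` with 'x', refusing formats that are
    not permitted for this PAN length."""
    if not pan.isdigit():
        raise ValueError("PAN must be numeric")
    if not truncation_allowed(len(pan), kept):
        raise ValueError("truncation format not permitted for a %d-digit PAN" % len(pan))
    return "".join(ch if i in kept else "x" for i, ch in enumerate(pan))


def merge_truncations(a: str, b: str) -> str:
    """Combine two truncated copies of the same PAN: a digit in either copy
    becomes known; conflicting digits mean they are not the same PAN."""
    if len(a) != len(b):
        raise ValueError("truncated PANs differ in length")
    out = []
    for x, y in zip(a, b):
        if x.isdigit() and y.isdigit() and x != y:
            raise ValueError("truncated values are not from the same PAN")
        out.append(x if x.isdigit() else y)
    return "".join(out)


def unsalted_hash(pan: str) -> str:
    """The weak variant: plain SHA-256 over the PAN, recomputable by anyone."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """The countermeasure: HMAC-SHA-256 with a secret key. Without the key a
    candidate PAN cannot be hashed for comparison, so recover_pan() has
    nothing to match against."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest_hex: str):
    """Brute-force the unknown digits of a truncated PAN against an unsalted
    hash of the full PAN. Returns (pan or None, number of candidates hashed)."""
    unknown = [i for i, ch in enumerate(truncated) if not ch.isdigit()]
    hashed = 0
    for fill in itertools.product("0123456789", repeat=len(unknown)):
        chars = list(truncated)
        for pos, digit in zip(unknown, fill):
            chars[pos] = digit
        candidate = "".join(chars)
        if not luhn_valid(candidate):  # the check digit discards 90 % up front
            continue
        hashed += 1
        if unsalted_hash(candidate) == digest_hex:
            return candidate, hashed
    return None, hashed


if __name__ == "__main__":
    t1 = truncate(TEST_PAN, set(range(8)) | {12, 13, 14, 15})  # 40128888xxxx1881
    t2 = truncate(TEST_PAN, set(range(12)))                      # 401288888888xxxx
    print("merged:", merge_truncations(t1, t2))
    print("recovered:", recover_pan(t1, unsalted_hash(TEST_PAN)))
    print("keyed:", keyed_hash(TEST_PAN, b"constructed-placeholder-key"))
```

With the two truncations from the text, merge_truncations() returns the complete test PAN, and recover_pan() finds it after hashing at most 1,000 Luhn-valid candidates. Replacing unsalted_hash() with keyed_hash() under a key that is stored and managed separately from the truncated data removes the comparison oracle the brute force relies on.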

PCI DSS v4.0 is coming — an overview

PCI DSS (Payment Card Industry Data Security Standard) is well known as the comprehensive data security standard for payment card data of the international payment brands. The Payment Card Industry Security Standards Council (PCI SSC) revises the standard over the years to address evolving risks and threats to payment data, to keep pace with the ever-changing IT and payment landscape, and to reinforce security.
The PCI SSC has been working on the new, fundamentally revised version 4.0 of the standard for a long time. After three RFC phases over the years, the new version will now be officially published on the PCI SSC website in March 2022.
Several changes have already been announced and are listed below.

New validation options

The PCI SSC plans to add more flexibility to the standard. Traditionally, the intended way of fulfilling a PCI DSS requirement is to follow it word for word. Now the PCI SSC plans to add a choice: for nearly every requirement, an entity can either follow the traditional, defined approach or use a customized approach with its own validation.
For each requirement, the standard will state the objective it is intended to achieve. An entity that wants to meet this objective in a different way than by following the requirement word for word can document how it does so, including a targeted risk analysis that confirms the customized control is appropriate. This documentation, including the risk analysis, is provided to the assessor, who then derives suitable testing procedures to verify the implementation of the customized controls.

Requirement changes

To make sure PCI DSS compliance is maintained throughout the year, additional requirements have been announced by the PCI SSC, e.g. the need for

  • definition of roles and responsibilities for all PCI DSS relevant topics; and for
  • regular verification of the PCI DSS scope.

In addition, existing requirements will be adapted to the evolution of threats and security practice. Changes to requirements on the following topics are expected:

  • authentication requirements,
  • detection mechanisms and awareness measures for ongoing threats, and
  • risk assessments.

The use of 8-digit BINs will also need to be addressed (see our blog entry above).
Of course, the exact details of the changes can only be given after final publication.

Transition process

The PCI SSC has announced a transition period of two years, plus additional transition time for completely new requirements.

So after publication in March 2022, take your time to read the new PCI DSS version, identify the changes, and understand their impact on your environment. Use this year to plan the migration to PCI DSS v4.0 and decide when the right moment is for your entity to switch from version 3.2.1 to 4.0.

Your PCI DSS consultant or assessor can help you understand the intention behind the changes, your need for migration, and the validation requirements. Please do not hesitate to contact them. If you have no direct contact to a PCI DSS expert, please contact the person responsible for PCI DSS at SRC.

To get a first overview of the changes to the standard, you can also join our free PCI DSS v4.0 webinar on 20 April: Register here.

5G Security High Assurance

SRC specialist Oberender | 5G Security High Assurance

As part of the CAST forum hot topic "5G Security", SRC specialist Oberender will give a presentation on 5G Security High Assurance. The CAST workshop is hosted by BSI unit SZ32 and will take place online on November 11, 2021.

5G technology will define digital life in Germany in the future, and its security features therefore directly protect the integrity of society and its citizens. The test procedure currently being developed by BSI is to consist of three parts: a test based on the 3GPP SECAM evaluation methodology (TS 33.916), which BSI is refining as a Technical Guideline; further tests may use the Accelerated Security Certification (BSZ) and the Common Criteria (CC) certification scheme. The security assessor's perspective here is quite unique. SRC has extensive experience with all of these testing methods and will give an insight into their advantages and disadvantages for testing 5G and 6G communication platforms. Dr. Jens Oberender presents the different test methods SECAM, BSZ and CC for the approval of 5G security and discusses their objectives and focus.

Mobile networks in Germany are currently entering their next evolutionary stage with 5G technology. This process is accompanied by security requirements and related certification activities. Germany needs secure and sovereign communication infrastructures. Security properties such as reliability and availability are essential factors for Germany's economic development. The CAST workshop hot topic "5G Security" provides an overview and outlook on the current status of 5G security and its future development.

BSZ Certificate

SRC recognised as testing body for the Accelerated Security Certification (BSZ)

On 1 October the "Accelerated Security Certification" (Beschleunigte Sicherheitszertifizierung, BSZ), the new certification procedure of the German Federal Office for Information Security (BSI), started. Already on 28 September, SRC was recognised by the BSI as a testing body for this new procedure. Sandro Amendola, head of the department Standardisation, Certification and Security of Telecommunication Networks at the BSI, handed over the certificate of recognition on behalf of the BSI to Peter Jung, who is responsible for the BSZ at SRC.

Accelerated Security Certification is the BSI's new lightweight procedure for certifying the security of IT products. Compared with a CC certification, a BSZ certification has several advantages: considerably less documentation effort, a significantly shorter duration and thus lower cost.

The certification scheme follows a risk-based approach. A recognised testing body such as SRC tests the IT product within a fixed time frame using conformance and penetration tests to determine its security performance and its resistance to attacks.

Users also benefit: they receive comprehensible documentation of the security performance and the assurance that any vulnerabilities that occur will be remedied within the certificate's validity period.
"After SRC has already carried out the first successful evaluation according to BSZ, we are very pleased about the recognition as a testing body for this innovative certification scheme that has now taken place," says Peter Jung, representative of the testing body and responsible for the Accelerated Security Certification BSZ at SRC.

SRC was one of the first testing bodies recognised for BSZ. SRC performed the evaluation of the LANCOM-1900EF, the first product ever certified under BSZ.

DLT for IT service providers in the banking environment

SRC expert Botermann | DLT for IT service providers in the banking environment

Crypto assets based on blockchains are moving many states, companies, and the world of banks and their IT service providers.

Distributed ledger technology (DLT) describes the technology of distributed ledgers, in which transactions are legitimised in a decentralised manner and stored with the participants. As a disruptive technology, DLT makes numerous intermediation and clearing points redundant. Banks are threatened with the loss of their position as anchors of trust for transactions.

But this is precisely where the prospects for future business models lie, since banks traditionally have expertise in the safekeeping of confidential information. The decisive technical trust anchor of every DLT transaction is the customer's private key. The trusted management of this private key may prove to be a path for the evolution of banks' business models.

In summary: DLT applications offer IT service providers in the banking environment good opportunities to adapt their business models and to position themselves for the future. Services in the crypto custody business are a suitable entry point, which can be expanded and supplemented later.

How can business models in the banking environment be adapted to these developments? What opportunities does the crypto custody business offer? What technical and regulatory requirements must be met?

In the articles DLT for IT service providers in the banking environment (German), Crypto custody business: starting point for business field expansion (German) and Crypto custody business as a business area expansion for banks (German), published in gi GELDINSTITUTE and on, SRC expert Dr. Benjamin Botermann gives an insight into and overview of the challenges, opportunities and stumbling blocks of the crypto custody business with distributed ledger technology (DLT).

The SRC experts will follow the exciting developments in the field of cryptocurrencies and the digital euro for you and support you in realising your crypto custody business. We will be happy to inform you about the possibilities of getting involved in this innovative sector.

Intensive seminar | Basic knowledge of IT basics and security measures for non-IT specialists on 15 November 2021

Intensive seminar (online)
Basic knowledge of IT basics and security measures for non-IT specialists

Bank IT in particular is required to protect sensitive information and data to a high level and at the same time make it available to authorised persons. To achieve this, information security officers, data protection officers, IT officers and other bank employees must coordinate closely. Despite their different professional backgrounds, a common "language" must be found, and for this it helps to be able to picture the conceptual world of IT in the context of its processes and interrelationships. Only then can an interdisciplinary exchange with IT experts about IT security measures and their effects on the company and its diverse internal and external communication structures succeed.

The intensive seminar "Basic knowledge of IT basics and security measures for non-IT experts" provides the necessary knowledge about information technology and security measures. The target group is non-IT specialists in credit institutions.

The speaker Florian Schumann is IT manager at SRC Security Research & Consulting GmbH, responsible for the continuous development of IT. He is also a consultant for information security and a qualified auditor for critical infrastructures according to § 8a BSIG.

Module 1: IT terms and basics

  • Networks
  • Communication media and protocols
  • Basic IT security measures in networks
  • Basic IT security measures in data centres
  • Backup & Restore
  • Virtualisation
  • Concepts of user administration

Module 2: Encryption

  • Symmetric and asymmetric procedures
  • Key management
  • Signatures
  • Authentication (e.g. multi-factor authentication according to PSD2) and integrity assurance

In addition, participants will receive an overview of new technologies and trends, e.g. big data, cloud, artificial intelligence, and the special features of mobile working and home office. The intensive seminar offers sufficient space to reflect on upcoming security challenges.

Intensive seminar (online)

Basic knowledge of IT basics and security measures for non-IT specialists
on Monday, 15 November 2021, 10:00 a.m. to 5:00 p.m.