Understanding the information security controls in the ISO 27002:2022 update is essential when using it as a compliance guide for achieving ISO 27001 certification. This article provides in-depth information on the 11 new security controls and how they can be implemented to achieve information security for your business.
Before going into the details, let's quickly define ISO 27002:2022.
What is ISO 27002:2022?
ISO/IEC 27002 is an updated compliance guide to ISO 27001:2013. It can be used to select security controls according to an organisation's requirements in order to achieve a robust information security management system (ISMS). This makes the organisation eligible for ISO 27001 certification. In short, ISO 27002:2022 is a guide to achieving ISO 27001 certification.
Information security requirements
An organization must determine its information security requirements. There are three main sources of information security requirements:
1) the assessment of the possible risks to the company, taking into consideration its overall business strategy and objectives. This can be provided through a risk assessment process that would determine the controls essential to ensure that the residual risk for the company meets its risk acceptance criteria.
2) the legal, statutory, regulatory, and contractual requirements that an organization and its interested parties (trading partners, service providers, etc.) have to comply with and their socio-cultural environment.
3) a documented set of the business requirements, principles and objectives for information handling that an organisation has developed to support its operations, applied at each stage of the information life cycle.
Why use ISO/IEC 27002:2022?
It is used to implement the security controls needed to operate an ISMS and achieve ISO 27001 certification. The guide describes security controls that organisations can implement according to their own information security requirements.
It is essential to know the 11 new security controls introduced in the ISO 27002:2022 update in order to understand how to implement them according to the security requirements of a business.
The new security controls are listed below by clause number:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring services
- 8.22 Web filtering
- 8.28 Secure coding
Threat Intelligence (5.7)
With the effects of globalisation and technology, the importance of Cyber Threat Intelligence (CTI) has been continually increasing. In this light, ISO introduced an updated version, ISO/IEC 27001:2022, for the implementation of enhanced security controls.
To create a decisive advantage, businesses need to understand the overall cyber threat landscape, how threats converge, and the trends affecting their industry and peers. They must also be aware of the cyber security threats specific to their own organisation.
To achieve Cyber Threat Intelligence, businesses must:
- Employ a CTI process that feeds information gathered from threat intelligence sources into the organisation's information security risk management processes.
- Implement technical preventive and detective controls such as firewalls, intrusion detection or prevention systems, and anti-malware solutions.
- Conduct daily information security audits using established processes and techniques. Examples include penetration testing, OWASP, internal or external network assessments, and OSINT.
Information Security for Use of Cloud Services (5.23)
Cloud services such as Software, Infrastructure and Platform as a Service have led to an increased risk of large hacking incidents, which in turn has brought tighter legal and regulatory obligations. It is essential to ensure that information stored on cloud services is both protected and monitored correctly.
- Establish controls such as robust supplier engagement and assessment processes.
- Regularly review the shared responsibility model and contractual agreements, including service level agreements (SLAs).
- Build strong cyber security and information security awareness, covering malware and phishing risks among others.
ICT readiness for business continuity (5.30)
Every business needs a robust system architecture that can hold company data securely. Redundancy ensures availability by providing spare capacity in case of system failure, and often requires duplicate components such as power supplies. Adequate redundancy that can be spun up when necessary forms an important part of business continuity planning, and it should be tested regularly.
The process includes:
- Plan and develop a business continuity plan (BCP).
- Test the BCP at regular intervals.
- Document the results and the lessons learned.
Physical Security Monitoring (7.4)
Physical security monitoring can deter intruders and detect intrusion. Guards, cameras, and alarms all monitor against unauthorized access.
The design of any monitoring system should be considered confidential.
Regular testing is required to ensure that the system works (CCTV, access cards (proximity cards), duress alarms, physical security guards, etc.).
Camera surveillance systems and other monitoring systems that collect personal information or may be used to track individuals may require special consideration under data protection laws. For example, camera surveillance may require a data protection impact assessment under GDPR legislation.
Configuration Management (8.9)
Configuration management is the process of maintaining computer systems, servers, and software in a desired, consistent state.
It involves maintaining a Configuration Management Database (CMDB) as part of the configuration management tooling. Standard templates must also be maintained for the secure configuration or hardening of hardware, software, services and networks, for example standard server and laptop builds (a Standard Operating Environment).
It is essential to change vendor default authentication information such as passwords immediately after installation, and to review the other important default security-related parameters (2FA/MFA, TACACS+ or RADIUS). Organisations must also verify that licence requirements have been met (for example with the Microsoft MAP Toolkit or a software licence inventory).
Information Deletion (8.10)
This involves the deletion of data that is no longer required and is held in information systems, devices or any other storage media.
When deleting system information and data stored in applications and services, use an appropriate deletion method. A professional secure data disposal service can also be engaged for this purpose.
The results of deletion should be recorded as evidence.
Use disposal mechanisms appropriate to the type of storage media being disposed of.
Data Masking (8.11)
Data masking is the process of modifying sensitive data so that it is of little or no value to an attacker.
Masking needs to be applied to data fields that are classified as personally identifiable information (PII), sensitive personal data (Secret/Confidential) or commercially sensitive data (Top Secret/Critical).
For data masking, techniques such as data encryption, hashing, and varying numbers and dates can be used.
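The masking techniques the control names, shown as an added example (this is not code from the article or from ISO): a keyed hash produces a pseudonym that stays consistent across records, card numbers and e-mail addresses are partially redacted, dates are shifted by a consistent offset so intervals survive, and salaries receive bounded noise. The sample records and the masking key are constructed for the example.

```python
"""Data-masking techniques for PII fields (added example, not from the article)."""
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample records; the names and numbers are test values only.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "card": "4111111111111111", "dob": date(1985, 3, 14), "salary": 72000},
    {"name": "Bob Example", "email": "bob@example.org",
     "card": "5500000000000004", "dob": date(1990, 11, 2), "salary": 58000},
]

# Hypothetical masking key: generated per environment and never stored beside the masked data.
MASKING_KEY = b"example-only-masking-key"


def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed hash (HMAC-SHA256): equal inputs give equal tokens, but the
    mapping cannot be rebuilt from a precomputed table without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_card(pan: str) -> str:
    """Keep the last four digits for reconciliation; replace the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Keep the domain (useful for aggregate reports), hide the local part."""
    local, _, domain = address.partition("@")
    if not domain:
        return "***"
    return local[0] + "***@" + domain


def shift_date(d: date, key: bytes = MASKING_KEY, max_days: int = 90) -> date:
    """Deterministic shift within +/- max_days derived from the key, so
    the interval between any two dates in the data set is preserved."""
    seed = int.from_bytes(hmac.new(key, b"date-shift", hashlib.sha256).digest()[:4], "big")
    offset = seed % (2 * max_days + 1) - max_days
    return d + timedelta(days=offset)


def vary_number(n: int, pct: float = 0.1, seed: int = 0) -> int:
    """Add bounded random noise (default +/- 10%) so totals stay roughly
    right while no single row reveals the true figure."""
    rng = random.Random(seed)
    return int(round(n * (1 + rng.uniform(-pct, pct))))


def mask_record(rec: dict, seed: int = 0) -> dict:
    """Apply the technique appropriate to each field."""
    return {
        "name": pseudonymise(rec["name"]),
        "email": mask_email(rec["email"]),
        "card": mask_card(rec["card"]),
        "dob": shift_date(rec["dob"]),
        "salary": vary_number(rec["salary"], seed=seed),
    }


def mask_all(records=RECORDS) -> list:
    return [mask_record(r, seed=i) for i, r in enumerate(records)]


if __name__ == "__main__":
    for original, masked in zip(RECORDS, mask_all()):
        print(original)
        print(" ->", masked)
```

The key point for a test or analytics copy is that masking must be consistent (the same person maps to the same pseudonym across tables) but not reversible by whoever receives the masked set, which is why a keyed HMAC is used rather than a plain hash.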
Data Leakage Prevention (8.12)
Monitoring and detecting unauthorised attempts to disclose or exfiltrate data are key to data leakage prevention (DLP implementation).
On detecting an attempt, organisations must apply measures such as e-mail quarantine or access blocks (and configure alerts where possible).
Other methods aim to prevent data leakage at the employee level. For this, it is essential to explain the relevant policies to staff and to train them on accessing, sharing and uploading data (add DLP training to the annual activity schedule).
Policies and processes to identify and classify information must be updated, reviewed and communicated in order to protect it from a data breach. The relevant policies are the Access Control Policy, the Secure Document Management Policy and the Information Classification Policy.
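The detection-and-response loop described above (inspect outbound content, then quarantine, block or alert) as an added example, not code from the article: constructed e-mails are scanned for payment card numbers, validated with the Luhn checksum to avoid flagging every long number, and for classification markings from an assumed Information Classification Policy. The labels, domain and actions are assumptions for the example.

```python
"""Outbound content inspection for a DLP check (added example, not from the article)."""
import re
from dataclasses import dataclass

# Assumed classification labels (hypothetical policy), most restrictive first.
RESTRICTED_LABELS = ("TOP SECRET", "SECRET", "CONFIDENTIAL")
INTERNAL_DOMAIN = "example.org"  # constructed

# 13-19 digits, optionally separated by spaces or hyphens, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Finding:
    kind: str
    evidence: str
    action: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: cuts false positives from ticket and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def find_card_numbers(text: str) -> list:
    """Return masked card numbers (last four digits kept) that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def find_label(text: str):
    """Return the most restrictive classification marking present, if any."""
    upper = text.upper()
    for label in RESTRICTED_LABELS:
        if label in upper:
            return label
    return None


def inspect(msg: Message) -> list:
    """Map each indicator to the action a DLP gateway would take."""
    findings = []
    external = is_external(msg.recipient)
    text = msg.subject + "\n" + msg.body
    for masked in find_card_numbers(text):
        # Card data leaving the organisation is held for review; internal use is only alerted on.
        findings.append(Finding("card_number", masked, "quarantine" if external else "alert"))
    label = find_label(text)
    if label and external:
        findings.append(Finding("classification", label, "block"))
    return findings


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("alice@example.org", "partner@external.example", "Invoice",
            "Please charge card 4111 1111 1111 1111 for the order."),
    Message("bob@example.org", "press@external.example", "Board pack",
            "CONFIDENTIAL: Q3 figures attached."),
    Message("carol@example.org", "dave@example.org", "Ticket",
            "Reference 1234567890123 raised with the helpdesk."),
    Message("erin@example.org", "frank@example.org", "Refund",
            "Refund to 5500 0000 0000 0004 please."),
]


def inspect_all(messages=SAMPLE_MESSAGES) -> list:
    return [inspect(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, inspect_all()):
        print(msg.recipient, "->", result or "clean")
```

Recording the finding with the card number already masked matters: the DLP log itself must not become a second copy of the data it is meant to protect.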
Monitoring Activities (8.16)
To detect anomalous behaviour and potential information security incidents, implement monitoring of networks (switches, Wi-Fi APs), systems (servers and workstations) and applications (line-of-business (LOB) applications).
Monitoring should be continuous, using a monitoring tool in real time or at periodic intervals, subject to organisational need and capability.
Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner. This helps to minimise the effect of adverse information security events.
Consider implementing security controls such as firewalls, antivirus, intrusion detection systems (IDS), intrusion prevention systems (IPS), data leakage prevention (DLP) and security information and event management (SIEM) tools.
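What a "positive indicator" from monitoring looks like in practice, as an added example that is not from the article: constructed authentication log lines are parsed, failed logins are counted per source address in a sliding window, and an indicator is raised when the threshold is crossed, escalated to high severity if a successful login follows the burst. The log format, threshold and window are assumptions for the example.

```python
"""Detection logic over constructed authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified sshd-like format; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:05 host1 sshd: Failed password for root from 203.0.113.9
2024-05-01T10:00:07 host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:09 host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:12 host1 sshd: Accepted password for admin from 203.0.113.9
2024-05-01T10:05:00 host1 sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:30:00 host1 sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:31:00 host1 sshd: Accepted password for carol from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

THRESHOLD = 5        # failures from one source ...
WINDOW_SECONDS = 60  # ... within this window raise an indicator (assumed values)


def parse(line: str):
    """Return the event fields, or None for lines the pattern does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text: str, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS) -> list:
    """Sliding-window failed-login detector with escalation on later success."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    in_burst = {}                   # src -> True once the threshold has been crossed
    indicators = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, q = ev["src"], failures[ev["src"]]
        # Expire failures older than the window relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and not in_burst.get(src):
                in_burst[src] = True
                indicators.append({"severity": "medium", "type": "password_guessing",
                                   "src": src, "count": len(q), "at": ev["ts"].isoformat()})
        else:
            # A success while recent failures are still in the window suggests a guessed password.
            if in_burst.get(src) and q:
                indicators.append({"severity": "high", "type": "success_after_burst",
                                   "src": src, "user": ev["user"], "at": ev["ts"].isoformat()})
            in_burst[src] = False
            q.clear()
    return indicators


if __name__ == "__main__":
    for ind in detect(SAMPLE_LOG):
        print(ind)
```

The second source in the sample (two failures 25 minutes apart, then a success) produces nothing, which is the point of the window: the response procedure the text calls for should be triggered by the burst pattern, not by every failed login.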
Web Filtering (8.22)
Web filtering prevents users from viewing certain URLs and websites by stopping their browsers from loading pages from those sites.
Consider implementing access controls for:
- Websites with an information upload function that is permitted for genuine business reasons, such as file-sharing services (Google Drive, Dropbox, Blue Box, etc.).
- Suspected malicious websites distributing phishing content and malware (WAF, whitelist, blacklist, etc.).
- Command and control servers (proxy servers or external DNS filtering on endpoints).
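The three rule types above expressed as a small host-based filter, added here as an example that is not from the article: approved file-sharing domains are allowed, suspected malicious domains are denied, hosts addressed by raw IP (a common command and control pattern) are denied, and everything else is allowed by default. Hostnames are taken from the parsed URL so an approved name placed in the userinfo part (https://drive.example@evil.example/) does not bypass the rule. All domain names and the policy itself are constructed placeholders.

```python
"""Host-based web-filter decision logic (added example, not from the article)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy; in production these lists come from a categorised feed.
POLICY = {
    "allow": {"drive.example", "share.example"},    # file sharing approved for business use
    "deny": {"malware.example", "phish.example"},   # suspected malicious / C2 domains
}
BLOCK_RAW_IP_HOSTS = True  # C2 traffic often addresses its server directly by IP


def host_of(url: str):
    """Return the lowercase hostname (userinfo and port stripped), or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname


def matches(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(url: str, policy=POLICY) -> tuple:
    """Return (verdict, reason). Deny rules are checked before allow rules."""
    host = host_of(url)
    if not host:
        return ("deny", "unparseable")
    if matches(host, policy["deny"]):
        return ("deny", "malicious-category")
    if matches(host, policy["allow"]):
        return ("allow", "approved-file-sharing")
    if BLOCK_RAW_IP_HOSTS and is_ip_literal(host):
        return ("deny", "raw-ip-host")
    return ("allow", "default")


# Constructed sample requests.
SAMPLE_REQUESTS = [
    "https://drive.example/upload",
    "https://files.drive.example/",
    "http://drive.example@phish.example/login",
    "http://MALWARE.example:8443/beacon",
    "http://192.0.2.10/c2",
    "https://news.example/",
]


def decide_all(urls=SAMPLE_REQUESTS) -> list:
    return [(u,) + decide(u) for u in urls]


if __name__ == "__main__":
    for url, verdict, reason in decide_all():
        print(f"{verdict:5} {reason:22} {url}")
```

Checking deny rules first means a malicious host that happens to sit under an approved parent name is still blocked, and logging the reason alongside the verdict gives the review evidence that the monitoring control (8.16) asks for.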
So, these were the 11 new security controls in the ISO 27002:2022 update. If you want an expert to take you through these controls and assist you in implementing them to achieve an information security management system, book a consultation with Anitech. Your organisation's strength lies in systems that secure your company's sensitive data from cyber-attacks.
What is the difference between ISO/IEC 27001 and ISO/IEC 27002?
ISO/IEC 27001 is a certification standard, and ISO 27002 is the compliance guide that helps organisations achieve it.
What exactly has changed in the new version of ISO27001?
There are 11 new controls, and the total number of controls is 93, compared with the 114 controls in the previous version.
How can ISO/IEC 27002 help your business?
It provides a step-by-step process to assess risks and implement security controls to address them. This in turn makes your organisation eligible for ISO 27001 certification, which further increases your reputation and the trust of clients and customers.