Demystifying ISO/IEC 27002:2022 Part I

In February 2022, the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) updated the widely acknowledged ISO/IEC 27002:2022 Information security standard. This is a comprehensive reference for generic information security controls and implementation guidance. Designed explicitly within the context of an information security management system (ISMS) based on ISO/IEC 27001, this updated standard offers internationally recognised best practices and includes 11 new controls.

It is advisable for key stakeholders like Owners, Managers, Managing Directors, Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), Chief Technology Officers (CTOs), Chief Financial Officers (CFOs), and Heads of Digital to grasp the implications of the new controls outlined in ISO/IEC 27002:2022.

Let’s delve into a few key updated controls that hold substantial relevance:

5.7 Threat Intelligence

Understanding and analysing information security threats is pivotal for proactive mitigation. ISO/IEC 27002:2022 emphasises collecting and analysing threat intelligence so that organisations can take informed action and prevent potential harm from fraudulent or malicious activity. Sharing intelligence among organisations is also encouraged to strengthen the overall threat picture.

Application: While ISO doesn’t mandate documentation, incorporating threat intelligence rules into supplier security policies, incident management procedures, and security operating procedures is recommended.

5.23 Information Security for the Use of Cloud Services

With the increasing reliance on cloud services, ISO/IEC 27002:2022 underscores the need for organisations to establish and communicate specific policies for cloud service usage. Defining the division of responsibilities between the organisation and its cloud service providers (CSPs) is good practice and helps ensure that the subscribed services perform as expected. In practice, shared-responsibility arrangements leave gaps, so it is crucial to manage information security risks effectively when following outsourced models and to ensure the services deliver the expected value.

Implementation: Though ISO doesn’t necessitate documentation, including cloud service rules in supplier security policies and documenting acquisition, clearly defined ‘roles and responsibilities’, use, management, and exit processes is advisable.

5.30 ICT Readiness for Business Continuity

Ensuring information and asset availability during disruptions is paramount. ISO/IEC 27002:2022 stresses planning, implementation, and testing of ICT readiness aligned with business continuity objectives. This ensures that an organisation’s goals are sustained during disruptions by identifying and implementing suitable ICT continuity strategies.

Application: While ISO doesn’t mandate documentation, integrating ICT readiness into the disaster recovery plan and internal audit reports is necessary. For those implementing ISO 22301 standards, documenting readiness through business impact analysis (BIA), business continuity strategy, plan, and testing reports is essential.

7.4 Physical Security Monitoring

Continuous monitoring to detect unauthorised physical access is crucial. ISO/IEC 27002:2022 highlights the need to monitor sensitive areas using surveillance systems and ensure protection against unauthorised access or system tampering. Compliance with local laws and data protection regulations is emphasised, especially concerning personnel monitoring and video retention periods.

Implementation: ISO doesn’t specifically require documentation for this control.

8.9 Configuration Management

Maintaining correct configurations for hardware, software, and networks is vital. ISO/IEC 27002:2022 stresses establishing, documenting, and monitoring configurations to prevent unauthorised changes. Following a defined process, using appropriate tools, and recording every change with comprehensive system management tools are crucial to maintaining secure configurations.

Application: ISO requires documentation for this control. A standard operating procedure or a defined configuration process with logged changes for audit trail purposes is necessary.
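As an added illustration of what a documented baseline with an audit trail looks like in practice (example code written for this article, not material from the standard or from any tooling it references), the script below keeps a baseline of expected settings, records approved changes, and reports any setting that has drifted without a matching change record. The setting names, values and ticket identifiers are constructed for the example.

```python
"""Configuration baseline drift check (added example for control 8.9)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample baseline for one host (illustrative settings only).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_incoming": "deny",
    "audit.enabled": "yes",
}

# Constructed current state: one approved change, one unauthorised drift,
# and one setting that was never added to the documented baseline.
CURRENT = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",   # drifted, no change record
    "firewall.default_incoming": "allow",   # changed under an approved ticket
    "audit.enabled": "yes",
    "sshd.X11Forwarding": "yes",            # not in the baseline at all
}

def fingerprint(config):
    """Stable SHA-256 of a config, so the documented baseline can be verified."""
    canonical = json.dumps(config, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def record_change(log, key, old, new, ticket, approver):
    """Append an approved change to the audit trail (an in-memory list here)."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "key": key,
                "old": old, "new": new, "ticket": ticket, "approver": approver})
    return log

def find_drift(baseline, current, change_log):
    """Return findings: baseline settings whose live value differs with no
    approved change record, plus live settings absent from the baseline."""
    approved = {(c["key"], c["new"]) for c in change_log}
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected and (key, actual) not in approved:
            findings.append(("unauthorised_change", key, expected, actual))
    for key in current.keys() - baseline.keys():
        findings.append(("undocumented_setting", key, None, current[key]))
    return sorted(findings)

if __name__ == "__main__":
    log = record_change([], "firewall.default_incoming", "deny", "allow",
                        "CHG-0001", "ops-lead")           # constructed ticket
    for finding in find_drift(BASELINE, CURRENT, log):
        print(finding)
```

Running it reports the password-authentication drift and the undocumented X11 setting, while the firewall change passes because an approved record exists for it.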

Conclusion

ISO/IEC 27002:2022 is an essential framework aligning organisations with evolving technology and industrial practices. Although there isn’t a specific deadline for organisations to adopt the updated standard, it’s advisable to initiate alignment tasks promptly.

For any organisation to mature, comprehending and implementing the updated ISO/IEC 27002:2022 controls is pivotal for bolstering information security measures in today’s dynamic business landscape.