ISO/IEC 27002:2022 Demystified: Boost Cybersecurity in 2024

November 17, 2023
Posted by: Gradeon
Category: Compliance

In February 2022, the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) updated the widely acknowledged ISO/IEC 27002:2022 Information security standard. This is a comprehensive reference for generic information security controls and implementation guidance. Designed explicitly within the context of an information security management system (ISMS) based on ISO/IEC 27001, this updated standard offers internationally recognised best practices and includes 11 new controls.

It is advisable for key stakeholders like Owners, Managers, Managing Directors, Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), Chief Technology Officers (CTOs), Chief Financial Officers (CFOs), and Heads of Digital to grasp the implications of the new controls outlined in ISO/IEC 27002:2022.

Let’s delve into a few key updated controls that hold substantial relevance:

5.7 Threat Intelligence

Understanding and analysing information security threats is pivotal for proactive mitigation. ISO/IEC 27002:2022 emphasises collecting and analysing threat intelligence to take informed actions and prevent potential harm through fraudulent action. Collaboration through shared intelligence among organisations is also encouraged to enhance overall threat intelligence.

Application: While ISO doesn’t mandate documentation, incorporating threat intelligence rules into supplier security policies, incident management procedures, and security operating procedures is recommended.

5.23 Information Security for the Use of Cloud Services

With the increasing reliance on cloud services, ISO/IEC 27002:2022 underscores the need for organisations to establish and communicate specific policies related to cloud service usage. Defining responsibilities between cloud service providers (CSPs) is good practice and ensures the services subscribed to perform as expected. In detail, there are gaps, so it’s crucial to manage information security risks effectively when following outsourced models and ensuring value.

Implementation: Though ISO doesn’t necessitate documentation, including cloud service rules in supplier security policies and documenting acquisition, clearly defined ‘roles and responsibilities’, use, management, and exit processes is advisable.

5.30 ICT Readiness for Business Continuity

Ensuring information and asset availability during disruptions is paramount. ISO/IEC 27002:2022 stresses planning, implementation, and testing of ICT readiness aligned with business continuity objectives. This ensures that an organisation’s goals are sustained during disruptions by identifying and implementing suitable ICT continuity strategies.

Application: While ISO doesn’t mandate documentation, integrating ICT readiness into the disaster recovery plan and internal audit reports is necessary. For those implementing ISO 22301 standards, documenting readiness through business impact analysis (BIA), business continuity strategy, plan, and testing reports is essential.

7.4 Physical Security Monitoring

Continuous monitoring to detect unauthorised physical access is crucial. ISO/IEC 27002:2022 highlights the need to monitor sensitive areas using surveillance systems and ensure protection against unauthorised access or system tampering. Compliance with local laws and data protection regulations is emphasised, especially concerning personnel monitoring and video retention periods.

Implementation: ISO doesn’t specifically require documentation for this control.

8.9 Configuration Management

Maintaining correct configurations for hardware, software, and networks is vital. ISO/IEC 27002:2022 stresses establishing, documenting, and monitoring configurations to prevent unauthorised changes. Implementing defined process tools and recording changes with comprehensive system management tools are crucial to ensuring secure configurations.

Application: ISO requires documentation for this control. A standard operating procedure or a defined configuration process with logged changes for audit trail purposes is necessary.

Conclusion

ISO/IEC 27002:2022 is an essential framework aligning organisations with evolving technology and industrial practices. Although there isn’t a specific deadline for organisations to adopt the updated standard, it’s advisable to initiate alignment tasks promptly.

For any organisation to mature, comprehending and implementing the updated ISO/IEC 27002:2022 controls is pivotal for bolstering information security measures in today’s dynamic business landscape.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_XJTBGPGZEW	2 years	This cookie is installed by Google Analytics.
_gat_UA-202583883-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 11 days 22 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Demystifying ISO/IEC 27002:2022 Part I

5.7 Threat Intelligence

5.23 Information Security for the Use of Cloud Services

5.30 ICT Readiness for Business Continuity

7.4 Physical Security Monitoring

8.9 Configuration Management

Conclusion

Consulting Services

Compliance Services

PCI Services

Cyber Services

Products

How can we help you?