DEMYSTIFYING ISO/IEC 27002:2022 – Part II

Understanding ISO/IEC 27002:2022 – Expert Advice

To fortify an organisation’s cybersecurity stance, IT professionals and auditors must keep abreast of global best practices. Recently, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) revised their widely adopted standard ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls. Practitioners therefore need to familiarise themselves with the changes, in particular the 11 newly introduced controls.

This article follows the initial segment, “A Guide to the Updated ISO/IEC 27002:2022 Standard, Part I”.

8.10 Information Deletion

Information Deletion is a preventive control: it limits unnecessary exposure of sensitive data and ensures adherence to legal, regulatory, and contractual requirements for data removal. As per ISO/IEC 27002:2022, “Information retained in systems or storage media should be expunged when no longer necessary.” Organisations must limit how long sensitive information is stored in order to reduce the risk of accidental or malicious disclosure. A defined process is essential: it should state which data is to be erased, when and how the erasure takes place, and who is responsible for it, taking business, regulatory, and contractual security requirements into account.

From an ISO standpoint, no specific documentation is mandated. Nonetheless, disposal policies, acceptable use policies, and security operating procedures that detail how sensitive information is deleted from devices, servers, and networks are imperative. A data retention policy that stipulates the storage duration and erasure timeline for each category of information is also essential.

8.11 Data Masking

Data Masking is a preventive measure to curtail the exposure of sensitive data, such as personally identifiable information (PII), ensuring compliance with legal and regulatory requirements. ISO/IEC 27002:2022 states, “Data masking should align with the organisation’s access control policy, relevant policies, and business requirements, adhering to pertinent legislation.” Anonymisation, encryption, obfuscation, and pseudonymisation are the techniques used to shield the data. Processes should identify which data requires masking, who may access it in which form, and the masking method that applies in each case.

From an ISO perspective, documentation is necessary. Access control policies should explicitly cover data masking requirements. For entities complying with GDPR or similar regulations, a privacy policy, a personal data protection policy, and a data masking policy are crucial in delineating data masking concerning privacy laws.
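The control ties the masking method to the viewer's access rights, so a practical implementation is a policy table mapping field and role to a method. The following Python example is added here to illustrate that; it is not code from the standard or the article. The field names, roles, policy table, demo key and sample record are all constructed assumptions, and it shows three of the techniques the text names: pseudonymisation (a keyed HMAC token that stays joinable for analytics), partial masking for support staff, and full redaction as the fail-closed default for unknown roles and fields.

```python
import hashlib
import hmac
import re

# Constructed policy for the example (not from the standard): for each sensitive
# field, the masking method each viewer role receives. Roles not listed fall
# back to full redaction.
MASKING_POLICY = {
    "email":       {"support": "partial", "analytics": "pseudonym", "admin": "clear"},
    "phone":       {"support": "partial", "analytics": "redact",    "admin": "clear"},
    "national_id": {"support": "redact",  "analytics": "pseudonym", "admin": "clear"},
}
NON_SENSITIVE_FIELDS = {"order_id", "country"}
REDACTED = "[REDACTED]"

# Constructed demo key. In practice the key comes from a key management service
# and is rotated under the organisation's key management procedure.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed token: equal inputs give equal tokens, so masked
    records can still be joined for analytics, but without the key the token
    cannot be reversed or matched against a list of candidate inputs (which
    is why an HMAC is used rather than a plain hash)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def partial_mask(field: str, value: str) -> str:
    """Reveal just enough for a support agent to confirm identity with a customer."""
    if field == "email":
        local, _, domain = value.partition("@")
        return (local[:1] or "*") + "***@" + domain
    digits = re.sub(r"\D", "", value)          # phone / ID number: keep the last four digits
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def mask_record(record: dict, role: str, key: bytes = DEMO_KEY) -> dict:
    """Apply the method the policy assigns to this role, field by field.
    Fields the policy does not know are treated as sensitive and redacted
    (fail closed), so a newly added column cannot leak by omission."""
    out = {}
    for field, value in record.items():
        if field in NON_SENSITIVE_FIELDS:
            out[field] = value
            continue
        method = MASKING_POLICY.get(field, {}).get(role, "redact")
        if method == "clear":
            out[field] = value
        elif method == "pseudonym":
            out[field] = pseudonymise(value, key)
        elif method == "partial":
            out[field] = partial_mask(field, value)
        else:
            out[field] = REDACTED
    return out


# Constructed sample record.
SAMPLE_RECORD = {
    "order_id": "ORD-1001",
    "country": "NL",
    "email": "alice@example.com",
    "phone": "+31 6 1234 5678",
    "national_id": "123456782",
}

if __name__ == "__main__":
    for role in ("support", "analytics", "admin", "intern"):
        print(role, mask_record(SAMPLE_RECORD, role))
```

The policy table is the artefact an auditor would expect to find referenced from the access control policy: it records, per data element and role, which form of the data may be seen. Keeping the pseudonymisation key separate from the masked data set is what makes the tokens pseudonymous rather than reversible by anyone holding the output.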

8.12 Data Leakage Prevention

Data Leakage Prevention functions as a detective and preventive measure, aiming to identify and halt unauthorised extraction and disclosure of information. ISO/IEC 27002:2022 emphasises, “Measures for data leakage prevention should extend to systems, networks, and devices handling sensitive information.” Organisations must classify information, monitor its movement, and proactively prevent leaks across IT systems, networks, and devices. Establishing protocols to assess data sensitivity, to evaluate technological risks (e.g., data leaving via smartphones), and to monitor the channels through which data could leak is essential.

While ISO does not mandate specific documentation, having information classification policies, security operational procedures, and acceptable use policies defining rules related to data leakage prevention is beneficial.
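The three activities the control names (classify, monitor, prevent) can be shown together in a small outbound-channel inspector. The Python example below is added for that purpose and is not part of the article or the standard. The classification levels, channel ceilings, content patterns and sample messages are constructed assumptions; the payment-card pattern is validated with the Luhn checksum so that ticket or order numbers that merely look like card numbers are not blocked, and every decision, allowed or not, is written to an audit list because the detective half of the control depends on those records.

```python
import re
from dataclasses import dataclass, asdict

# Constructed classification scheme and channel rules (assumptions for the example).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
# Highest level each channel may carry; channels not listed are treated as fully exposed.
CHANNEL_CEILING = {"email_internal": 3, "email_external": 1, "cloud_share": 1, "usb": 0}


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out digit runs such as
    ticket or order numbers that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (name, pattern, implied level or None to take it from the match, validator or None)
CONTENT_RULES = [
    ("payment card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "RESTRICTED",
     lambda text: luhn_ok(re.sub(r"\D", "", text))),
    ("credential", re.compile(r"(?i)\b(?:password|secret|api[_-]?key)\s*[:=]\s*\S+"),
     "RESTRICTED", None),
    ("classification marking", re.compile(r"\b(INTERNAL|CONFIDENTIAL|RESTRICTED)\b"), None, None),
]


def classify(text: str, declared: str = "PUBLIC") -> tuple:
    """Effective level is the higher of the declared label and anything the
    content itself implies, so an unlabelled or mislabelled document still
    gets the protection its contents warrant."""
    level = LEVELS[declared]
    reasons = []
    for name, pattern, implied, validator in CONTENT_RULES:
        for m in pattern.finditer(text):
            if validator is not None and not validator(m.group(0)):
                continue
            found = implied or m.group(1)
            level = max(level, LEVELS[found])
            reasons.append(f"{name} -> {found}")
    return LEVEL_NAMES[level], reasons


@dataclass
class Decision:
    action: str
    level: str
    reason: str


AUDIT_LOG = []   # one record per inspected transfer, for monitoring and review


def inspect_transfer(channel: str, text: str, declared: str = "PUBLIC",
                     user: str = "unknown") -> Decision:
    """Compare the effective classification with what the channel may carry,
    and record every decision, allowed or not."""
    level, reasons = classify(text, declared)
    ceiling = CHANNEL_CEILING.get(channel, 0)
    if LEVELS[level] > ceiling:
        decision = Decision("block", level, "; ".join(reasons) or f"declared {declared}")
    else:
        decision = Decision("allow", level, "within channel ceiling")
    AUDIT_LOG.append({"user": user, "channel": channel, **asdict(decision)})
    return decision


if __name__ == "__main__":
    # Constructed sample transfers.
    print(inspect_transfer("email_external", "Card on file: 4111 1111 1111 1111", user="bob"))
    print(inspect_transfer("email_external", "Ticket ref 1234 5678 9012 3456 attached"))
    print(inspect_transfer("usb", "Roadmap - INTERNAL only"))
    print(inspect_transfer("cloud_share", "meeting notes", declared="CONFIDENTIAL"))
```

Pattern-only detection is where most DLP deployments generate noise; the validator hook is the place to add such checks for each data type, and the audit list is what lets the security operations team tune the rules from what was actually blocked or allowed.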

8.16 Monitoring Activities

Monitoring Activities function as a detective and corrective control, aiming to identify abnormal behaviour and potential security incidents. ISO/IEC 27002:2022 stipulates, “Continuous monitoring of networks, systems, and applications is crucial, with appropriate actions taken upon detecting potential security incidents.” Organisations benefit from defining the scope and intensity of monitoring activities and maintaining comprehensive records.

Monitoring aspects may include tracking inbound/outbound network traffic, system access, critical system configurations, security tool logs, and resource usage/performance. Establishing a baseline for normal behaviour aids in detecting anomalies. Real-time or periodic monitoring should align with organisational needs and capabilities.

While ISO doesn’t require specific documentation, developing procedures detailing system monitoring and assigning responsible personnel for maintaining necessary records is advisable.
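The text recommends establishing a baseline of normal behaviour and comparing current activity against it. The Python example below is added here to show one concrete form of that for one of the listed monitoring aspects, system access; it is not code from the article or the standard. The log line format, the seven-day history of failed logons per host and the observation-window lines are all constructed. A host whose failures exceed its mean plus three standard deviations (with a floor for very quiet hosts) is flagged, a host with no baseline at all is flagged as an unrecorded asset, and lines that do not parse are counted rather than dropped, since a gap in the records is itself something the control asks to be kept track of.

```python
import re
import statistics
from collections import Counter

# Constructed line format for the example; real sources (syslog, Windows
# Security log, identity-provider audit events) need their own parser.
LINE_RX = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) src=(?P<src>\S+)$"
)

# Constructed seven-day history of daily failed logons per host: the baseline.
BASELINE_DAILY_FAILURES = {
    "web-01": [3, 4, 2, 5, 3, 4, 3],
    "vpn-01": [10, 12, 9, 11, 10, 13, 11],
}


def parse_line(line: str):
    m = LINE_RX.match(line.strip())
    return m.groupdict() if m else None


def count_failures(lines):
    """Failed logons per host in the observation window. Unparseable lines are
    counted rather than silently dropped: a sudden rise in them is itself a
    monitoring gap worth a record."""
    counts = Counter()
    skipped = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1
        elif event["result"] == "fail":
            counts[event["host"]] += 1
    return counts, skipped


def threshold_for(history, min_margin: float = 3.0) -> float:
    """Mean plus three standard deviations, with a floor so that a very quiet
    host (near-zero variance) does not alert on a single extra failure."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    return mean + max(3 * sd, min_margin)


def detect_anomalies(lines, baseline):
    counts, skipped = count_failures(lines)
    findings = []
    for host, n in sorted(counts.items()):
        history = baseline.get(host)
        if history is None:
            findings.append({"host": host, "failures": n, "reason": "no baseline for host"})
        elif n > threshold_for(history):
            findings.append({"host": host, "failures": n,
                             "threshold": round(threshold_for(history), 1),
                             "reason": "failures above baseline"})
    return findings, skipped


def _event(i, host, user, result, src):
    return f"2024-03-08T09:{i % 60:02d}:00Z host={host} user={user} result={result} src={src}"


# Constructed observation window: a burst against web-01, a normal day on
# vpn-01, a host with no history, and one corrupt line.
TODAY_LOG = (
    [_event(i, "web-01", "svc-backup", "fail", "203.0.113.7") for i in range(14)]
    + [_event(i, "vpn-01", f"user{i}", "fail", "198.51.100.20") for i in range(11)]
    + [_event(30, "db-02", "dba", "fail", "10.0.0.9"),
       _event(31, "web-01", "alice", "ok", "10.0.0.5"),
       "garbage line from a rotated file"]
)

if __name__ == "__main__":
    findings, skipped = detect_anomalies(TODAY_LOG, BASELINE_DAILY_FAILURES)
    for finding in findings:
        print(finding)
    print(f"{skipped} line(s) could not be parsed")
```

The same structure applies to the other aspects the text lists (network traffic volumes, configuration changes, resource usage): collect a history per asset, derive a threshold from it, and keep both the findings and the parse failures as the records the control asks for. Whether the check runs in real time or once a day is the organisational choice the text refers to; the baseline logic does not change.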

8.23 Web Filtering

Web Filtering is a preventive measure against malware compromise and unauthorised web access. ISO/IEC 27002:2022 advocates “Management of external website access to reduce exposure to malicious content.” Organisations can employ IP or domain blocking to mitigate the risk of inadvertently accessing illegal content, viruses, or phishing material. Strategies like signature-based filtering or defining acceptable/unacceptable websites and domains are effective. Establishing usage rules and providing personnel training on secure web use are essential.

ISO standards do not mandate specific documentation, but creating procedures outlining web filtering processes can be beneficial.
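Domain blocking and acceptable/unacceptable site lists, as the text describes them, are simple to state but easy to get wrong at the edges: mixed-case hosts, explicit ports, trailing dots and subdomains of a listed domain must all resolve to the same decision, and browsing by raw IP address sidesteps name-based categorisation altogether. The Python example below is added to show a category lookup that handles those cases; it is not code from the article or from any filtering product. The category list, the blocked and warn categories and the blocked address range are constructed assumptions, using reserved example domains and documentation address ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy (assumptions for the example): reserved example domains
# and documentation-range addresses stand in for a real category feed.
DOMAIN_CATEGORIES = {
    "example.com": "business",
    "phishing-demo.example": "phishing",
    "downloads.example.net": "malware",
    "social.example.org": "social",
}
BLOCKED_CATEGORIES = {"phishing", "malware"}
WARN_CATEGORIES = {"social"}          # allowed, but logged so usage rules can be enforced
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

DECISION_LOG = []                     # one record per request, for the procedure's records


def hostname_of(url: str) -> str:
    """Normalise the host the user actually requested: lower-case, port and
    credentials removed, trailing dot stripped, internationalised names in
    their ASCII (IDNA) form so they match the category list."""
    if "://" not in url:
        url = "http://" + url         # a bare 'example.com/path' has no netloc otherwise
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass                          # leave as-is; it falls through to the default rule
    return host


def category_of(host: str) -> str:
    """Match the host or any parent domain against the list, most specific
    first, so a subdomain inherits its parent's category."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        category = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def filter_url(url: str, user: str = "unknown") -> tuple:
    host = hostname_of(url)
    category = category_of(host)
    if category == "ip-literal":
        ip = ipaddress.ip_address(host)
        # Raw-IP browsing bypasses name-based categorisation: block listed
        # ranges and flag everything else for review.
        action = "block" if any(ip in net for net in BLOCKED_NETWORKS) else "warn"
    elif category in BLOCKED_CATEGORIES:
        action = "block"
    elif category in WARN_CATEGORIES:
        action = "warn"
    else:
        action = "allow"
    DECISION_LOG.append({"user": user, "host": host, "category": category, "action": action})
    return action, category


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ("https://phishing-demo.example/login",
                "HTTP://Login.Downloads.Example.NET:8443/x",
                "example.com/careers",
                "https://203.0.113.45/"):
        print(url, "->", filter_url(url, user="alice"))
```

The decision log is the record a web filtering procedure would point to, and the "warn" outcome for uncategorised raw-IP requests is a reasonable default where an organisation prefers not to break legitimate tooling; a stricter policy would block them outright.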

8.28 Secure Coding

Secure Coding is a preventive measure that ensures software is developed securely, reducing potential information security vulnerabilities. ISO/IEC 27002:2022 recommends “Applying secure coding principles throughout software development.” Establishing a secure coding baseline and implementing governance processes aid in countering evolving threats. Continual improvement, guided by real-world threats and vulnerability information, ensures the adoption of safe coding practices.

While ISO doesn’t mandate specific documentation, including secure coding rules in software development policies is advised.


The updated versions of ISO/IEC 27001 and ISO/IEC 27002 standards mirror technological advancements and evolving industrial practices. These revisions aim to simplify and enhance the standards’ usability. While organisations have a grace period to align with the updated standards, taking proactive steps to adhere to the latest guidelines is recommended.