Demystified! ISO/IEC 27002:2022 for Your Business

November 24, 2023
Posted by: Gradeon
Category: Compliance

Understanding ISO/IEC 27002:2022 – Expert Advice

To fortify an organisation’s cybersecurity stance, IT professionals and auditors must maintain awareness of global best practices. Recently, the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC) revised their widely acknowledged standard ISO/IEC 27002:2022 Information Security, cybersecurity, and Privacy Protection—Information Security Controls. Thus, it becomes crucial for practitioners to acquaint themselves with the alterations, particularly the introduction of 11 new controls.

This article follows the initial segment, “A Guide to the Updated ISO/IEC 27002:2022 Standard, Part I

8.10 Information Deletion

Information Deletion is a control to prevent unnecessary exposure of sensitive data and ensures adherence to legal, regulatory, and contractual requirements for data removal. As per ISO/IEC 27002:2022, “Information retained in systems or storage media should be expunged when no longer necessary.” Organisations must limit the storage duration of sensitive information to mitigate the risk of accidental or malicious data disclosure. A defined process delineating the data to erase, when and how it should occur, and assigning responsibility for erasure considering business, regulatory, or contractual security requirements is essential.

From an ISO standpoint, specific documentation isn’t mandated. Nonetheless, having disposal policies, acceptable usage policies, and security operation procedures detailing the deletion of sensitive information from devices, servers, and networks is imperative. A data retention policy stipulates storage duration for various information categories, and their erasure timelines are also essential.

8.11 Data Masking

Data Masking is a preventive measure to curtail the exposure of sensitive data, such as personally identifiable information (PII), ensuring compliance with legal and regulatory requirements. ISO/IEC 27002:2022 outlines, “Data masking should align with the organisation’s access control policy, relevant policies, and business requirements, adhering to pertinent legislation.” Employing anonymisation, encryption, obfuscation, and pseudonymisation helps shield data. Processes should identify which data requires masking, who can access it, and the applicable masking methods.

From an ISO perspective, documentation is necessary. Access control policies should explicitly cover data masking requirements. For entities complying with GDPR or similar regulations, a privacy policy, a personal data protection policy, and a data masking policy are crucial in delineating data masking concerning privacy laws.

8.12 Data Leakage Prevention

Data Leakage Prevention functions as a detective and preventive measure, aiming to identify and halt unauthorised extraction and disclosure of information. ISO/IEC 27002:2022 emphasises, “Measures for data leakage prevention should extend to systems, networks, and devices handling sensitive information.” Organisations must classify, monitor, and proactively prevent information leaks across IT systems, networks, or devices. Establishing protocols to assess data sensitivity, technological risks (e.g., potential data breaches via smartphones), and monitoring channels susceptible to data leakage are essential.

While ISO does not mandate specific documentation, having information classification policies, security operational procedures, and acceptable use policies defining rules related to data leakage prevention is beneficial.

8.16 Monitoring Activities

Monitoring Activities function as a detective and corrective control, aiming to identify abnormal behaviour and potential security incidents. ISO/IEC 27002:2022 stipulates, “Continuous monitoring of networks, systems, and applications is crucial, with appropriate actions taken upon detecting potential security incidents.” Organisations benefit from defining the scope and intensity of monitoring activities and maintaining comprehensive records.

Monitoring aspects may include tracking inbound/outbound network traffic, system access, critical system configurations, security tool logs, and resource usage/performance. Establishing a baseline for normal behaviour aids in detecting anomalies. Real-time or periodic monitoring should align with organisational needs and capabilities.

While ISO doesn’t require specific documentation, developing procedures detailing system monitoring and assigning responsible personnel for maintaining necessary records is advisable.

8.23 Web Filtering

Web Filtering is a preventive measure against malware compromise and unauthorised web access. ISO/IEC 27002:2022 advocates “Management of external website access to reduce exposure to malicious content.” Organisations can employ IP or domain blocking to mitigate the risk of inadvertently accessing illegal content, viruses, or phishing material. Strategies like signature-based filtering or defining acceptable/unacceptable websites and domains are effective. Establishing usage rules and providing personnel training on secure web use are essential.

ISO standards do not mandate specific documentation, but creating procedures outlining web filtering processes can be beneficial.

8.28 Secure Coding

Secure Coding is a preventive measure that ensures software is developed securely, reducing potential information security vulnerabilities. ISO/IEC 27002:2022 recommends “Applying secure coding principles throughout software development.” Establishing a secure coding baseline and implementing governance processes aid in countering evolving threats. Continual improvement, guided by real-world threats and vulnerability information, ensures the adoption of safe coding practices.

While ISO doesn’t mandate specific documentation, including secure coding rules in software development policies is advised.

Conclusion

The updated versions of ISO/IEC 27001 and ISO/IEC 27002 standards mirror technological advancements and evolving industrial practices. These revisions aim to simplify and enhance the standards’ usability. While organisations have a grace period to align with the updated standards, taking proactive steps to adhere to the latest guidelines is recommended.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_XJTBGPGZEW	2 years	This cookie is installed by Google Analytics.
_gat_UA-202583883-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 11 days 22 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

DEMYSTIFYING ISO/IEC 27002:2022 – Part II

Understanding ISO/IEC 27002:2022 – Expert Advice

8.10 Information Deletion

8.11 Data Masking

8.12 Data Leakage Prevention

8.16 Monitoring Activities

8.23 Web Filtering

8.28 Secure Coding

Conclusion

Consulting Services

Compliance Services

PCI Services

Cyber Services

Products

How can we help you?