ISO 27002 is an international standard that defines a catalogue of information security controls that can be used to manage risk. It is useful because it provides a way to frame your thinking and gives implementation guidance for each control. It is closely related to ISO 27001: where ISO 27001 sets out how to operate an Information Security Management System (ISMS), ISO 27002 describes the controls you may choose to implement as a result. The two can be used together, or ISO 27002 can be used standalone as your control framework.
The latest version of ISO 27002 was published earlier this year, in February 2022, replacing the 2013 edition published nine years earlier and bringing the control set up to date with developments such as cloud services, threat intelligence and data leakage prevention.
Fewer sections and controls
The most visible change is the restructuring of the standard. The revision reduces fourteen control categories to four themes, and 114 controls to 93. The decrease in the number of controls is mostly due to merging of existing controls; alongside the merges, eleven entirely new controls have been added.
With this more focused structure, controls are grouped at a much higher level than before. The four themes are: organisational, people, physical and technological.
The category structure is more adaptable for inclusion of controls in the future and helps to align responsibility for controls. For example, Human Resources owning and providing evidence of the people controls, or Facilities being responsible for ensuring physical controls are effective and suitable to protect the organisation.
The new ISO 27002 controls
Let’s take a look at the new controls and what they mean:
| New control | What it means |
|---|---|
| Threat intelligence | Maintaining awareness of the threat landscape through gathering and analysing threat data, and acting on it |
| Information security for the use of cloud services | Managing the selection, onboarding, use and offboarding of cloud services with information security in mind |
| ICT readiness for business continuity | Establishing, maintaining and testing ICT continuity plans to give assurance that systems and operations remain available |
| Physical security monitoring | Monitoring premises (for example with guards, alarms or CCTV) to detect and deter unauthorised physical access |
| Configuration management | Establishing, documenting and enforcing hardened configurations for hardware, software, services and networks, including cloud services |
| Information deletion | Deleting information that is no longer required, in line with legal, regulatory and contractual retention requirements |
| Data masking | Using techniques such as masking, pseudonymisation or anonymisation to limit the exposure of sensitive data |
| Data leakage prevention | Detecting and preventing the unauthorised disclosure or extraction of information from systems, networks and devices |
| Monitoring activities | Monitoring networks, systems and applications for anomalous behaviour to support the detection of suspected incidents |
| Web filtering | Restricting access to external websites that are malicious, illegal or not business related |
| Secure coding | Applying secure coding principles and tooling during development to reduce the likelihood of vulnerabilities in software |
Another addition is an attributes table for every control. Attributes classify each control along five dimensions, which makes it possible to filter and group the control set in different ways. The five attributes, and the values they can take, are:
- Control type: preventive, detective or corrective
- Information security properties: confidentiality, integrity or availability
- Cyber security concepts: identify, protect, detect, respond or recover (mirroring the functions of NIST’s Cybersecurity Framework)
- Operational capabilities, which include:
  - Asset Management
  - Information Protection
  - Human Resource Security
  - Physical Security
  - System and Network Security
  - Application Security
  - Secure Configuration
  - Identity and Access Management
  - Threat and Vulnerability Management
  - Supplier Relationships Security
  - Legal and Compliance
  - Information Security Event Management
  - Information Security Assurance
- Security domains: Governance and Ecosystem, Protection, Defence or Resilience.
These attributes will be really helpful for cyber security managers to review aspects of their security programmes, cross-referencing with other frameworks such as NIST’s Cybersecurity Framework, and answer questions like “do we have enough focus on detecting and correcting risk events?”
As an example, the web filtering control’s attributes tell us:
- It is a preventive control, meaning it is a measure used to stop something from happening rather than to detect or recover from it
- It helps to protect confidentiality, integrity and availability
- Its cyber security concept is Protect, and it sits within the Protection security domain
- Its operational capability is System and Network Security, so responsibility lies with the team that operates system and network security.
How this will affect you
If you are already ISO 27001 certified, the new edition will not affect you immediately, but it will once Annex A of ISO 27001 is aligned with the new control set and you come to recertify. Check with your certification body for its transition timeline. At recertification, or if you are just starting out towards ISO 27001 certification, you will need to:
- Align your Statement of Applicability (SoA) with the new controls. You may decide that some of the new controls are applicable and others are not; you must record a justification for both inclusion and exclusion
- For example, if your company is fully remote with no offices or physical locations, physical security monitoring may not be applicable to you, but the SoA still needs to state why
- Map your information security risk treatment for identified risks to the updated controls, so that each treatment references a control that still exists
- Ensure your ISMS documentation (policies, standards and procedures) covers the additional controls and describes how each one is implemented and operated, because this is the evidence an auditor will ask for.
NEXT: in my second blog post, “Thoughts on the updated ISO 27002”, I reflect on the new controls and whether the new version is appropriate given the changes and progression in the technology industry and wider business.