A Guide to the Updated ISO/IEC 27002:2022 Standard, Part 2

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 22 March 2023
Related: A Guide to the Updated ISO/IEC 27002:2022 Standard, Part 1

Tips of the Trade

To enforce a strong enterprise security posture, cyber professionals and IT auditors must strive to stay current with international best practices. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recently updated their widely recognized standard ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection—Information security controls, and as such, it is important for practitioners to familiarize themselves with the changes, particularly the introduction of 11 new controls.

The first article in this series, “A Guide to the Updated ISO/IEC 27002:2022 Standard, Part 1,” was published in February 2023 and covered five of the 11 new controls; the remaining six are examined here.

8.10 Information Deletion

This is a preventive control that limits unnecessary exposure of sensitive information and supports compliance with legal, statutory, regulatory and contractual requirements for information deletion. According to ISO/IEC 27002:2022, “Information stored in information systems, devices or in any other storage media should be deleted when no longer required.” To reduce the risk of unintended or malicious disclosure, organizations should retain sensitive information no longer than required. A process should define which data are to be erased, when and how they are erased, and who is responsible, taking business, regulatory and contractual security requirements into account. In practice the process must also cover copies: backups, snapshots, log archives and exported files are where deleted data tend to persist, and the deletion method should suit the media (for example, cryptographic erasure where the storage is encrypted, and verification that the data are actually unrecoverable rather than merely unlinked).

From an ISO perspective, no documentation (e.g., policy, procedure) is required. However, it is important to have a disposal and destruction policy, acceptable usage policy, and security operations procedures in place that specify how system administrators and other responsible personnel must delete sensitive information from their devices, servers, and networks. It is also important to have a data retention policy that defines how long each category of information should be stored and when it should be erased.

8.11 Data Masking

This is a preventive control that limits the exposure of sensitive data, including personally identifiable information (PII), and encourages compliance with legal, statutory, regulatory and contractual requirements. According to ISO/IEC 27002:2022, “Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.” There are several techniques an organization can utilize to mask data:

  • Anonymization—Irreversibly removing or generalizing the identifiers that connect an individual to stored data (for example, reducing a date of birth to a year, or dropping a field entirely) so that the data can no longer be attributed to a person, even by the organization that holds them; merely hashing or encrypting an identifier does not anonymize it, because the original can be recovered by whoever holds the key or can guess the input
  • Encryption—Encoding information so that the original representation, known as plaintext, is converted into an alternative form known as ciphertext that only holders of the key can decipher; as a masking method it protects a field from everyone except the key holder, so the data remain personal data
  • Obfuscation—Replacing or scrambling values so that the output stays usable for testing, analytics or display but does not reveal the original (for example, showing only the last four digits of a card number, substituting realistic fake values, or shuffling a column)
  • Pseudonymization—A de-identification procedure in which PII fields within a record are replaced by one or more artificial identifiers (i.e., pseudonyms); it is reversible by whoever holds the mapping table or key, so pseudonymized data are still personal data under the GDPR and the key must be protected and stored separately

There must be processes in place that can be used to determine which data should be masked, who can access which types of data and which methods should be used to mask the data.
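As an added example (not from the article), the following Python script applies the methods above to one constructed record: HMAC-based pseudonymization for the join key, generalization (anonymization) of the birth date, partial masking of the card number, and dropping a field that is not needed for the purpose. The key, the record and the candidate list are assumptions made up for the example. It also shows why an unkeyed hash is not a pseudonym: anyone holding a list of likely identifiers can hash them and match.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample record for the example; not real personal data.
RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "dob": "1987-04-12",
    "card": "4111 1111 1111 1111",
}

# Hypothetical secret held only by the team that may re-identify records.
PSEUDONYM_KEY = b"replace-me-with-a-key-from-a-vault"


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: keyed, deterministic token (HMAC-SHA-256).

    Same input -> same token, so pseudonymized records can still be joined
    and analysed, but the token cannot be reversed or tested against guesses
    without the key. The key holder re-identifies by recomputing tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(value: str) -> str:
    """The common mistake: a plain hash. Looks opaque but is guessable."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def mask_card(pan: str) -> str:
    """Obfuscation for display: keep only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def generalize_dob(dob: str) -> str:
    """Anonymization by generalization: year only, no way back to the date."""
    return dob[:4]


def mask_record(rec: dict, key: bytes) -> dict:
    """Apply one masking method per field, as a data masking policy would specify."""
    return {
        "subject_id": pseudonymize(rec["email"], key),  # join key, reversible by key holder
        "dob": generalize_dob(rec["dob"]),               # irreversible
        "card": mask_card(rec["card"]),                  # partial display mask
        # "name" is dropped: not needed for the purpose, so not retained.
    }


def guess_identifier(token: str, candidates: List[str],
                     key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare with the token.

    Succeeds against unkeyed hashes; fails against HMAC tokens unless the
    attacker also has the key.
    """
    for cand in candidates:
        t = pseudonymize(cand, key) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(t, token):
            return cand
    return None
```

guess_identifier recovers the address from the plain SHA-256 output as soon as the right candidate is tried, but gets nothing from the HMAC token unless it is also given the key; that asymmetry is what lets the key holder re-identify records while everyone else cannot. The pseudonymized output is still personal data under the GDPR precisely because that re-identification path exists.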

From an ISO perspective, this control must be documented. Organizations should have an access control policy that explicitly specifies the requirements for data masking. Organizations that require compliance with the EU General Data Protection Regulation (GDPR) or similar privacy regulations should also have a privacy policy, personal data protection policy and a data masking policy that details how data should be masked in the context of privacy regulations.

8.12 Data Leakage Prevention

This is both a detective and a preventive control, intended to help organizations detect and prevent the unauthorized extraction and disclosure of information by individuals or systems. According to ISO/IEC 27002:2022, “Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.” Organizations need to identify and classify sensitive information, monitor the channels through which it could leave (email, web uploads, removable media, cloud storage, printing and screenshots) and act to prevent leakage; where an incident does occur, it should be detected in a timely manner. Organizations should create processes that determine the sensitivity of data, assess the risk of various technologies (e.g., the risk of photographing sensitive information with a smartphone), monitor channels with the potential for data leakage and define which technology should be used to block the exposure of sensitive data.
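An added example of the detection side, not part of the original article: a small Python check of the kind a DLP gateway runs on outbound email. It scans message bodies for payment card numbers, discards matches that fail the Luhn checksum (a 13-digit order number would otherwise trip the rule), and decides on block, log or allow depending on whether the recipient is outside the organization. The message samples, the internal domain list and the decision policy are constructed for the example; the card numbers are published test values.

```python
import re
from typing import Dict, List

# Digit runs of 13-19 with optional space or hyphen separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Hypothetical: mail domains considered inside the organization's boundary.
INTERNAL_DOMAINS = {"corp.example"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate PANs (separators removed) that pass the checksum."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify_message(msg: Dict[str, str]) -> Dict[str, object]:
    """Decide what the gateway should do with one outbound message."""
    pans = find_card_numbers(msg["body"])
    recipient_domain = msg["to"].rsplit("@", 1)[-1].lower()
    if not pans:
        action = "allow"
    elif recipient_domain in INTERNAL_DOMAINS:
        action = "log"      # internal recipient: record for review, do not block
    else:
        action = "block"    # external recipient: stop the message, alert the owner
    # Never write the full PAN into the DLP log itself; keep the last four only.
    return {"action": action, "pans": [p[-4:] for p in pans]}


# Constructed sample traffic; the card numbers are published test numbers.
SAMPLE_MESSAGES = [
    {"to": "partner@other.example",
     "body": "Please charge card 4111 1111 1111 1111 for the invoice."},
    {"to": "finance@corp.example",
     "body": "Card on file: 5500-0000-0000-0004, expires 12/26."},
    {"to": "partner@other.example",
     "body": "Ref: order 1234567890123 shipped today."},
]


def scan_all(messages: List[Dict[str, str]] = SAMPLE_MESSAGES) -> List[str]:
    """Action for each sample message: block, log, allow."""
    return [classify_message(m)["action"] for m in messages]


if __name__ == "__main__":
    for msg, action in zip(SAMPLE_MESSAGES, scan_all()):
        print(f"{action:5s} -> {msg['to']}")
```

The checksum step is what keeps a rule like this usable: without it, every invoice or tracking number of the right length becomes an alert and the team stops reading them. Real deployments add the same pattern for other classifiers (national ID formats, classification labels in document metadata, secret-key prefixes) and apply it on every channel listed above, not only email.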

From an ISO perspective, no documentation (e.g., policy, procedure) is required. But it is beneficial to establish rules related to data leakage prevention in information classification policies, security operating procedures and acceptable use policies.

8.16 Monitoring Activities

This is a detective and corrective control intended to help enterprises detect anomalous behavior and potential information security incidents. According to ISO/IEC 27002:2022, “Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.” Organizations can benefit from determining a scope and level for monitoring and maintaining records of monitoring.

Subjects of monitoring can include:

  • Outbound and inbound network, system or application traffic
  • Access to systems, servers or networking equipment
  • Critical or administrator (admin)-level system and network configuration files
  • Logs from security tools
  • Use of resources and their performance

Organizations should also establish a baseline of normal behavior and monitor against this baseline for anomalies. Monitoring should be done in real time or in periodic intervals, subject to the organization’s needs and capabilities.
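To make the baseline idea concrete, here is an added example in Python, not code from the article. It builds a per-user baseline from a constructed week of authentication log lines (source addresses seen, mean and standard deviation of daily failed logins) and then checks a later day against it, flagging a source address never seen for that user and a failure count more than three standard deviations above the mean (with a floor of three failures, so a user whose baseline is near zero does not alert on a single mistyped password). The log format, user, addresses and values are all made up for the example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List

# Constructed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Baseline window: constructed sample, five working days for one user.
BASELINE_LOG = [
    "2023-03-01T09:02:11Z user=alice src=10.0.0.5 result=success",
    "2023-03-01T17:40:02Z user=alice src=10.0.0.5 result=failure",
    "2023-03-02T08:58:30Z user=alice src=10.0.0.5 result=success",
    "2023-03-03T09:10:44Z user=alice src=10.0.0.7 result=success",
    "2023-03-03T09:11:01Z user=alice src=10.0.0.7 result=failure",
    "2023-03-04T09:00:12Z user=alice src=10.0.0.5 result=success",
    "2023-03-05T09:03:55Z user=alice src=10.0.0.5 result=success",
]

# Monitored window: constructed sample with a 02:14 burst from a new address.
MONITORED_LOG = [
    "2023-03-06T02:14:03Z user=alice src=198.51.100.23 result=failure",
    "2023-03-06T02:14:09Z user=alice src=198.51.100.23 result=failure",
    "2023-03-06T02:14:15Z user=alice src=198.51.100.23 result=failure",
    "2023-03-06T02:14:21Z user=alice src=198.51.100.23 result=failure",
    "2023-03-06T02:14:40Z user=alice src=198.51.100.23 result=success",
    "2023-03-06T09:01:19Z user=alice src=10.0.0.5 result=success",
]


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse well-formed lines; malformed ones are skipped silently here."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: source addresses seen, and mean/stdev of daily failures."""
    sources = defaultdict(set)
    failures = defaultdict(lambda: defaultdict(int))
    days = set()
    for ev in parse(lines):
        days.add(ev["day"])
        sources[ev["user"]].add(ev["src"])
        if ev["result"] == "failure":
            failures[ev["user"]][ev["day"]] += 1
    baseline = {}
    for user in sources:
        # Include zero-failure days so the distribution is not biased upward.
        counts = [failures[user].get(day, 0) for day in sorted(days)]
        baseline[user] = {
            "sources": sources[user],
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
        }
    return baseline


def detect_anomalies(baseline: Dict[str, dict], lines: List[str],
                     min_failures: int = 3) -> List[str]:
    """Flag unseen sources and daily failure counts far above the baseline."""
    alerts: List[str] = []
    failures = defaultdict(int)
    for ev in parse(lines):
        b = baseline.get(ev["user"])
        if b is None:
            alerts.append(f"{ev['day']} {ev['user']}: no baseline for user")
            continue
        if ev["src"] not in b["sources"]:
            alert = f"{ev['day']} {ev['user']}: new source {ev['src']}"
            if alert not in alerts:          # one alert per user, day and source
                alerts.append(alert)
        if ev["result"] == "failure":
            failures[(ev["user"], ev["day"])] += 1
    for (user, day), n in failures.items():
        b = baseline[user]
        threshold = max(min_failures, b["mean"] + 3 * b["stdev"])
        if n > threshold:
            alerts.append(f"{day} {user}: {n} failures (baseline mean {b['mean']:.1f})")
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_LOG), MONITORED_LOG):
        print(alert)
```

Running the monitored day produces two alerts (the new source and the four failures); running the baseline week against itself produces none, which is the sanity check to do before putting any threshold into production. A real deployment would rebuild the baseline on a rolling window, keep the records the control asks for (what was monitored, what fired, who reviewed it), and route alerts into the incident process rather than printing them.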

From an ISO perspective, no documentation (e.g., policy, procedure) is required. However, it is important to develop procedures that describe how to monitor systems and identify which personnel are responsible for monitoring and maintaining necessary records.

8.23 Web Filtering

This is a preventive control that protects systems from compromise by malware and prevents access to unauthorized web resources. According to ISO/IEC 27002:2022, “Access to external websites should be managed to reduce exposure to malicious content.” Organizations can block the Internet Protocol (IP) addresses or domains of suspicious websites to reduce the risk of personnel inadvertently reaching illegal content, malware or phishing pages. Web filtering can combine several techniques, including signatures, heuristics and lists of acceptable and unacceptable (i.e., prohibited) websites or domains. Blocking by IP address is coarse, because many unrelated sites share addresses behind content delivery networks and shared hosting, so domain- or URL-based rules, backed by an exception process for false positives, are normally the primary mechanism, with IP blocking as a fallback for sites reached by raw address. Organizations should establish rules for safe and appropriate use of online resources, and personnel should be trained on the secure and appropriate use of online resources, including access to the web.
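An added Python example of the list-based approach, not from the article: a URL filter decision function using a domain blocklist, an allowlist for explicit exceptions, and an IP blocklist for raw address literals. It normalizes the hostname the way a resolver sees it (case, trailing dot, internationalized names to their ASCII form), matches parent domains so that blocking phish.example also covers login.phish.example, and checks the most specific name first so an allowlisted subdomain beats a blocked parent. The list contents use reserved example names and documentation address ranges and are assumptions for the example.

```python
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed lists: RFC 2606 reserved names and an RFC 5737 test range.
BLOCKED_DOMAINS = {"malware.example", "phish.example"}
ALLOWED_DOMAINS = {"safe.phish.example"}   # explicit exception under a blocked parent
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and convert IDNs to ASCII (punycode)
    so that lookups match the name the resolver actually queries."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def candidate_domains(host: str) -> List[str]:
    """The host and each parent: a.b.example -> [a.b.example, b.example, example]."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(url: str) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a requested URL."""
    host = urlsplit(url).hostname
    if not host:
        return "block", "no host in URL"
    host = normalize_host(host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:   # raw IP literal: no name to categorize, check ranges
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return "block", f"address in blocked range {net}"
        return "allow", "IP literal not in a blocked range"
    # Most specific name first, so an allowlisted subdomain beats a blocked parent.
    for cand in candidate_domains(host):
        if cand in ALLOWED_DOMAINS:
            return "allow", f"allowlisted {cand}"
        if cand in BLOCKED_DOMAINS:
            return "block", f"blocklisted {cand}"
    return "allow", "not listed"


if __name__ == "__main__":
    for u in ["http://login.malware.example/x", "https://safe.phish.example/",
              "http://203.0.113.9/payload", "https://www.iana.example/"]:
        print(u, "->", decide(u))
```

A proxy or DNS filter would consult category feeds rather than a hand-maintained set, but the matching logic and the precedence question (most specific entry wins) are the same. The IP branch exists because a blocked site can be reached by address to bypass a purely name-based list, and the normalization step exists because a list that stores "malware.example" must still catch "MALWARE.example." and the punycode form of look-alike names.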

From an ISO perspective, no documentation (e.g., policy, procedure) is required, but it can be useful to develop a procedure that describes how web filtering is being performed.

8.28 Secure Coding

This is a preventive control that helps ensure software is written securely, reducing the number of potential information security vulnerabilities it contains. According to ISO/IEC 27002:2022, “Secure coding principles should be applied to software development.” Enterprises should establish and apply a minimum secure baseline and implement organization-wide processes to govern secure coding. In practice that baseline names the language-specific practices developers are expected to follow (input validation, output encoding, parameterized queries, use of vetted libraries rather than hand-written cryptography), the static analysis and dependency checks run in the build pipeline, and the review required before code is merged. Real-world threats should be monitored and information about software vulnerabilities gathered to guide the organization’s secure coding principles through continual improvement and learning, so that practices keep pace with the evolving threat landscape.

From an ISO perspective, no documentation (e.g., policy or procedure) is required. However, organizations are advised to include rules about secure coding in their software development policy.

Conclusion

The latest versions of the ISO/IEC 27001 and ISO/IEC 27002 standards reflect advancements in technology and industry practice that are constantly evolving. The standards’ updated structures are an important step toward simplification and ease of use. Although organizations have a transition period before they must adopt the updated standards, it is advisable to begin the work required for alignment with the latest guidelines now.

Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CERTIFIED DATA PROTECTION OFFICER, ISO MS LEAD AUDITOR, ISO MS LEAD IMPLEMENTER

Is an analytical thinker, writer, certified trainer, global mentor, and advisor in the areas of information and communications technology (ICT) governance, cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is a certified data protection officer and was awarded Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022, granted by GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively. He was also named a 2022 Certified Trainer of the Year by the Professional Evaluation and Certification Board (PECB). He is a public speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, cybersecurity, and data privacy. He volunteers at the global level of ISACA® in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com.