In February 2022, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the updated version of their widely used standard ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection—Information security controls, which serves as a reference for generic information security controls including implementation guidance. This document is designed to be used by organizations within the context of an information security management system (ISMS) based on the ISO/IEC 27001 standard, both for implementing information security controls based on internationally recognized best practices and for developing organization-specific information security management guidelines. Among other updates, the revision introduces 11 new controls.
It is important that IT auditors and security practitioners understand the new controls and what is necessary to implement them as part of the changes made to this standard. Though it is neither mandatory for every organization to follow the guidelines of ISO/IEC 27002:2022 nor is it required from a compliance point of view (because the controls may not be applicable if there are no related risk factors or legal, regulatory or contractual requirements), it is always beneficial to understand and establish the controls where possible to strengthen information security within an organization.
5.7 Threat Intelligence
Threat intelligence provides insight into an organization’s threat environment so that appropriate mitigating action can be taken. According to ISO/IEC 27002:2022, “Information relating to information security threats should be collected and analyzed to produce threat intelligence.” It is critical for enterprises to collect and analyze information about existing and/or emerging threats to facilitate informed actions and prevent threats from causing harm and reduce their impact. Organizations should also share intelligence with external organizations on a mutual basis to improve overall threat intelligence.
From an ISO perspective, no documentation is required; however, it is beneficial to include rules about threat intelligence in supplier security policies, incident management procedures and security operating procedures.
5.23 Information Security for Use of Cloud Services
This is a preventive control to specify and manage information security for the use of cloud services. According to ISO/IEC 27001:2022, “Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.” Organizations should establish topic-specific policies related to the use of cloud services and communicate them to all relevant interested parties. This can include defining and communicating how the enterprise intends to manage information security risk associated with the use of cloud services. The use of cloud services may involve shared responsibility for information security and a collaborative effort between the cloud service provider (CSP) and the organization acting as the cloud service customer (CSC). It is essential that the responsibilities of both the CSP and the CSC are defined and implemented appropriately. Specifics related to information security and public cloud services are described in the standard ISO/IEC 27017:2015. Specifics related to personally identifiable information (PII) protection in public clouds acting as PII processors are described in the standard ISO/IEC 27018:2019.
From an ISO perspective, no documentation is required; however, it is best to include rules about cloud services in the supplier security policy and document the processes and procedures that specify the acquisition, use, management and exit from cloud services.
5.30 ICT Readiness for Business Continuity
This is a corrective control with the purpose of ensuring the availability of an organization’s information and other associated assets during disruption. According to ISO/IEC 27002:2022, “[Information and communication technology] (ICT) readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.” ICT readiness for business continuity ensures that an organization’s objectives can continue to be met during disruption. Based on the outputs from the business impact analysis (BIA) and risk assessment involving ICT services, organizations should identify and select ICT continuity strategies that consider options for before, during and after disruption. Further guidance on business continuity management systems can be found in the ISO 22301:2019 and ISO 22313:2020 standards. Further guidance on BIA can be found in ISO/TS 22317:2021.
From an ISO perspective, no documentation is mandated; however, it is required to include the ICT readiness in the disaster recovery plan and internal audit reports. Furthermore, if an organization is implementing or has implemented ISO 22301 standards, it should document readiness through a BIA, business continuity strategy, business continuity plan (BCP), and a business continuity testing plan and report.
7.4 Physical Security Monitoring
This is a preventive and detective control intended to detect and deter unauthorized physical access. According to ISO/IEC 27002:2022, “Premises should be continuously monitored for unauthorized physical access.” Sensitive areas should be monitored so that only authorized people can access them. Physical premises should be monitored by devices such as surveillance systems, intruder alarms and/or video monitoring systems. The design of monitoring systems should remain confidential because disclosure could facilitate undetected break-ins. Monitoring systems must also be protected from unauthorized access to prevent surveillance information from being accessed by unauthorized persons or systems from being disabled remotely. Any monitoring and recording mechanism should be used with consideration of local laws and regulations, including data and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods.
From an ISO perspective, no documentation is required.
8.9 Configuration Management
This is a preventive control to ensure that hardware, software, services and networks function correctly with required security settings and that configuration is not altered by unauthorized or incorrect changes. According to ISO/IEC 27002:2022, “Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.” It is necessary to define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (including cloud services) and networks, for newly installed systems and operational systems over their lifetime. Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes. Standard templates for secure configurations should be defined. Established configurations should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. Configurations should be monitored with a comprehensive set of system management tools and should be reviewed on a regular basis.
From an ISO perspective, this control must be documented. This can be documented as a standard operating procedure or a separate configuration process can be defined. Furthermore, all changes to configurations need to be logged to enable an audit trail.
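As an added illustration of the configuration management control (not part of the article or the standard), the following script records an established secure configuration as a fingerprint, detects drift from the defined baseline, distinguishes authorized from unauthorized changes, and appends every review to a change log that can serve as the audit trail. The baseline settings, the observed state and the approved-fingerprint list are constructed, hypothetical values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed baseline: the organization's standard secure-configuration template
# (hypothetical setting names and values, not taken from ISO/IEC 27002:2022).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "logging.remote_syslog": "enabled",
}

def fingerprint(config):
    """Stable hash of a configuration; this is what gets recorded as the established state."""
    canonical = json.dumps(config, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def detect_drift(baseline, observed):
    """Return {setting: (expected, actual)} for every setting that deviates from the baseline.
    A setting missing from the observed configuration is reported with actual=None."""
    return {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}

def review(baseline, observed, change_log, approved_fingerprints):
    """Compare the observed configuration against the baseline and append an audit-trail entry.
    A drifted configuration whose fingerprint appears in approved_fingerprints is treated as an
    authorized change; any other drift is unauthorized and should trigger investigation."""
    fp = fingerprint(observed)
    drift = detect_drift(baseline, observed)
    if not drift:
        status = "compliant"
    elif fp in approved_fingerprints:
        status = "changed-authorized"
    else:
        status = "changed-unauthorized"
    change_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "fingerprint": fp,
        "status": status,
        "drift": drift,
    })
    return status

if __name__ == "__main__":
    log = []
    # Constructed observed state: root login re-enabled without an approved change record.
    observed = dict(BASELINE, **{"ssh.PermitRootLogin": "yes"})
    print(review(BASELINE, observed, log, approved_fingerprints=set()))
    print(json.dumps(log[-1], indent=2))
```

In practice the observed dictionary would be populated by a system management tool and the change log written to protected storage, as the control requires.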
Conclusion
ISO/IEC 27002:2022 reflects advancements in technology and industrial practices that are constantly evolving. The updates to the standard are imperative steps towards its simplification and ease of use. Though organizations do not have a deadline by which they must adopt the updated standard, it is advisable to proceed with the tasks required to align with the latest version.
Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-Certified Data Protection Officer, ISO MS Lead Auditor, ISO MS Lead Implementer
Is an analytical thinker, writer, certified trainer, global mentor and advisor in the areas of information and communications technology (ICT) governance, cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is a certified data protection officer and was awarded Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022, granted by GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively. He was also named a 2022 Certified Trainer of the Year by the Professional Evaluation and Certification Board (PECB). He is a public speaker and conducts regular training, workshops and webinars on the latest trends and technologies in the fields of digital transformation, cybersecurity and data privacy. He volunteers at the global level of ISACA® in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com.