The new version of ISO 27002 has recently released on February 15, 2022. This new version is restructured, and changes have been done within the controls. In this article, we will discuss key changes that have been bought in the standard in terms of structure, changes in the controls and a brief summary of the new controls.

Structure of the standard

The old standard had 14 sections which have been now reorganized into only four sections.
The new ISO 27002:2022 standard has 93 controls organized in these four sections and 2 Annexures:

• Clause 5 Organizational (37 controls)
• Clause 6 People (8 controls)
• Clause 7 Physical (14 controls)
• Clause 8 Technological (34 controls)
• Annexure A – Using attributes
• Annexure B – Correspondence with ISO 27002:2013

The number of controls in the new version is reduced to 93 from the earlier version, which had 114 controls. The reason for this change may be technological developments and an increased understanding of the application of security practices.

Elements of each control

Two new elements that have been added to the structure describe the attributes and purpose of the control. These elements make it easier for a reader to sort the controls and understand the purpose behind using the control. These are:

• Attribute table: This table define the attributes for each control (refer to section Control Attributes for more details)
• Purpose: Justification for the use of the control

Also, the standard has been simplified in terms of a number of subsections. In the earlier version, there were around 3 subsections; for example: under section ‘7, Human Security’, there was a subsection ‘7.1 Prior to Employment’ and then ‘7.1.1 Screening’. In the new standard, this is now depicted as ‘6 People Control > 6.1 Screening’.

Controls attributes

One of the most significant changes that have been done is the introduction of Control attributes. With the introduction of control attributes, a standardized way of sorting and filtering the controls is provided. This helps in easily identifying the requirements of different departments/groups in an organization.
A sample of how control attributes are depicted in the standard is given below:

Attributes options are described below:

• Control types: Preventive, Detective, and Corrective
• Information security properties: Confidentiality, Integrity, and Availability
• Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
• Operational capabilities: Asset management, Governance, Human resource security, Information protection, System and network security, Physical security, Application Security, Identity and access management, Secure configuration, Continuity, Legal and compliance, Supplier relationships security, Threat and vulnerability management, Information security event management, and Information security assurance
• Security domains: Governance and ecosystem, Protection, Defense, and Resilience

Renamed/Merged controls

23 controls have had their names changed. For example: Teleworking has been renamed “Remote working”.

57 controls have been merged into 24 controls. For example: Some of the logging and monitoring controls have been revised and combined into a new control titled “Monitoring activities”

Impact of changes to ISO 27002 on ISO 27000 series

• The ISO 27000 series is a group of standards that are based on an amalgam of best practices on overall Information security management systems (ISMS).
• ISO 27001 is one of the key standards that provide a framework for developing ISMS in organizations, and this is the standard to which the organizations get certified.
• ISO 27002 which we are discussing in this article, provides guidance on how organizations shall implement the controls given in ISO 27001 standard. ISO 27002 is key to the achievement of the ISO 27001 certification as it explains the implementation of the required controls.
• Due to the changes that have been now bought in ISO 27002, we can expect some changes to ISO 27001 as well soon.

New controls

11 new controls introduced in the standard are given below:

• Threat intelligence
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

We will discuss these in detail in the next section.

Threat intelligence

Threat Intelligence has gained a lot of importance in recent years and is fast becoming vital to cybersecurity efforts put in by companies. ISO framework has now introduced Threat Intelligence as a new requirement setting a precedence for other standards and regulations to follow suit.

Threat Intelligence helps cybersecurity teams proactively prepare for upcoming threats. This is an important addition to ISO standards looking at how quickly and easily even low skilled threat actors can conduct successful Malware/ransomware campaigns these days.

Threat intelligence involves gathering and analysing information on cyberattacks that are currently running or may occur in future. By meeting this requirement, organizations gain a better understanding of the techniques and processes attackers use to gain access to networks. This helps organizations proactively plan methods to defend themselves against these attacks.

Information security for the use of cloud services

Cloud services have become an integral part of most businesses these days. These services provide access to various applications and resources, which reduces the cost required for establishing internal infrastructure or hardware. Cloud services are fully managed by cloud computing vendors and service providers.

It is important that information security requirements are considered while acquiring, using, managing or exiting cloud services. Information security is a shared responsibility between a cloud service provider and a cloud service customer. ISO framework requires that the organization these responsibilities shall be defined and implemented appropriately.

A cloud service agreement should address the confidentiality, integrity, availability and information handling requirements of the organization, with appropriate cloud service level objectives and cloud service qualitative objectives.

ICT readiness for business continuity

The old version of ISO 27002 addressed business continuity which required organizations to ensure information security to an appropriate extent in the event of business interruptions.

The new control "ICT readiness for business continuity" further expands on the requirements for business continuity for information security. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA).

Based on the outputs from the BIA and risk assessment involving ICT services, the organization shall identify and select ICT continuity strategies that consider options for before, during and after the disruption.

The new version requires a business impact analysis as a basis for ICT emergency planning.

7.4 Physical security monitoring

This control requires an organization to ensure that the premises are continuously monitored for any unauthorized physical access. This can be done by monitoring the physical premises through surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider.

This control requires that access to the buildings that house critical systems should be monitored to detect any unauthorised access or suspicious behaviour. The monitoring systems should be kept protected from unauthorised access and the design of these systems should be kept confidential.

The standard also requires that the company takes care of any local laws or regulations including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods. For example, This may require a company to carry out a data protection impact assessment (DPIA) for camera surveillance to comply with GDPR requirements.

8.9 Configuration management

This new control requires that an organization manage the security configuration of hardware, software, services and networks to ensure a proper level of security and to avoid any unauthorized changes. This requires that the configuration is established, documented, implemented, monitored, and reviewed.

To implement this control, organizations need to define and implement processes and tools to enforce the defined configurations including security configurations for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime.

The organization shall also document procedures and assign roles and responsibilities clearly so that there is no ambiguity whenever configuration changes are made. Standard templates shall be defined and reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced.

This control requires proper documentation of configurations and maintenance of logs whenever there are configuration changes. Any changes to configuration shall follow the change management process. Configurations should be monitored and reviewed on a regular basis.

8.10 Information deletion

This control requires an organization to delete information when no longer required. The purpose of this control is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. The information could be stored in information systems, devices or in any other storage media or cloud services.

To comply with this clause, an organization need to establish a process that defines what data needs to be deleted and what are the methods of deletion and responsibilities.

You may need to use tools for secure deletion of sensitive information, which may be mandated by contractual or legal requirements, or as per internal risk assessments done by the organization.

Where cloud services are used, the organization’s processes should ensure that the deletion methods provided by cloud service providers are acceptable. Similarly, in the case of the transfer of equipment to vendors, sensitive information should be protected by removing auxiliary storage such as hard drives and memory before equipment leaves the organization's premises.

8.11 Data masking

This control requires an organization to use data masking in addition to access control to ensure sensitive data is not exposed. This new control is added because of a number of regulations that apply to managing personal data which would primarily be the sensitive data in an organization, but this could include other categories of sensitive data as well.

To comply with the requirement, an organization need to use anonymization or pseudonymization to mask data if this is required by regulations. An organization may also use other methods such as encryption, nulling or deleting characters, varying numbers and dates, replacing values with hash, etc.

8.12 Data leakage prevention

This control requires that an organization apply various data leakage methods to avoid any unauthorized disclosure or extraction of information by individuals or systems. In the event of data leakage, the organization shall have processes in place to detect these in a timely manner. These measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

To comply with these requirements, organizations need to proactively apply measures to avoid any data leakage. Data leakage prevention tools shall be put in place to identify and monitor sensitive information, detect any disclosures of sensitive information and block user actions or network transmissions that expose sensitive information.

Measures can include the implementation of tools to prevent data leakage, for example restricting copy and paste, disabling download to removable storage devices, encryption, email quarantine, etc.

8.16 Monitoring activities

This control requires an organization to monitor its IT systems, networks, and applications to identify any unrecognized activities and take appropriate actions to evaluate potential information security incidents.

The monitoring systems could include outbound and inbound networks, system and application traffic, access to systems, servers, networking equipment, logs from security tools, event logs relating to system and network activity, etc.

An organization should define procedures to respond to positive indicators from the monitoring system in a timely manner and also to identify and address false positives. The purpose is to minimize the effect of adverse events on information security and fine-tune the monitoring software to reduce the number of future false positives.

8.23 Web filtering

This control requires an organization to manage access to certain websites to reduce exposure to malicious content. This will not only protect your systems from being compromised by malware but also prevent users from using illegal materials from the Internet.

To comply with this requirement of the standard, an organization can block access to certain IP addresses, use browsers or anti-malware software, establish rules for safe and appropriate use of online resources, etc.

Also important for compliance with this clause is that organizations create awareness among the employees on the dangers of using the Internet, provide them with the guidelines for safe use, contact points for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons, etc.

8.28 Secure coding

This control requires an organization to develop secure coding principles and apply them in software development. When secure coding is inbuilt into software, you have reduced the risk of vulnerabilities.

Some of the ways this can be achieved are by separating development, test and production environments, providing guidance on the security in the software development life cycle, embedding security requirements in specification, design, security checkpoints, security testing, etc.