Compared to the 2013 version, many of the existing controls were merged, bringing the number of controls down from 116 to 93. There are 11 new controls, none have been deleted. Excluding introductory matter and reference tables there are now 122 pages of control descriptions.
The controls are categorized into 4️⃣ chapters, corresponding to 'themes': organizational, people (concerning individuals), physical, and technological.
This is an improvement in readability over the former 14 chapters, which ranged from the very broad to the oddly specific.
The controls are divided over the 4 themes as follows: 37 Organizational controls, 34 Technological controls, 14 Physical controls and 8 People controls.
🏷️ Each control has 5 associated attributes:
1) Control type: preventive, detective, corrective
2) Information security properties: confidentiality, integrity, availability
3) Cybersecurity concepts: identify, protect, detect, respond, recover
4) Operational capabilities: 15 in all, e.g. asset management, application security, identity and access management.
5) Security domains: governance and ecosystem, protection, defence and resilience.
ISO's Cybersecurity concepts map to the 5 functions of the NIST Cybersecurity Framework. This may be practical in establishing compliance across regions 🇪🇺🇺🇸, and possibly for deploying NIST tooling in environments where security is managed in accordance with the ISO standard.
The Operational capabilities roughly map to business/IT functions and will be helpful when assigning responsibilities during implementation, or for GRC managers and auditors in larger organizations to locate relevant interlocutors for different risk controls.
I don't see much practical use yet for the tagging with 'Information security properties', as 85% of the controls mitigate Confidentiality, Integrity and Availability risks.
Same goes for 'Control type': 9 out of 10 controls are preventive, and about 1 in 7 also deal with detection or correction.
Looking at the Security domains attribute: governance and ecosystem controls cover the compliance function and the risk management process in its context, that one's clear to me. Not so the reasons for tagging a control with Protection or Defence: for instance, 5.33 Protection of records gets Defence, while 5.34 Privacy and protection of PII gets Protection.
Controls tagged with Resilience are also a mixed bag, and a small one at that.
ISO suggests using attributes for 'filtering and sorting' of controls in a spreadsheet or database; I'm working on this and will share it with you when ready! 💪
ISO proposes to add 'organization-specific guidance or attributes' to the controls in such a matrix. As an example, ISO suggests connecting risk treatment plans to controls. This will facilitate compliance auditing, as the application of every control should be risk-based.
On to the new controls! They are: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.
Almost all of them are closely related to controls already present in the 2013 version, but data masking and threat intelligence are new additions, and configuration management was hardly mentioned in 2013.
💡 Threat intelligence is a material addition to the ISO 27001/27002 standard and will require additional activities in the risk management process. Of course, the threat landscape has changed considerably since 2013 and threat intelligence has become an industry in itself.
🔧 Configuration management is an important part of Cloud Security Posture Management (CSPM), a rapidly growing market segment of tooling for reducing configuration mistakes and compliance risks in SaaS and PaaS environments.
Data masking is a technique often deployed to maintain confidentiality of sensitive personal data (PII), to lower privacy risks in the light of legal frameworks such as GDPR.
👨‍🏫 To conclude, the 27002:2022 improves on 2013 with:
1) a more sensible chapter structure,
2) a connection to the 5 functions of the NIST Framework,
3) a proposed connection to Business and IT functions and security domains,
4) the recognition that threat intelligence and configuration management have become essential in cybersecurity.
I hope this helps in making sense of the new ISO 27002. Will be following this up with related threads on specific chapters/controls and suggestions on the transition from the 2013 to the 2022 version.
Check the iso27diy.com website for additional resources!