Changes to the upcoming ISO 27001 standard are due to be released shortly. This article describes major changes to the components of ISO 27001’s Annex Controls by analysing what new modules now exist in the ISO 27002:2022 standard.
These modules will quickly become standard components of risk questionnaires, and will become non-negotiable baseline security requirements whenever your business handles data or provides services.
Organisations, whether ISO certified or not, should start building these components into their information security management system (ISMS) now. Start planning these projects now, as many of them require considerable time and resource allocation to implement successfully.
ISO 27002:2022 – Section 5.7
Organisations must now collect and analyse information relating to cyber security threats in order to produce threat intelligence. Threat intelligence deepens the organisation’s understanding of the business’s threat environment and identifies which mitigation actions are to be implemented against each threat.
The aim of integrating threat intelligence is to allow the company to further prevent potential cyber security incidents and mitigate the impact of threats to the business.
Businesses should divide their Threat Intelligence into three layers, as shown below:
Organisations need to create a process for analysing threat intelligence, and integrate it into their information security risk management processes, preventative and detective controls, and anti-malware solutions.
ISO 27002:2022 – Section 5.23
Organisations should now include processes to ensure the acquisition, use, management and exit from cloud services are all in accordance with the business’s information security policies. The organisation should have clear processes in place for managing information security risks associated with the use of cloud services.
A risk assessment should be carried out for the use of any cloud service, and residual findings should be clearly identified and accepted by organisation management.
Cloud services share information security responsibilities between the provider and the customer; therefore, it is essential that these responsibilities are clearly defined for both parties. In addition, an agreement should be reached between the cloud service provider and the organisation outlining provisions for the protection of the organisation's data and the availability of services.
ISO 27002:2022 – Section 5.30
Organisations need to factor in the availability of information and other associated assets during a disruption.
A business impact analysis (BIA) should be completed in order to assess the impacts over time resulting from the disruption of business activities. BIAs should categorise the impact type, magnitude, and recovery time objective (RTO). Based on the BIA's results, business continuity strategies should be identified that can be executed before, during and after a disruption.
Organisations should ensure there is an adequate organisational structure in place to manage a disruption, supported by personnel with the necessary authority and competence.
ICT continuity plans should be developed to detail response and recovery procedures during a service disruption. Management approval should be sought, and regular evaluation processes (exercises and tests) need to be scheduled.
ISO 27002:2022 – Section 7.4
Company premises should be constantly monitored for unauthorised physical access. This can be achieved by using a multi-faceted surveillance system, shown below:
Physical security controls should be regularly tested to ensure they function correctly. The design of the surveillance system should remain confidential, as disclosure can facilitate an undetected attack. The organisation must adhere to local laws regarding data protection, especially concerning the recording of personnel and video retention periods.
ISO 27002:2022 – Section 8.9
Configuration of hardware, software, services, and networks, including security configurations, should now be documented, implemented, monitored, and reviewed.
This ensures that all systems function correctly with the required security measures in place and have not been altered by unauthorised or incorrect changes.
Companies would benefit from mapping out their configuration management program. Items to be considered when establishing mapping templates for the secure configuration of hardware, software, services, and networks include:
Additionally, a log of all configuration changes (e.g., a database recording each configuration change and the personnel who made it) should be kept, securely stored, and regularly monitored using a comprehensive set of system management tools (e.g., maintenance utilities, remote support).
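One way to operationalise this control is to compare each host's observed configuration against the documented baseline and then cross-check every deviation against the change log, so that drift with no approved change record stands out. The following Python is an added illustration, not code from the article or from Infotrust; the baseline items, observed values, operator names and ticket numbers are constructed samples.

```python
"""Configuration baseline check with a change log, as an added illustration of
ISO 27002:2022 control 8.9 (not code from the article or from Infotrust).
Baseline values, observed values and operator names are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented secure baseline for one class of hosts (constructed values).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "audit.enabled": "yes",
}

@dataclass
class ChangeRecord:
    """One change-log entry: which item changed, who changed it, and the
    approval ticket (None when the change was made without approval)."""
    item: str
    new_value: str
    changed_by: str
    change_ticket: Optional[str]

def check_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> Dict[str, str]:
    """Return {item: description} for every deviation from the baseline:
    a changed value, a missing item, or an undocumented extra item."""
    findings = {}
    for item, expected in baseline.items():
        if item not in observed:
            findings[item] = f"missing (expected {expected!r})"
        elif observed[item] != expected:
            findings[item] = f"expected {expected!r}, found {observed[item]!r}"
    for item in observed.keys() - baseline.keys():
        findings[item] = "undocumented item not in baseline"
    return findings

def unauthorised_drift(findings: Dict[str, str], log: List[ChangeRecord]) -> Dict[str, str]:
    """Keep only deviations that no ticketed change record explains; these are
    the unauthorised or incorrect changes the control asks you to catch."""
    approved = {r.item for r in log if r.change_ticket is not None}
    return {item: why for item, why in findings.items() if item not in approved}

# Constructed observation of one host and the change log for that host.
OBSERVED = {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
            "firewall.default_inbound": "allow", "audit.enabled": "yes",
            "telnet.enabled": "yes"}
CHANGE_LOG = [ChangeRecord("firewall.default_inbound", "allow", "alice", "CHG-0042"),
              ChangeRecord("ssh.PasswordAuthentication", "yes", "bob", None)]
```

Running `unauthorised_drift(check_drift(BASELINE, OBSERVED), CHANGE_LOG)` flags the password-authentication change (made without a ticket) and the undocumented telnet setting, while the firewall change covered by CHG-0042 is left for the normal review cycle.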
ISO 27002:2022 – Section 8.10
While not new to most organisations, ISO 27002 has explicitly formalised a requirement that information, especially sensitive records, should be deleted as soon as it is no longer required. This reduces unnecessary exposure and helps organisations comply with increasing legislation regarding information deletion. In addition, the results of deletion should be recorded as evidence (including when a service supplier performs the deletion).
Organisations should configure systems to automatically destroy information when it is no longer required, to delete obsolete versions, to use approved deletion methods so that specialist tools cannot recover the data, and to use approved providers of disposal services.
ISO 27002:2022 – Section 8.11
When protecting sensitive data, organisations should consider hiding such data by implementing methods such as data masking, pseudonymisation or anonymisation.
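The three techniques named above differ in what they preserve: masking redacts for display, pseudonymisation keeps records linkable while only a key holder can reproduce the mapping, and anonymisation generalises so that nothing re-identifiable remains. The following Python is an added illustration, not code from the article or from Infotrust; the customer record, the key and the field choices are constructed assumptions.

```python
"""Hiding sensitive data by masking, pseudonymisation and anonymisation, as an
added illustration of ISO 27002:2022 control 8.11 (not code from the article
or from Infotrust). The record and the key are constructed samples; in practice
the key lives in a secrets store, separate from the data."""
import hashlib
import hmac

PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key

def mask(value: str, keep_last: int = 4, char: str = "*") -> str:
    """Masking: irreversible partial redaction for display, e.g. a card
    number shown as ************1111. Nothing about the hidden part survives."""
    if len(value) <= keep_last:
        return char * len(value)
    return char * (len(value) - keep_last) + value[-keep_last:]

def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudonymisation: replace an identifier with a keyed token. The same
    input always yields the same token, so records stay linkable, but only the
    key holder can reproduce the mapping. An unkeyed hash would not do: anyone
    with a list of candidate identifiers could hash them and match tokens."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def anonymise_postcode(postcode: str) -> str:
    """Anonymisation by generalisation: keep only the leading area so the value
    no longer singles out an individual, with no key that could undo it."""
    return postcode.strip()[:2] + "**"

def age_band(age: int, width: int = 10) -> str:
    """Anonymisation by banding: 37 becomes '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"

def protect_record(rec: dict) -> dict:
    """Build an analytics extract: one technique per field, depending on whether
    the field must stay linkable (email), displayable (card) or merely useful
    in aggregate (postcode, age). The raw email never leaves this function."""
    return {
        "customer_id": pseudonymise(rec["email"]),
        "card": mask(rec["card"]),
        "postcode": anonymise_postcode(rec["postcode"]),
        "age_band": age_band(rec["age"]),
        "spend": rec["spend"],
    }

# Constructed customer record.
RECORD = {"email": "Jane.Doe@example.com", "card": "4111111111111111",
          "postcode": "2000", "age": 37, "spend": 125.50}
```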
ISO 27002:2022 – Section 8.12
Organisations should now apply data leakage prevention (DLP) measures to any systems, networks and devices that transmit, store or process sensitive information, in order to prevent the unauthorised disclosure and extraction of information by individuals or systems.
Organisations should also determine if user permissions must be restricted (such as copy/paste, screenshot privileges). Data leakage prevention tools typically involve monitoring personnel’s communication channels; the organisation should consider relevant legislation before implementing controls.
ISO 27002:2022 – Section 8.16
Organisations should ensure they are monitoring networks, systems, and applications in order to detect anomalous behaviour and potential information security incidents. The scope and level of monitoring should be in accordance with business and security needs.
Monitoring systems should be configured against baseline parameters in order to determine anomalous behaviour. Behaviours may include unplanned termination of processes or applications, known attack characteristics (e.g., DoS), unusual system behaviour, and unauthorised access.
Dedicated incident response procedures and competent personnel should be allocated to respond to real-time alerts from the monitoring system.
ISO 27002:2022 – Section 8.23
Organisations should look to restrict access to external websites in order to limit exposure to malicious content. Techniques include blocking the IP addresses or domains of specific websites; some browsers and anti-malware applications do this automatically.
Organisations should also have policies for the permissible use of online resources, and should train personnel on the organisation's rules, the contact points for raising security concerns, and the process for obtaining exceptions to access restricted content for legitimate business purposes.
ISO 27002:2022 – Section 8.28
Formalised policies should be established regarding secure coding principles to limit the number of vulnerabilities when writing software.
These should also cover software components from third parties and open-source software. Applying secure coding principles during development is now also a requirement for ISO 27002 alignment. Before software is made operational, its attack surface should be evaluated and the principle of least privilege applied, and the organisation should ensure that common programming errors have been mitigated.
After code has been made operational, updates should be securely packaged and deployed, reported vulnerabilities handled immediately, and code protected from unauthorised access.
Analyse your current cyber security systems and policies to assess how far your company has progressed in implementing these modules. If your company has not implemented them, place them on your FY23 improvement roadmap.
At Infotrust, we consult on ISO/IEC 27001 standards and can support you in implementing these standards and strengthening your security strategy. If you'd like to find out more about our security and advisory services, contact us here: https://www.infotrust.com.au/contact.