New Requirements for ISO 27001 Certification: An In-Depth Instruction Guide
Changes to the upcoming ISO 27001 standard are due to be released shortly. This article describes major changes to the components of ISO 27001’s Annex Controls by analysing what new modules now exist in the ISO 27002:2022 standard.
DOES THIS APPLY TO ME?
These modules will quickly become standard components of risk questionnaires, and will become non-negotiable baseline security requirements when your business handles data or provides services.
Organisations, whether ISO certified or not, should start building these components into their information security management system (ISMS) now. Start planning to implement these projects now, as many of them require considerable time and resource allocation to be implemented successfully.
NEW MODULE: THREAT INTELLIGENCE
ISO 27002:2022 – Section 5.7
Organisations must now collect and analyse information relating to cyber security threats in order to produce threat intelligence. Threat intelligence deepens the organisation’s understanding of the business’s threat environment and identifies which mitigation actions are to be implemented against each threat.
The aim of integrating threat intelligence is to allow the company to further prevent potential cyber security incidents and mitigate the impact of threats to the business.
Businesses should divide their Threat Intelligence into three layers, as shown below:
[Figure: Threat intelligence: three-layer model]
Organisations need to create a process for analysing threat intel, and integrate it into their information security risk management processes, preventative and detective controls and anti-malware solutions.
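One concrete way to integrate threat intelligence into a detective control, as the section describes, is to match the indicators a feed supplies against the organisation's own logs and carry the agreed mitigation along with each hit. The following is an added example, not code from the article or from InfoTrust: the feed entries, proxy log lines, hostnames and IP addresses are all constructed (the addresses come from the RFC 5737 documentation ranges), and the key=value log layout is an assumption.

```python
"""Threat-intelligence indicator matching against proxy logs.
Added example, not from the original article. The feed, log lines, hostnames
and IP addresses are all constructed for illustration (RFC 5737 test ranges)."""
import ipaddress
import re

# Constructed feed: each indicator carries the threat it relates to and the
# mitigation the organisation chose for it (the control asks for that mapping).
THREAT_FEED = [
    {"indicator": "203.0.113.0/24", "type": "ipv4-range",
     "threat": "known scanning infrastructure", "action": "block at perimeter firewall"},
    {"indicator": "bad-updates.example", "type": "domain",
     "threat": "malware command-and-control", "action": "sinkhole in internal DNS"},
]

# Constructed proxy log lines in an assumed key=value layout.
PROXY_LOGS = [
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.7 host=intranet.example action=allow",
    "2024-03-01T10:00:02Z src=10.0.0.9 dst=203.0.113.45 host=cdn.bad-updates.example action=allow",
    "2024-03-01T10:00:03Z src=10.0.0.12 dst=192.0.2.10 host=docs.example action=allow",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")


def compile_feed(feed):
    """Turn the raw feed into lookup structures: parsed networks and a
    dictionary of domains (matched on the exact name or any parent label)."""
    nets, domains = [], {}
    for entry in feed:
        if entry["type"] == "ipv4-range":
            nets.append((ipaddress.ip_network(entry["indicator"]), entry))
        elif entry["type"] == "domain":
            domains[entry["indicator"].lower()] = entry
    return nets, domains


def domain_matches(host, domains):
    """Yield feed entries whose domain equals host or one of its parent domains,
    so that cdn.bad-updates.example matches the listed bad-updates.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            yield domains[candidate]


def match_logs(logs, feed):
    """Return one hit per (log line, indicator) pair with the threat and the
    agreed mitigation, ready to hand to the detective control or SIEM."""
    nets, domains = compile_feed(feed)
    hits = []
    for lineno, line in enumerate(logs, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        dst = ipaddress.ip_address(m.group("dst"))
        for net, entry in nets:
            if dst in net:
                hits.append({"line": lineno, "src": m.group("src"), "indicator": entry["indicator"],
                             "threat": entry["threat"], "action": entry["action"]})
        for entry in domain_matches(m.group("host"), domains):
            hits.append({"line": lineno, "src": m.group("src"), "indicator": entry["indicator"],
                         "threat": entry["threat"], "action": entry["action"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(PROXY_LOGS, THREAT_FEED):
        print(f"line {hit['line']}: {hit['src']} -> {hit['indicator']} ({hit['threat']}); {hit['action']}")
```

The second log line produces two hits (one for the address range, one for the parent domain), which is the point of keeping the indicator types separate: an analyst reviewing the alert sees both the threat each indicator represents and the mitigation already decided for it, rather than a bare match.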
NEW MODULE: INFORMATION SECURITY FOR USE OF CLOUD SERVICES
ISO 27002:2022 – Section 5.23
Organisations should now include processes to ensure the acquisition, use, management and exit from cloud services are all in accordance with the business’s information security policies. The organisation should have clear processes in place for managing information security risks associated with the use of cloud services.
A risk assessment should be carried out for the use of any cloud service, and residual findings should be clearly identified and accepted by organisation management.
Cloud services share information security responsibilities between the provider and the customer; therefore, it is essential that these responsibilities are clearly defined for both parties. In addition, an agreement should be reached between the cloud service provider and the organisation outlining provisions for the protection of the organisation's data and the availability of services.
NEW MODULE: ICT READINESS FOR BUSINESS CONTINUITY
ISO 27002:2022 – Section 5.30
Organisations need to factor in the availability of information and other associated assets during a disruption.
A business impact analysis (BIA) should be completed in order to assess the impacts over time resulting from the disruption of business activities. BIAs should categorise the impact type, magnitude and recovery time objective (RTO). Business continuity strategies that allow for execution before, during and after a disruption should be identified based on the BIA's results.
Organisations should ensure there is an adequate organisational structure in place to manage a disruption, supported by personnel with the necessary authority and competence.
ICT continuity plans should be developed to detail response and recovery procedures during a service disruption. Management approval should be sought, and regular evaluation processes (exercises and tests) need to be scheduled.
NEW MODULE: PHYSICAL SECURITY MONITORING
ISO 27002:2022 – Section 7.4
Company premises should be constantly monitored for unauthorised physical access. This can be achieved by using a multi-faceted surveillance system, shown below:
Physical security controls should be regularly tested to ensure they function correctly. The design of the surveillance system should remain confidential, as disclosure can facilitate an undetected attack. The organisation must adhere to local laws regarding data protection, especially concerning the recording of personnel and video retention periods.
NEW MODULE: CONFIGURATION MANAGEMENT
ISO 27002:2022 – Section 8.9
Configuration of hardware, software, services and networks, including security configurations, should now be documented, implemented, monitored and reviewed.
This must be done so that organisations can ensure all systems are functioning correctly with the required security measures and have not been altered by unauthorised or incorrect changes.
Companies would benefit from mapping out their configuration management program. Items to be considered when establishing mapping templates for the secure configuration of hardware, software, services, and networks include:
Additionally, a log should be kept of all configuration changes (e.g., a database recording each change and the personnel who made it). This log should be securely stored and regularly reviewed, supported by a comprehensive set of system management tools (e.g., maintenance utilities, remote support).
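To show what "documented, monitored and reviewed" looks like in practice, here is an added example (not code from the article or from InfoTrust) that keeps a documented baseline, compares it with a snapshot collected from a host, and reconciles each difference against a change log so that only unexplained drift is reported. The hostname, settings, people and ticket number are constructed, and the flat dotted setting names are an assumption about how a collection tool would report them.

```python
"""Configuration baseline, drift detection and change log.
Added example, not from the original article; hostnames, settings, people
and ticket numbers are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed documented baseline for one host: the approved secure settings.
BASELINE = {
    "web-01": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "tls.min_version": "1.2",
        "firewall.default_inbound": "deny",
    }
}

# Constructed snapshot as a collection tool might report it from the live host.
OBSERVED = {
    "web-01": {
        "ssh.PasswordAuthentication": "yes",   # drifted from the baseline
        "ssh.PermitRootLogin": "no",
        "tls.min_version": "1.2",
        "firewall.default_inbound": "deny",
        "ntp.server": "ntp.example",           # not in the baseline at all
    }
}


def fingerprint(config):
    """Stable SHA-256 of a configuration, useful for spotting any change quickly."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, observed):
    """Return {host: [(key, expected, actual), ...]} for every difference.
    expected is None for a key absent from the baseline; actual is None for a
    baseline key missing on the host."""
    drift = {}
    for host, expected_cfg in baseline.items():
        actual_cfg = observed.get(host, {})
        diffs = []
        for key in sorted(set(expected_cfg) | set(actual_cfg)):
            exp, act = expected_cfg.get(key), actual_cfg.get(key)
            if exp != act:
                diffs.append((key, exp, act))
        if diffs:
            drift[host] = diffs
    return drift


def record_change(change_log, host, key, old, new, changed_by, approved, ticket=None):
    """Append a change-log entry (who, what, when, approval) and return it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "host": host, "key": key, "old": old, "new": new,
        "changed_by": changed_by, "approved": approved, "ticket": ticket,
    }
    change_log.append(entry)
    return entry


def unapproved_drift(drift, change_log):
    """Drift items with no approved change-log entry explaining them: these are
    the unauthorised or incorrect changes the control is meant to catch."""
    approved = {(e["host"], e["key"], e["new"]) for e in change_log if e["approved"]}
    return {
        host: [d for d in diffs if (host, d[0], d[2]) not in approved]
        for host, diffs in drift.items()
    }


if __name__ == "__main__":
    log = []
    record_change(log, "web-01", "ntp.server", None, "ntp.example", "alice", True, "CHG-0042")
    for host, diffs in unapproved_drift(detect_drift(BASELINE, OBSERVED), log).items():
        for key, exp, act in diffs:
            print(f"{host}: {key} expected {exp!r} but found {act!r} with no approved change")
```

Run on the constructed data, the NTP server addition is explained by an approved change and drops out of the report, while the re-enabled SSH password authentication has no matching entry and is flagged for review.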
NEW MODULE: INFORMATION DELETION
ISO 27002:2022 – Section 8.10
While not new to most organisations, ISO 27002 has explicitly formalised a requirement that information, especially sensitive records, should be deleted as soon as it is no longer required. This reduces unnecessary exposure and helps organisations comply with increasing legislation regarding information deletion. In addition, the results of deletion should be recorded as evidence (including when a service supplier is used for information deletion).
Organisations should configure systems to automatically destroy information when it is no longer required, to delete obsolete versions, to use approved deletion methods so that specialist tools cannot recover the data, and to use approved providers of disposal services.
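The two concrete requirements above, automatic deletion once a retention period lapses and a recorded result for each deletion, can be demonstrated with a small retention job. This is an added example, not code from the article or from InfoTrust: the retention periods, record categories, file store and operator name are constructed, and the single zero-overwrite pass is shown as an illustrative deletion method rather than a claim about what any particular approved method requires.

```python
"""Retention-driven deletion with evidence records.
Added example, not from the original article; the retention periods,
record index, files and operator name are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed retention policy: how long each record category may be kept.
RETENTION_DAYS = {"invoice": 7 * 365, "support-ticket": 365, "web-session": 30}
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def build_sample_store(now):
    """Create a temporary store with three constructed records and an index
    describing each record's category and creation time."""
    root = tempfile.mkdtemp(prefix="retention-demo-")
    index = []
    for rec_id, category, age_days in [("inv-1001", "invoice", 400),
                                       ("tkt-7", "support-ticket", 400),
                                       ("sess-42", "web-session", 45)]:
        path = os.path.join(root, rec_id + ".json")
        with open(path, "w") as fh:
            json.dump({"id": rec_id, "body": "constructed sample record"}, fh)
        index.append({"id": rec_id, "category": category, "path": path,
                      "created": (now - timedelta(days=age_days)).isoformat()})
    return root, index


def is_expired(record, now):
    created = datetime.fromisoformat(record["created"])
    return created + timedelta(days=RETENTION_DAYS[record["category"]]) < now


def secure_delete(path):
    """Overwrite the file contents before unlinking. A single zero pass is the
    illustrative method here; on journaling file systems and SSDs an overwrite
    does not guarantee the data is unrecoverable, so encryption at rest and
    the storage platform's own sanitisation should back it up."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return "overwrite-1-pass+unlink"


def purge_expired(index, now, operator):
    """Delete every expired record and return the evidence entries the control
    asks to be retained (what, when, how, by whom, content hash). The index is
    updated in place so only surviving records remain."""
    evidence, remaining = [], []
    for record in index:
        if not is_expired(record, now):
            remaining.append(record)
            continue
        with open(record["path"], "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        method = secure_delete(record["path"])
        evidence.append({"record_id": record["id"], "category": record["category"],
                         "created": record["created"], "deleted_at": now.isoformat(),
                         "method": method, "content_sha256": digest, "deleted_by": operator})
    index[:] = remaining
    return evidence


def run_demo(now=DEMO_NOW, operator="retention-job"):
    """Build the sample store, run the purge, and report which records survive."""
    _root, index = build_sample_store(now)
    paths = {r["id"]: r["path"] for r in index}
    evidence = purge_expired(index, now, operator)
    survivors = {rid: os.path.exists(p) for rid, p in paths.items()}
    return evidence, survivors


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(json.dumps(entry))
```

The evidence entries are what an auditor, or the organisation itself, can check later: which record was removed, under which retention rule, by which method, and a hash of the content that was destroyed, without retaining the content itself.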
NEW MODULE: DATA MASKING
ISO 27002:2022 – Section 8.11
When protecting sensitive data, organisations should consider hiding such data by implementing methods such as data masking, pseudonymisation or anonymisation.
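The three techniques named above serve different purposes, and the difference is easiest to see on one record. The following added example (not code from the article or from InfoTrust) produces a masked view for support staff, a pseudonymised view that still allows records to be joined, and an anonymised view for analytics. The customer record, the field names and the HMAC key are constructed; a real key would live in a key management service.

```python
"""Masking, pseudonymisation and anonymisation side by side.
Added example, not from the original article; the record and the key are
constructed for illustration (never hard-code a real pseudonymisation key)."""
import hashlib
import hmac
import re

# Constructed customer record containing direct and indirect identifiers.
RECORD = {
    "name": "Jane Citizen",
    "email": "jane.citizen@example.com",
    "card_number": "4111111111111111",
    "age": 37,
    "postcode": "2000",
    "purchase_total": 149.90,
}

# Constructed secret; in practice it is fetched from a key management service.
PSEUDONYM_KEY = b"demo-key-do-not-use"


def mask_card(pan, keep=4):
    """Masking: hide all but the last digits so support staff can confirm a card
    without seeing the full number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def mask_email(address):
    """Masking: keep the first character and the domain."""
    local, _, domain = address.partition("@")
    return local[:1] + "***@" + domain


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Pseudonymisation: a keyed HMAC token replaces the identifier. The same
    input always yields the same token (so records can still be joined), but
    without the key the original cannot be recovered or confirmed by guessing."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(record):
    """Anonymisation: drop direct identifiers and generalise quasi-identifiers
    (age to a band, postcode to its first two digits) so the row no longer
    points to one person. Irreversible by design."""
    band_start = record["age"] // 10 * 10
    return {
        "age_band": f"{band_start}-{band_start + 9}",
        "postcode_prefix": record["postcode"][:2],
        "purchase_total": record["purchase_total"],
    }


def protect(record):
    """Produce the three views of one record for the three use cases."""
    return {
        "masked": {**record, "card_number": mask_card(record["card_number"]),
                   "email": mask_email(record["email"])},
        "pseudonymised": {**record, "name": pseudonymise(record["name"]),
                          "email": pseudonymise(record["email"]),
                          "card_number": pseudonymise(record["card_number"])},
        "anonymised": anonymise(record),
    }


if __name__ == "__main__":
    for view, data in protect(RECORD).items():
        print(view, data)
```

Note that a plain unkeyed hash would not be adequate pseudonymisation for low-entropy values such as e-mail addresses or card numbers, because an attacker can hash guesses and compare; the keyed HMAC is what stops that.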
NEW MODULE: DATA LEAKAGE PREVENTION
ISO 27002:2022 – Section 8.12
Organisations should now implement data leakage prevention (DLP) measures on any systems, networks and devices that transmit, store or process sensitive information, in order to prevent the unauthorised disclosure and extraction of information by individuals or systems.
Organisations should also determine whether user permissions must be restricted (for example, copy/paste or screenshot privileges). Data leakage prevention tools typically involve monitoring personnel's communication channels; the organisation should consider relevant legislation before implementing controls.
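At the centre of any DLP tool is a content-inspection rule that decides what to do with an outbound message. The added example below (not code from the article or from InfoTrust) inspects constructed messages for card numbers, using a Luhn check to avoid reporting order numbers as cards, and for a classification label, then blocks, flags or allows depending on whether the recipient is external. The internal domain, the recipients, the label and the message bodies are all constructed.

```python
"""Content inspection for outbound messages, the core of a DLP rule.
Added example, not from the original article; the messages, recipients,
domains and classification label are constructed for illustration."""
import re

INTERNAL_DOMAIN = "example.com"                        # constructed
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")      # 13 to 19 digits, optional separators
CLASSIFICATION_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_valid(candidate):
    """Luhn check so that random digit strings (order numbers, phone numbers)
    are not reported as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return findings as (kind, detail) pairs; only the last four card digits
    are kept so the DLP log does not itself become a store of card numbers."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            digits = re.sub(r"\D", "", m.group())
            findings.append(("card_number", digits[-4:]))
    if CLASSIFICATION_RE.search(text):
        findings.append(("classification_label", "CONFIDENTIAL"))
    return findings


def evaluate(message):
    """Decide allow / flag / block for one outbound message. Sensitive content
    to an external recipient is blocked; to an internal recipient it is
    allowed through but flagged for review."""
    findings = find_sensitive(message["body"] + " " + message.get("subject", ""))
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in message["to"])
    if not findings:
        decision = "allow"
    elif external:
        decision = "block"
    else:
        decision = "flag"
    return {"decision": decision, "external": external, "findings": findings}


# Constructed sample traffic.
MESSAGES = [
    {"to": ["partner@example.org"], "subject": "Q3 numbers",
     "body": "Please find the CONFIDENTIAL board pack attached."},
    {"to": ["finance@example.com"], "subject": "Refund",
     "body": "Refund card 4111 1111 1111 1111 for order 1234 5678 9012 3456"},
    {"to": ["friend@example.net"], "subject": "Lunch",
     "body": "Table for two at 12:30?"},
]


if __name__ == "__main__":
    for msg, result in zip(MESSAGES, map(evaluate, MESSAGES)):
        print(msg["subject"], "->", result["decision"], result["findings"])
```

The second message shows why the Luhn check matters: both sixteen-digit strings match the pattern, but only the card number passes the check, so the order number does not generate a finding.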
NEW MODULE: MONITORING ACTIVITIES
ISO 27002:2022 – Section 8.16
Organisations should ensure they are monitoring networks, systems, and applications in order to detect anomalous behaviour and potential information security incidents. The monitoring scope and level should be in accordance with business needs and security needs.
Monitoring systems should be configured against baseline parameters in order to determine anomalous behaviour. Behaviours may include unplanned termination of processes or applications, known attack characteristics (e.g., DoS), unusual system behaviour, and unauthorised access.
Dedicated incident response procedures and competent personnel should be allocated to respond to real-time alerts from the monitoring system.
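The section asks for monitoring configured against baseline parameters and for detection of the listed behaviours (unplanned process termination, known attack characteristics such as DoS, unauthorised access). The added example below (not code from the article or from InfoTrust) builds a request-rate baseline from a period judged to be normal and then raises alerts for a source far above that baseline, a burst of authentication failures, and an unexpected process exit. The log format, hosts, addresses, users and thresholds are constructed assumptions.

```python
"""Baseline-driven monitoring over constructed log lines.
Added example, not from the original article; hosts, addresses, users,
thresholds and the log format are all constructed for illustration."""
import re
import statistics
from collections import Counter

KV_RE = re.compile(r"(\w+)=(\S+)")
AUTH_FAIL_LIMIT = 5          # failures per source per window before alerting
MIN_RATE_THRESHOLD = 10      # floor so a quiet baseline does not alert on noise


def parse(line):
    """Parse 'timestamp key=value ...' into a dict; the minute is kept for bucketing."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = ts
    event["minute"] = ts[:16]          # YYYY-MM-DDTHH:MM
    return event


def per_minute_counts(events):
    """Requests per (source, minute), the quantity the baseline is built on."""
    return Counter((e["src"], e["minute"]) for e in events if e.get("event") == "request")


def build_baseline(training_lines):
    """Mean and population standard deviation of per-minute request counts
    during a period judged to be normal, plus the derived alert threshold."""
    counts = list(per_minute_counts(map(parse, training_lines)).values())
    mean, std = statistics.mean(counts), statistics.pstdev(counts)
    return {"mean": mean, "std": std,
            "threshold": max(MIN_RATE_THRESHOLD, mean + 3 * std)}


def detect(live_lines, baseline):
    """Compare live activity against the baseline and known-bad patterns."""
    events = [parse(line) for line in live_lines]
    alerts = []
    # Rate far above baseline: the characteristic of a DoS or scanning source.
    for (src, minute), n in sorted(per_minute_counts(events).items()):
        if n > baseline["threshold"]:
            alerts.append({"type": "rate_anomaly", "src": src, "minute": minute,
                           "count": n, "threshold": baseline["threshold"]})
    # Repeated authentication failures: unauthorised access attempts.
    failures = Counter(e["src"] for e in events if e.get("event") == "auth_fail")
    for src, n in sorted(failures.items()):
        if n >= AUTH_FAIL_LIMIT:
            alerts.append({"type": "auth_failure_burst", "src": src, "count": n})
    # Unplanned termination of a process or application.
    for e in events:
        if e.get("event") == "process_exit" and e.get("expected") == "no":
            alerts.append({"type": "unplanned_termination", "host": e["host"],
                           "name": e["name"], "code": e["code"]})
    return alerts


def constructed_training():
    """Five quiet minutes from three internal sources (constructed)."""
    lines = []
    for src in ("10.0.0.5", "10.0.0.9", "10.0.0.12"):
        for minute, n in enumerate((4, 5, 6, 5, 4)):
            lines += [f"2024-03-01T09:0{minute}:{s:02d}Z host=web-01 event=request src={src}"
                      for s in range(n)]
    return lines


def constructed_live():
    """A live window containing one noisy external source, a login-failure
    burst and an unexpected process exit (constructed)."""
    lines = [f"2024-03-01T10:00:{s:02d}Z host=web-01 event=request src=198.51.100.7" for s in range(60)]
    lines += [f"2024-03-01T10:00:{s:02d}Z host=web-01 event=request src=10.0.0.5" for s in range(5)]
    lines += [f"2024-03-01T10:01:{s:02d}Z host=web-01 event=auth_fail user=admin src=198.51.100.7"
              for s in range(6)]
    lines.append("2024-03-01T10:02:00Z host=web-01 event=process_exit name=nginx code=137 expected=no")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_live(), build_baseline(constructed_training())):
        print(alert)
```

The baseline is what turns "unusual system behaviour" into something measurable: the threshold is derived from observed normal traffic with a floor, so the same rule adapts to a busy and a quiet system, and each alert carries the numbers the incident response procedure needs to triage it.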
NEW MODULE: WEB FILTERING
ISO 27002:2022 – Section 8.23
Organisations should look to restrict access to external websites in order to limit exposure to malicious content. Techniques include blocking the IP addresses or domains of specific websites; some browsers and anti-malware applications do this automatically.
Organisations should have previously developed policies for permissible use of online resources and provided training to personnel on organisation rules, contact points for raising security concerns, and exceptions to access restricted content for legitimate business purposes.
NEW MODULE: SECURE CODING
ISO 27002:2022 – Section 8.28
Formalised policies should be established regarding secure coding principles to limit the number of vulnerabilities when writing software.
These should also cover software components from third parties and open-source software. Secure coding principles applied during coding are now also requirements for ISO 27002 alignment. Before software is made operational, the attack surface and the principle of least privilege should be evaluated, and the organisation should ensure that common programming errors have been mitigated.
After code has been made operational, updates should be securely packaged and deployed, reported vulnerabilities should be handled immediately, and code should be protected from unauthorised access.
WHERE TO, FROM HERE?
Analyse your current cybersecurity systems and policies to assess how far your company has progressed in implementing these modules. If your company has not implemented them, place them on your FY23 improvement roadmap.
At InfoTrust, we consult on ISO/IEC 27001 standards and can support you in implementing these standards and strengthen your security strategy. If you’d like to find out more about our security and advisory services, contact me directly or visit our website - https://www.infotrust.com.au/contact.