As cybersecurity threats and attacks increase by leaps and bounds, the International Organization of Standardization (ISO) has developed and periodically updates information security frameworks to provide guidance on the implementation of controls to protect information assets.
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls is one of them. It provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environments.
ISO/IEC 27002 is designed to be used by organizations that intend to:
- Select controls within the process of implementing an information security management system (ISMS) based on ISO/IEC 27001
- Implement commonly accepted information security controls
- Develop their own information security management guidelines
This article aims to provide an insight into the new updates of ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls. It also highlights the importance of a new requirement and presents its impact on organizations seeking to implement an ISMS against ISO/IEC 27001:2013.
ISO 27002: An introduction
The ISO 27000 family of ISO standards is closely tied to cybersecurity resilience. ISO/IEC 27001 is a central part of this family. Annex A of ISO/IEC 27001 presents various security controls to help meet the key requirements of the standard.
ISO/IEC 27002 provides guidelines on the implementation of controls of ISO/IEC 27001, Annex A. Unlike ISO/IEC 27001, organizations cannot be certified against ISO/IEC 27002.
Like all other ISO publications, ISO/IEC 27002 is reviewed periodically to remain up-to-date with its ever-changing industry. The new version is currently under development by the ISO Technical Committee: ISO/IEC JTC 1/SC 27 (Information security, cybersecurity, and privacy protection) and will soon be published in January 2022.
The expected changes
The newest version is expected to have an updated structure. It is expected to contain four chapters in contrast to 14 of the previous version. The chapters are as follows:
- People controls (8)
- Organizational controls (37)
- Technological controls (34)
- Physical controls (14)
The updated version is expected to have 93 controls, while its predecessor had 114. The majority of controls (61) remain unchanged. There are 11 new controls added, 3 have been deleted, and 48 have been consolidated.
The 93 controls are each tagged with the set of five ‘attributes’ below:
- Control type: preventive, detective, and/or corrective
- Information security properties: “Confidentiality,” “Integrity,” and/or “Availability”
- Cybersecurity concepts: “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”
- Operational capabilities: governance, asset management, information protection human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance
- Security domains: governance and ecosystem, protection, defense, and resilience
The following controls have been introduced in the new version of ISO/IEC 27002:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Information deletion
- Configuration management
- Secure coding
- Web filtering
- Monitoring services
- Data leakage prevention
- Data masking
New and important addition: Threat intelligence
The new version of ISO/IEC 27002 should be implemented to the fullest extent possible to mitigate known risks and avoid cybersecurity attacks. The new controls have been added by considering the newly emerging threat landscape. One update we think is really important is the changes regarding threat intelligence.
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionoriented advice about an existing or emerging threat. It is contextual information that enables organizations to take proactive actions that can prevent, or at least mitigate, cyberattacks. It can be used to make informed decisions and responses to a threat.
Threat intelligence is about information; about potential attackers, their intents, motivations, and capabilities, and about possible Indicators of Compromise (IoC). This information can help cybersecurity professionals make faster, more informed security decisions and prepare for cyberattacks.
Threat intelligence is at pole position in the list of new controls. It provides information to security analysts regarding threats that have targeted or will target the organization. All information security experts agree that any data compromise can be devastating and must be avoided at all costs.
The updated version of ISO/IEC 27002 that will be published, will provide new guidance on threat intelligence controls and how their effective implementation and proper maintenance can help security leaders implement and maintain an effective ISMS based on ISO 27001.
This can be done through the preparation, identification, and prevention of cybersecurity threats that can compromise valuable corporate information assets and sensitive data, such as personally identifiable information (PII), protected health information/electronically protected health information (PHI/ePHI), card holder data (CHD), and any regulated, business, confidential/high-risk data.
Implementing a cyber threat intelligence tool can effectively address these issues and strengthen organizations’ security postures by:
- Revealing the actors’ intent and capability, as well as their tactics, motivations, techniques, and procedures (TTPs)
- Helping them understand the relevant actions that can be taken to neutralize them
- Revealing previously unknown threats and promoting proactive decision-making
- Integrating disparate bits of data to provide timely warnings and actionable information
All information security experts agree that any data compromise can be devastating and must be avoided at all costs.
For executive boards, C-level executives, and information security managers, implementing the relevant controls will help them understand cyber threats and make data-driven decisions to mitigate the impact of those risks based on the implementation of the threat intelligence lifecycle. There are different versions of intelligence cycles, but the goal is always the same: guide the cybersecurity team through the development and execution of an effective threat intelligence program.
Impact on compliance
An update to ISO/IEC 27002 will inevitably affect the set of controls in ISO/IEC 27001. It is therefore expected that these changes will be reflected in Annex A of ISO/ IEC 27001 after the official publication of the updated ISO/IEC 27002 in Q1 2022. There is currently no impact on organizations that already maintain a certified ISMS based on ISO/IEC 27001. The requirement has never been that only ISO/IEC 27001 Annex A controls must be utilized – it only needs to be fulfilled, at a minimum, by demonstrating the implemented controls effectively align with the Annex A control objectives Any additional controls (PCI, HIPPA/ HITRUST, SOC, etc.) deemed effective should be considered and applied to mitigate the identified risks.
In this case, the threat intelligence requirement will oblige organizations to plan and budget for a solution that can assist with the ongoing operational mitigation plans, unless they decide to outsource these processes to the third party. But with so many types of threat intelligence services and products available, finding the right one to meet their objectives can be challenging. Most importantly, organizations will have to demonstrate how they can scale their threat intelligence investment over time.
This can be very complicated when advantages and challenges of integrating threat intelligence with existing security solutions are not clearly understood.
The new requirements in ISO 27002 updated version will help drive some of these decisions, as threat intelligence helps organizations of all shapes and sizes process threat data to better understand their attackers, respond faster to incidents, and proactively be ahead of a threat actor’s next move. This information helps smaller organizations achieve a level of protection that would otherwise be out of reach. On the other hand, organizations with large security teams can reduce the cost and required skills by leveraging external threat intelligence and make their analysts more effective.
The best way to gain the most value from the new version of ISO 27002, that is expected to be published is to use its controls to fulfill the requirements of ISO/IEC 27001 and gain certification. With an effective risk management approach and controls implementation, organizations can steer cybersecurity strategies by continuously monitoring and improving their ISMS to protect their assets, information and data. This will ultimately help organizations protect their reputation, retain customers, and increase profits!