ISO/IEC 27002:2022 is the updated version of the widely used ISO/IEC 27002 reference for information security controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published it in February 2022; the matching revision of the management-system standard, ISO/IEC 27001:2022, followed in October 2022 and realigned its Annex A to the new control set. ISO/IEC 27002 serves as a reference for generic information security controls, including implementation guidance, for organisations operating an information security management system (ISMS) based on ISO/IEC 27001, whether they are implementing controls based on internationally recognised good practice or developing organisation-specific information security management guidelines.
The updated version of ISO/IEC 27002 introduces 11 new controls. IT auditors and security practitioners need to understand these controls and implement them as part of the changes to the standard. Adopting ISO/IEC 27001:2022 is not mandatory for every organisation (those already certified to the 2013 edition have until 31 October 2025 to transition), but understanding and establishing the controls where possible strengthens information security within an organisation.
New controls introduced in ISO/IEC 27002:2022 and Annex A of ISO/IEC 27001:2022 (nine of the eleven are covered below; the remaining two are 8.23 Web filtering and 8.28 Secure coding):
5.7 Threat Intelligence
ISO/IEC 27002:2022 states: "Information relating to information security threats should be collected and analysed to produce threat intelligence." Enterprises need to collect and analyse information about existing and emerging threats so that they can act on it, prevent threats from causing harm, and reduce the impact of those that get through. The standard's guidance describes three layers: strategic (who is targeting the sector and why), tactical (attacker techniques and tooling) and operational (specific indicators such as domains, file hashes and addresses that can be matched against logs); intelligence is only useful once it reaches the people and tools that can act on it. Red Piranha is one of the top contributors and the first organisation in the Oceanic region to join the Cyber Threat Alliance, based out of Washington D.C. Our world-leading threat intelligence is fully integrated and operationalised. Organisations should adopt a comprehensive security approach that includes advanced threat detection tooling, such as Threat Detection, Investigation and Response (TDIR) solutions, that can detect and respond to anomalous behaviour on the network.
5.23 Information Security for Use of Cloud Services
This is a preventive control to specify and manage information security for the use of cloud services. Organisations should establish topic-specific policies on the use of cloud services and communicate them to all relevant interested parties. The use of cloud services involves shared responsibility for information security and a collaborative effort between the cloud service provider (CSP) and the organisation acting as the cloud service customer (CSC). In practice this means recording, for each service, which controls the provider operates and which remain the customer's (typically identity and access management, data classification, encryption key custody and the configuration of the service itself), and covering acquisition, use, management and exit from the service.
5.30 ICT Readiness for Business Continuity
This is a corrective control intended to ensure the availability of an organisation's information and other associated assets during disruption. ICT readiness should be planned, implemented, maintained and tested against the organisation's business continuity objectives and ICT continuity requirements, such as recovery time and recovery point objectives, so that those objectives can continue to be met during disruption.
7.4 Physical Security Monitoring
This is a preventive and detective control intended to detect and deter unauthorised physical access. Premises should be continuously monitored for unauthorised physical access, with sensitive areas restricted so that only authorised people can enter them.
8.9 Configuration Management
This is a preventive control to ensure that hardware, software, services and networks function correctly with the required security settings, and that configuration is not altered by unauthorised or incorrect changes. Configurations, including security configurations, should be defined, documented (often as standard templates or a SOP), implemented, monitored and reviewed. Changes to configuration should be logged so that they can be audited and any drift from the approved baseline detected.
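The logging-and-audit part of this control is easy to state and easy to skip. The following is an added example, not code from the original page or from any product it mentions: it baselines a configuration tree as SHA-256 digests, reports every added, removed or changed file, and appends each deviation to an audit log. The directory layout, file contents and log format are constructed for the demonstration.

```python
"""Configuration baseline and drift detection (added example, not the page's own code).

Builds a baseline of configuration files as SHA-256 digests, compares a live
tree against it, and writes every deviation to an append-only audit log so that
each change can be tied to an approved change record or flagged as unauthorised.
Paths and file contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
import time
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large configs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(root: Path, baseline_path: Path) -> None:
    baseline_path.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def check_drift(root: Path, baseline_path: Path, audit_path: Path) -> dict[str, list[str]]:
    """Compare root against the stored baseline and append one audit line per deviation."""
    baseline = json.loads(baseline_path.read_text())
    drift = diff_baseline(baseline, snapshot(root))
    with audit_path.open("a") as log:
        for kind, files in drift.items():
            for f in files:
                # One JSON line per change. A real deployment would also record the
                # host name and the change ticket, if one exists, for the auditor.
                log.write(json.dumps({"ts": time.time(), "event": "config_drift",
                                      "kind": kind, "file": f}) + "\n")
    return drift


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny /etc, then weaken sshd, drop an
    unexpected cron entry and delete the login banner."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\n")
        (root / "motd").write_text("Authorised use only\n")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(root, baseline_path)

        # Drift: one weakened setting, one new file, one deleted file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "hourly-sync").write_text("0 * * * * root /tmp/sync.sh\n")
        (root / "motd").unlink()

        return check_drift(root, baseline_path, Path(tmp) / "config-audit.jsonl")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the baseline file and the audit log must be protected at least as well as the configuration they describe (stored off-host or signed), otherwise an attacker who can edit sshd_config can also edit the baseline; and a digest-only baseline does not notice ownership or permission changes, which a fuller implementation would record alongside the hash.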
8.10 Information Deletion
The purpose of this control is to limit unnecessary exposure of sensitive information and to ensure compliance with legal, statutory, regulatory and contractual requirements for information deletion. According to ISO/IEC 27002:2022, information stored in information systems, devices or any other storage media should be deleted when no longer required. To reduce the risk of unintentional or malicious disclosure, organisations should store sensitive information for no longer than necessary. A process should be defined that sets out which data is to be erased, when and how it will be erased, and who is responsible for the erasure. Business, regulatory and contractual security requirements should also be considered.
ISO/IEC 27002 does not itself prescribe a document for this control, but in practice organisations should have a disposal and destruction policy, an acceptable use policy and security operating procedures that specify how system administrators and other responsible personnel delete sensitive information from devices, servers and networks. A data retention policy should also be created that defines how long each category of information is kept and when it is erased.
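The "which data, when, and who" part of that process can be made mechanical. What follows is an added example, not code from the original page: a retention evaluator that applies a per-class schedule, lets a legal hold override the schedule, and fails safe on records whose class is unknown (they are queued for review, never deleted). The schedule, record ids and dates are all constructed for the demonstration and do not come from any real policy.

```python
"""Retention evaluation for information deletion (added example, not the page's own code).

A retention schedule gives each information class a maximum retention period.
A record is eligible for deletion only when it is older than that period, is
not under legal hold, and its class is known; an unknown class fails safe and is
queued for review rather than deleted. The schedule and records are constructed
for the demonstration and are not taken from any real policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: information class -> maximum retention in days.
RETENTION_DAYS = {
    "payment-card": 365,
    "hr-record": 7 * 365,
    "support-ticket": 2 * 365,
    "marketing-lead": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date
    legal_hold: bool = False


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "delete", "retain", "hold" or "review"
    reason: str


def evaluate(record: Record, today: date, schedule: dict[str, int] = RETENTION_DAYS) -> Decision:
    """Apply the schedule to one record. Order matters: a legal hold overrides
    the schedule, and an unknown class must never fall through to deletion."""
    if record.legal_hold:
        return Decision(record.record_id, "hold", "legal hold in place")
    days = schedule.get(record.classification)
    if days is None:
        return Decision(record.record_id, "review", f"unknown class {record.classification!r}")
    expiry = record.created + timedelta(days=days)
    if today >= expiry:
        return Decision(record.record_id, "delete", f"retention of {days} days expired on {expiry}")
    return Decision(record.record_id, "retain", f"retained until {expiry}")


def deletion_plan(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record ids by action so the delete list can be executed and the
    review list handed to the data owner."""
    plan: dict[str, list[str]] = {"delete": [], "retain": [], "hold": [], "review": []}
    for r in records:
        plan[evaluate(r, today).action].append(r.record_id)
    return plan


# Constructed sample records.
SAMPLE = [
    Record("r1", "payment-card", date(2023, 1, 15)),
    Record("r2", "payment-card", date(2024, 3, 1)),
    Record("r3", "hr-record", date(2015, 1, 1), legal_hold=True),
    Record("r4", "misc", date(2010, 6, 30)),
    Record("r5", "marketing-lead", date(2023, 11, 1)),
]


def demo(today: date = date(2024, 6, 1)) -> dict[str, list[str]]:
    return deletion_plan(SAMPLE, today)


if __name__ == "__main__":
    for action, ids in demo().items():
        print(f"{action:7s} {ids}")
```

The "how" of deletion is a separate decision from the "when": overwriting files does not reliably erase data on flash storage or in a cloud service that keeps snapshots, so the procedure should name the method per storage type (vendor secure-erase, destruction of the encryption key, or the provider's documented deletion process) rather than assume a delete command is enough.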
8.11 Data Masking
This control limits the exposure of sensitive data, including Personally Identifiable Information (PII), and ensures compliance with legal, statutory, regulatory and contractual requirements. According to ISO/IEC 27002:2022, data masking should be used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and with business requirements, taking applicable legislation into consideration.
Organisations can use several techniques to mask data, including anonymization, encryption, obfuscation and pseudonymization. Processes should be in place to determine which data is to be masked, who can access which types of data, and which methods are used to mask it. The distinction between the techniques matters: pseudonymized data can be linked back to the individual by whoever holds the key or mapping table and therefore remains personal data under the GDPR, whereas anonymization is intended to be irreversible.
From an ISO perspective, this control should be supported by documentation. Organisations should have an access control policy that explicitly states the requirements for data masking. Organisations that must comply with the EU General Data Protection Regulation (GDPR) or similar privacy regulations should also have a privacy policy, a personal data protection policy and a data masking policy that details how data is masked in the context of those regulations.
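The choice of masking method has a concrete security consequence that the control text does not spell out. The following added example (not code from the original page) shows two display-masking functions alongside two pseudonymization functions, and then demonstrates why an unkeyed hash is not a pseudonym for a low-entropy identifier: an attacker holding only the masked data set can hash every candidate and recover the original, while a keyed HMAC whose key is kept outside the data set resists the same enumeration. The identifier format, card number and addresses are constructed.

```python
"""Data masking techniques (added example, not the page's own code).

Two different needs: display masking, where a human only needs to see part of
a value, and pseudonymisation, where a stable stand-in replaces the value in
analytics or test data. The pitfall shown at the end is using a plain hash as
a pseudonym: for low-entropy identifiers the attacker can simply hash every
candidate and recover the original. A keyed HMAC with a secret held outside
the masked data set closes that. All sample values are constructed.
"""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Iterable, Optional


def mask_card(pan: str) -> str:
    """Keep the last four digits of a payment card number, replace the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = addr.partition("@")
    if not sep or not local:
        raise ValueError("not an email address")
    return local[0] + "***@" + domain


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256, truncated. Deterministic, but reversible by enumeration."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: the same input gives the same token, but
    without the key an attacker cannot test candidate inputs against it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def enumerate_attack(token: str, candidates: Iterable[str],
                     fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker holding only the masked data set can do: compute the
    token for every plausible original and compare."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


def demo() -> dict:
    # Constructed: employee ids E0000..E9999, a space small enough to enumerate in full.
    ids = [f"E{i:04d}" for i in range(10_000)]
    victim = "E0421"
    key = secrets.token_bytes(32)  # would live in a KMS or HSM, never beside the masked data
    attacker_guess = lambda c: keyed_pseudonym(c, b"attacker-guessed-key")
    return {
        "card": mask_card("4111 1111 1111 1111"),
        "email": mask_email("alice@example.com"),
        "naive_recovered": enumerate_attack(naive_pseudonym(victim), ids, naive_pseudonym),
        "keyed_recovered": enumerate_attack(keyed_pseudonym(victim, key), ids, attacker_guess),
        "keyed_is_stable": keyed_pseudonym(victim, key) == keyed_pseudonym(victim, key),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed form is still pseudonymization, not anonymization: whoever holds the key can re-identify, so key custody and the policy on who may use it belong in the data masking policy alongside the technique itself.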
8.12 Data Leakage Prevention
This control is both a detective and a preventive control that helps organisations detect and prevent the unauthorised extraction and disclosure of information by individuals or systems. According to ISO/IEC 27002:2022, data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Organisations should identify, classify, monitor and act to prevent information from being leaked, whether it sits in IT systems, networks or devices. Enterprises can take various preventive measures to avoid the unauthorised disclosure of sensitive information and, where an incident does occur, detect it in a timely manner. Processes should be created to determine the sensitivity of data, assess the risk posed by the technologies in use, monitor the channels through which data could leak (email, web uploads, removable media, cloud storage), and define which technology is used to block the exposure of sensitive data.
From an ISO perspective, no documentation (such as policy, procedure) is required. However, it is beneficial to establish rules related to data leakage prevention in information classification policies, security operating procedures, and acceptable use policies.
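Content inspection is the part of a DLP process most often got wrong, because a naive pattern fires on every 16-digit order number. The following is an added example, not code from the original page or any product it mentions: it scans constructed outbound messages for payment card numbers (validated with the Luhn checksum to suppress false positives) and for an internal classification label, then applies a simple policy of block, alert or allow depending on whether the recipient is external. The messages, the internal domain and the label names are all constructed.

```python
"""Content inspection for data leakage prevention (added example, not the page's own code).

Scans outbound messages for payment card numbers and for an internal
classification label, then decides whether to block, alert or allow. Card
candidates are validated with the Luhn checksum so that order numbers and
other 16-digit strings do not trigger false positives. Messages, domains and
the label are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"corp.example"}  # constructed
LABEL_RE = re.compile(r"\b(?:CONFIDENTIAL|RESTRICTED)\b")
# 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Finding:
    kind: str       # "card_number" or "classification_label"
    evidence: str   # already masked, so the DLP log is not itself a leak


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_body(body: str) -> list[Finding]:
    findings = []
    for m in CARD_CANDIDATE_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in LABEL_RE.finditer(body):
        findings.append(Finding("classification_label", m.group()))
    return findings


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def decide(msg: Message) -> tuple[str, list[Finding]]:
    """Policy: card numbers leaving the organisation are blocked; card numbers
    staying internal, and labelled material leaving, are alerted; else allow."""
    findings = scan_body(msg.body)
    kinds = {f.kind for f in findings}
    external = is_external(msg.recipient)
    if "card_number" in kinds and external:
        return "block", findings
    if "card_number" in kinds or ("classification_label" in kinds and external):
        return "alert", findings
    return "allow", findings


# Constructed sample traffic.
SAMPLE = [
    Message("ops@corp.example", "vendor@example.net", "Invoice attached, order ref 1234 5678 9012 3456"),
    Message("sales@corp.example", "partner@example.net", "Please charge 4111 1111 1111 1111 exp 12/27"),
    Message("finance@corp.example", "ap@corp.example", "Card 4111-1111-1111-1111 needs re-issuing"),
    Message("cfo@corp.example", "me@gmail.example", "Q3 board pack attached. CONFIDENTIAL"),
    Message("bob@corp.example", "alice@corp.example", "Lunch at 12?"),
]


def demo() -> list[str]:
    return [decide(m)[0] for m in SAMPLE]


if __name__ == "__main__":
    for m, action in zip(SAMPLE, demo()):
        print(f"{action:5s} {m.recipient:22s} {m.body}")
```

The first sample passes because its 16-digit string fails Luhn, which is exactly the false positive a pattern-only rule would block. The evidence stored in each finding is already masked; a DLP system that logs the full card number has created a second copy of the data it exists to protect.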
8.16 Monitoring Activities
This control is a detective and corrective control that helps enterprises detect anomalous behaviour and potential information security incidents. According to ISO/IEC 27002:2022, networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Organisations should determine the scope and level of monitoring and keep records of it. Subjects of monitoring can include outbound and inbound network, system or application traffic; access to systems, servers and networking equipment; and critical or administrator-level system and network configuration files. A baseline of normal behaviour is needed before anomalies can be recognised, and the thresholds chosen should be reviewed so that alerts remain actionable.
From an ISO perspective, no specific document is mandated for some of these controls. It is nonetheless recommended to include rules about threat intelligence in supplier security policies, incident management procedures and security operating procedures. Similarly, rules about cloud services belong in the supplier security policy, together with documented processes and procedures for the acquisition, use, management of and exit from cloud services.
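To make "monitored for anomalous behaviour" concrete, here is an added example, not code from the original page or any product it mentions, that runs detection logic over constructed sshd-style authentication log lines: it keeps failed logins per source address in a sliding window, raises a medium-severity alert when a source crosses a failure threshold, and raises a high-severity alert when a source that has crossed the threshold is then accepted, which is the signature of a password-guessing attack that succeeded. The log format, host name, addresses, window and threshold are assumptions for the demonstration.

```python
"""Monitoring authentication logs for anomalous behaviour (added example, not the page's own code).

Parses sshd-style log lines, keeps failed logins per source address in a
sliding window, and raises an alert when the failure count crosses a
threshold. A success from a source that has already crossed the threshold is
raised separately at higher severity, because that is the pattern of a
password-guessing attack that worked. The log lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed failure count that triggers an alert


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    src: str
    detail: str


def parse(line: str):
    """Return (timestamp, result, user, source) or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(lines: list[str]) -> list[Alert]:
    failures: dict[str, deque] = defaultdict(deque)
    flagged: set[str] = set()
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # in production, count unparsed lines: a parser gap is a monitoring gap
        ts, result, user, src = parsed
        q = failures[src]
        while q and ts - q[0] > WINDOW:
            q.popleft()   # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("medium", "brute_force", src,
                                    f"{len(q)} failures within {WINDOW}"))
        elif src in flagged:
            alerts.append(Alert("high", "success_after_failures", src,
                                f"user {user!r} accepted after repeated failures"))
    return alerts


# Constructed log lines: one guessing source that eventually succeeds, two normal users.
SAMPLE_LOG = [
    "2024-06-01T09:00:01 bastion sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2",
    "2024-06-01T09:00:04 bastion sshd[4012]: Failed password for root from 198.51.100.23 port 51023 ssh2",
    "2024-06-01T09:00:07 bastion sshd[4013]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2",
    "2024-06-01T09:00:10 bastion sshd[4014]: Failed password for root from 198.51.100.23 port 51025 ssh2",
    "2024-06-01T09:00:12 bastion sshd[4015]: Accepted password for alice from 10.0.0.9 port 40100 ssh2",
    "2024-06-01T09:00:13 bastion sshd[4016]: Failed password for ops from 198.51.100.23 port 51026 ssh2",
    "2024-06-01T09:00:16 bastion sshd[4017]: Failed password for ops from 198.51.100.23 port 51027 ssh2",
    "2024-06-01T09:00:19 bastion sshd[4018]: Accepted password for ops from 198.51.100.23 port 51028 ssh2",
    "2024-06-01T09:02:00 bastion sshd[4019]: Failed password for bob from 10.0.0.5 port 40200 ssh2",
    "2024-06-01T09:02:05 bastion sshd[4020]: Accepted password for bob from 10.0.0.5 port 40201 ssh2",
    "2024-06-01T09:03:00 bastion sshd[4021]: pam_unix(sshd:session): session opened for user bob",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule} from {a.src}: {a.detail}")
```

Bob's single typo does not fire, which is the point of the threshold; the window keeps a slow attacker from hiding behind it only if the window is long enough, so the two numbers are tuning decisions to be recorded with the monitoring scope rather than left as code constants.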
In conclusion, understanding and implementing the updated controls introduced in ISO/IEC 27001:2022 strengthens an organisation's information security. Organisations should ensure that their IT auditors and security practitioners are well versed in the new controls and are actively implementing them within their information security management systems. As always, it is important to understand the risks your organisation faces and map those risks directly to controls; this keeps the focus on risk mitigation, which is the outcome we all want to achieve.
Crystal Eye helps build out-of-the-box Incident Response ISMS policy and procedure that includes access to people, process and playbooks.
With our eCISO program (CISO services), you get a dedicated CISO complemented by remote consulting, with our cutting-edge technology Crystal Eye-Consolidated Security Platform that helps develop a detailed information security program and produce in-depth compliance reports.
Red Piranha is one of the few security organisations with ISO 27001, ISO 9001, and CREST certification to demonstrate that our processes, tools, and systems adhere to a recognised framework. As an official member of Team Defence Australia, we are committed to maintaining the highest standards of information security.
We take pride in our Australian-based cybersecurity products and services, with a global presence servicing large and small clients and partners across multiple industry sectors, including Critical Infrastructure, Defence, Education, Financial Services, Government, Health and Pharmaceutical.
To learn how you can effectively and efficiently implement the above ISO/IEC 27001:2022 controls, talk to our security experts.