The transitioning process from ISO/IEC 27001:2013 to ISO/IEC 2....
ISO/IEC 27002:2022 — Information security, cybersecurity, and privacy protection
I. Introduction
As the sophistication and frequency of information security attacks continue to increase, the number of organizations being targeted from those attacks is also increasing, regardless of the organizations’ size, industry, location, or reputation. Hence, the need for following an effective approach for information security governance has become inevitable.
Organizations that rely only on incident response plans for addressing information security incidents are usually not successful in reducing these incidents and their impact. Instead, they should implement information security management systems (ISMSs) that integrate various policies, processes, procedures, and activities for ensuring and maintaining information security.
ISMSs enable the creation of standardized procedures to select and implement adequate information security controls and manage them effectively. An ISMS that is suitable to the organization’s mission and objectives helps in reducing the likelihood and impact of information security risks.
While ISO/IEC 27001 provides the requirements for establishing, implementing, maintaining, and improving an ISMS, ISO/IEC 27002 provides the controls for managing risks within that ISMS. These controls are based on internationally recognized best practices and can be implemented by organizations of all types and sizes.
II. Information Security, Cybersecurity, and Privacy Protection
Information Security
The importance of information security has increased significantly over the years as the number of organizations that collect, process, store, and transmit information daily and in many forms has also grown.
What is information security? This term refers to the actions that organizations take to prevent unauthorized access to, use, alteration, and destruction of information. This term is often used together with cybersecurity; however, they are not synonymous. While information security ensures the protection of different types of information, within and beyond the cyberspace, cybersecurity refers to the protection of organization’s data, devices, systems, and networks in cyberspace.
Information security is defined as the preservation of the confidentiality, integrity, and availability (commonly known as the CIA triad) of information. Regardless of the type of information, information security aims to ensure authorized access to data (confidentiality), authorized alteration of data (integrity), and timely accessibility (availability) to data.
Confidentiality refers to the protection of information from unauthorized access. Organizations ensuring the confidentiality of information keep important information private and ensure that the information is used only by authorized parties. Typical threats to the confidentiality of information are phishing, malware, password attacks, insider threats, man-in-the-middle attacks, data mining, and eavesdropping attacks.
There are various controls that organizations can implement to ensure the confidentiality of their data, such as multi-factor authentication, encryption, the principle of least privilege, secure disposal of data, and physical access controls. Security controls for ensuring confidentiality should be selected based on the information classification and the potential business impact of its unauthorized disclosure.
Integrity refers to the protection of an organization’s information against unauthorized or accidental changes. Ensuring the integrity of information implies ensuring that information is accurate and authentic, and that it is not modified, accidentally or purposefully, when in storage, in process, or in transit. Common threats to the integrity of information include human errors, weak passwords, network and software vulnerabilities, poor configuration management, and unauthorized physical access to information processing facilities.
Security controls that help in mitigating these threats include, among others, appropriate access management, user training, hashing techniques, and digital signatures. Moreover, backup procedures are crucial for ensuring integrity since they enable organizations to restore information that has been altered.
Availability ensures that information is accessed by authorized individuals as required, when and where required, and by the person(s) requiring it. Some of the main challenges to the availability of information include Denial-of-Service attacks (DoS), technical failures, natural disasters, human errors, and insufficient communication bandwidth. In practice, availability of information can be ensured through appropriate resilient system architecture, backup procedures, capacity planning, incident management, maintenance of equipment, and business continuity planning.
For example, a bank, whose mobile banking application processes and collects personal data, should ensure that the data is protected from unauthorized access and modification and that it can be accessed by the users, e.g., when making transactions online. The CIA triad of financial transactions completed online can be improved as follows:
- Confidentiality: Implementing biometric authentication, such as fingerprints, to verify user identity, and cryptographic techniques to prevent traffic eavesdropping on the network
- Integrity: Using hashing algorithms to authenticate data, i.e., to validate the message digest generated by the server which helps in determining if any data has been altered during transmission
- Availability: Ensuring that the mobile banking application has the required IT capacity resources to be accessible when and as needed
Traceability and non-repudiation are concepts that contribute toward ensuring information security, as well. Traceability refers to the ability of the organization to trace a message or activity and track down the originator of those messages and activities. Non-repudiation refers to the assurance that no party can deny that they sent, received, or processed a message or that they signed the data, which in turn supports the integrity and authenticity of information.
Traceability in online transactions can be ensured by collecting and monitoring all logs of the mobile application to verify the activities and users’ requests. Non-repudiation, on the other hand, can be achieved through cryptographic controls, such as digital signatures.
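The integrity and non-repudiation controls described above for a banking transaction, as an added example that is not part of the whitepaper: a SHA-256 message digest lets the client detect that the data changed in transit, while an Ed25519 signature additionally proves the server issued it. The Transaction type, the field layout, and the sample values are constructed for this illustration.

```go
// Added example: integrity check via a message digest versus non-repudiation
// via a digital signature, over a constructed mobile-banking transaction.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed sample payload as a banking server might return it.
type Transaction struct {
	ID       string
	FromAcct string
	ToAcct   string
	Amount   string // decimal string, so no floating-point rounding creeps into the digest
	Currency string
}

// Encode produces the canonical byte string that is digested and signed.
// A fixed field order matters: digesting or signing fields in an unstable
// order would make verification fail even for an unmodified transaction.
func (t Transaction) Encode() []byte {
	return []byte(fmt.Sprintf("id=%s;from=%s;to=%s;amount=%s;cur=%s",
		t.ID, t.FromAcct, t.ToAcct, t.Amount, t.Currency))
}

// Digest returns the hex SHA-256 message digest the server sends alongside the data.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest is the client-side integrity check: a mismatch means the data
// changed in transit. It says nothing about who produced the data, because
// whoever alters the message can also recompute a plain digest for it.
func VerifyDigest(data []byte, digest string) bool {
	return Digest(data) == digest
}

// Sign produces the server's Ed25519 signature over the encoded transaction.
// Only the holder of the private key can create it, which is what gives
// non-repudiation: the server cannot later deny having issued this message.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifySignature checks authenticity and integrity against the server's public key.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// Tamper returns a copy with the destination account changed, standing in
// for accidental or deliberate modification of the message in transit.
func Tamper(t Transaction) Transaction {
	t.ToAcct = "ACCT-9999"
	return t
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Transaction{ID: "TX-1001", FromAcct: "ACCT-0001", ToAcct: "ACCT-0002", Amount: "250.00", Currency: "EUR"}
	data := tx.Encode()
	digest := Digest(data)
	sig := Sign(priv, data)
	tampered := Tamper(tx).Encode()

	fmt.Println("original digest ok:   ", VerifyDigest(data, digest))     // true
	fmt.Println("tampered digest ok:   ", VerifyDigest(tampered, digest)) // false
	// A digest alone is only as trustworthy as the channel it arrived on:
	fmt.Println("recomputed digest ok: ", VerifyDigest(tampered, Digest(tampered))) // true
	fmt.Println("original signature ok:", VerifySignature(pub, data, sig))          // true
	fmt.Println("tampered signature ok:", VerifySignature(pub, tampered, sig))      // false
}
```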
Cybersecurity
Cybersecurity refers to the protection of digital information in computers, systems, and networks from cyberattacks. The number of cyberattacks has increased considerably in recent years. According to CyberEdge’s report published in 2022, 85.3% of organizations that were part of the study claimed that their networks had been compromised by cyberattacks at least once during 2021. In addition, 27.9% of these organizations had experienced between 6 and 10 cyberattacks within the same period. These high percentages emphasize the importance of implementing effective cybersecurity solutions that enable organizations to continually monitor and prevent cyberattacks and reduce their impact.
Cybersecurity covers various categories including network security, application security, information security, operational security, disaster recovery and business continuity, and end-user education. Individuals with malicious intent may access the network of organizations by exploiting misconfigured firewalls, unsecured wireless routers, and infected laptops and ports.
Assets in the cloud and employees’ devices when implementing a bring-your-own-device (BYOD) policy or when working remotely are also potential targets of cyberattacks due to the lack of control from organizations. Some of the cyberthreats that organizations should be prepared for in 2022 include social engineering, ransomware, advanced persistent threats, disgruntled employees, supply chain attacks, operational technology (OT) security threats, and IoT-related threats.
In 2016, the European Union introduced the NIS (Network and Information Systems) Directive, a cybersecurity legislation, with the aim of increasing cybersecurity across EU countries. The directive was then enacted into EU member states’ laws. The NIS Directive will ensure that EU member states are prepared for cyberattacks and have established incident response teams. In addition, by establishing cooperation groups, it will enable the states to cooperate with one another and establish mechanisms through which information is exchanged more easily between them. Lastly, it will promote a culture of cybersecurity across the countries.
Privacy Protection
Privacy is considered a fundamental human right. As defined by EDPS (European Data Protection Supervisor), having privacy means “to be autonomous, in control of information about yourself, to be let alone.” The right to privacy is included, among others, in the UN Declaration of Human Rights, the European Convention of Human Rights, and the European Charter of Fundamental Rights. More than 150 nations have included the right to privacy in their national constitutions.
Data privacy protection relies on the effectiveness of information security controls. Some of today’s threats to privacy include online tracking, IoT attacks, and cyberattacks. Organizations that collect and process data should employ access control mechanisms, such as encryption and multi-factor authentication, to ensure the protection of one’s information privacy.
Considering the sensitivity of personal data, many governments have enforced laws and regulations to make sure that data processing is done with individuals’ consent. There are many data protection laws that regulate how personal data should be collected and processed.
For instance, the General Data Protection Regulation (GDPR) is an EU regulation that aims to protect the data and privacy of individuals, also known as data subjects, who live within the European Economic Area (EEA) by introducing requirements for organizations processing or collecting the data related to those data subjects. The GDPR requires organizations to encrypt the personal data of data subjects and pseudonymise it so that it cannot be attributed to a particular person. In addition, organizations are required to ensure the confidentiality, integrity, and availability of the information they process, collect, and store. These requirements, among others, can be fulfilled by implementing an ISMS based on ISO/IEC 27001.
ISO has also released ISO/IEC 27701:2019 as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. The standard provides requirements and guidelines for establishing, implementing, and maintaining a privacy information management system (PIMS).
Breaches and Incidents
One of the most sophisticated cyberattacks in history is Stuxnet. Through the Stuxnet computer worm, Iran’s nuclear program was attacked after its Supervisory Control and Data Acquisition (SCADA) systems were targeted. This, as a result, caused considerable damage to the program. This attack demonstrates that any system can be compromised with enough determination and sophisticated tools.
Furthermore, the Compilation of Many Breaches (COMB) is considered to be one of the largest data breaches of all time. It exposed more than 3.2 billion pairs of emails and passwords. This breach occurred in 2021 and affected nearly 70% of internet users around the world. Although the data leak did not technically include new information since it only comprised information that was obtained from previous breaches, the number of users affected by it makes the impact of the data breach significant.
Based on a survey of Canadian companies, 25% of those companies were victims of cyberattacks in 2021, which disclosed a wide range of personal and corporate data. In addition, the study showed that 56% of the affected companies had paid the large sums of money demanded by cybercriminals. Even though the number of companies that have experienced cyberattacks is very high, only 40% of them claimed to have organized training sessions regarding cyber- and information security.
In the recent years, operational technology (OT) organizations have also become targets of cyberattacks. According to a new research report, within a period of 36 months, 83% of organizations experienced an OT cybersecurity breach. Although the number of cyberattacks continues to grow, according to the study, many organizations (73%) do not take the risks of cyberattacks seriously, claiming that they will not experience an OT attack in the following year.
Furthermore, when it comes to cybersecurity threats, the lack of employee awareness and competence represents the biggest risk; thus, it is vital for every organization to take measures to prevent, detect, and respond to cyberattacks effectively by organizing training and awareness sessions for their employees.
III. What Is ISO/IEC 27002?
ISO/IEC 27002 integrates information security, cybersecurity, and privacy protection into a generic set of controls. These controls can be used by organizations as part of their information security risk management. It is up to organizations to determine which controls to implement, based on their needs and objectives, in order to ensure the protection of information.
This standard can be used as a guidance for identifying, assessing, reducing, and mitigating information security risks within an information security management system (ISMS). In addition, organizations can use the standard to determine the necessary controls for developing organization-specific guidelines.
IV. What Has Changed in ISO/IEC 27002:2022?
ISO/IEC 27002:2013 is a code of practice for information security controls. It provides guidelines for selecting, implementing, and managing information security controls taking into account the information security risk environment of organizations. The standard provides 114 security controls and 35 control objectives in 14 domains.
ISO/IEC 27002:2013 has been replaced by the third edition of the standard published in 2022. The main changes of ISO/IEC 27002:2022 are:
- The number of security controls has decreased from 114 to 93.
- A new categorization of security controls in four main themes has been introduced.
- The term “code of practice” has been removed.
- The standard now provides a comprehensive description of security controls using associated attributes.
The changes made in the new version of the standard aim to simplify the process of selecting security controls. However, the purpose of both versions remains the same. ISO/IEC 27002:2022 intends to serve as a reference set for organizations in selecting and implementing information security controls that are appropriate to their context.
Out of the 93 controls in the new version of the standard, 11 are new, 23 controls have been renamed, one has been split into two sub-controls, 57 controls have been merged into 24, and 34 controls remain the same.
V. Overview of ISO/IEC 27002:2022
The controls are categorized into four themes, i.e., organizational, people, physical, and technological.
Organizational Controls
Clause 5 of ISO/IEC 27002 provides 37 organizational controls which introduce policies and procedures that tackle issues on an organizational level, such as the segregation of roles and responsibilities, management of information, and compliance with relevant laws and regulations. They also help organizations in preventing or addressing information security risks regarding the unauthorized use of assets, the unauthorized access to information, supplier relationships, cloud computing, etc.
People Controls
Clause 6 of ISO/IEC 27002 provides 8 people controls which are intended to help organizations in preventing and addressing risks related to individuals. These controls address the hiring process of employees (screening, the terms and conditions of employment, nondisclosure agreements, and termination or change of employment), the provision of awareness and training sessions and the disciplinary process during employment, and the roles and responsibilities of individuals working for the organization on site or remotely.
Physical Controls
Clause 7 of ISO/IEC 27002 provides 14 physical controls which are intended to help organizations ensure the physical protection of information assets and information processing facilities. These controls ensure, among others, the security of perimeters, entries, offices, rooms, facilities, equipment, cables, storage media, and utilities.
Technological Controls
Clause 8 of ISO/IEC 27002 provides 34 technological controls which are intended to help organizations protect their information systems against unauthorized access or change, infrastructure overload, and malicious attacks. They cover security aspects during the development of information systems, as well as those related to outsourcing. Moreover, they help organizations in ensuring adequate protection of test information and information systems during audit testing.
New Controls
To have a better understanding of the updated controls, the following list illustrates the new controls introduced in ISO/IEC 27002:2022.
Organizational controls | Physical controls | Technological controls |
5.7 Threat intelligence | 7.4 Physical security monitoring | 8.9 Configuration management |
5.23 Information security for use of cloud services | | 8.10 Information deletion |
5.30 ICT readiness for business continuity | | 8.11 Data masking |
| | 8.12 Data leakage prevention |
| | 8.16 Monitoring activities |
| | 8.23 Web filtering |
| | 8.28 Secure coding |
Control Layout
In the updated version of ISO/IEC 27002, controls are associated with additional elements that provide more information on the controls and their purpose and enable organizations to select and implement the appropriate controls. The layout of each control is described in the table below:
Control layout element | Description |
Control title | The short name of the control |
Attribute table | Provides the value(s) of each attribute for the given control |
Control | Provides the control |
Purpose | Explains the importance of implementing the control |
Guidance | Provides additional information on how the control should be implemented |
Other information | Provides additional information regarding the control and other related documents or references |
The attribute table is intended to help organizations in selecting information security controls based on their business needs and requirements.
Attribute | Description |
Control type | The control type can be preventive, detective, or corrective, depending on when and how the control modifies risk. |
Information security properties | Information security properties can have one of the following values: confidentiality, integrity, and availability, depending on which of them is preserved through the implementation of the control. |
Cybersecurity concepts | This attribute may have one of the values: identify, protect, detect, respond, and recover. They associate ISO/IEC 27002 controls with ISO/IEC TS 27110 cybersecurity concepts. |
Operational capabilities | Operational capabilities show the perspective of 15 information security capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance. |
Security domains | There are four security domains that each contain specific subdomains: governance and ecosystem, protection, defence, and resilience. |
VI. Mapping between ISO/IEC 27002:2013 and ISO/IEC 27002:2022
Instead of 14 control categories in ISO/IEC 27002:2013, ISO/IEC 27002:2022 groups the information security controls into four categories. Most controls are merged from the 2013 version of the standard. For example, control 5.15 Access control consists of control 9.1.1 Access control policy and 9.1.2 Access to networks and network services. Annex B of the standard provides a detailed mapping of ISO/IEC 27002:2022 and ISO/IEC 27002:2013 controls.
The table below provides the mapping of control categories in ISO/IEC 27002:2013 and those in ISO/IEC 27002:2022.
ISO/IEC 27002:2013 control categories | ISO/IEC 27002:2022 control categories | |||
Organizational controls | People controls | Physical controls | Technological controls | |
Clause 5 Information security policies | x | |||
Clause 6 Organization of information security | x | x | x | |
Clause 7 Human resource security | x | x | ||
Clause 8 Asset management | x | x | ||
Clause 9 Access control | x | x | ||
Clause 10 Cryptography | x | |||
Clause 11 Physical and environmental security | x | x | ||
Clause 12 Operations security | x | x | ||
Clause 13 Communications security | x | x | x | |
Clause 14 System acquisition, development and maintenance | x | x | ||
Clause 15 Supplier relationships | x | |||
Clause 16 Information security incident management | x | x | ||
Clause 17 Information security aspects of business continuity management | x | x | ||
Clause 18 Compliance | x | x |
VII. Benefits of Implementing ISO/IEC 27002 Controls
There are numerous benefits that derive from the implementation of ISO/IEC 27002 controls for information security risks, including:
- Improvement of the organization’s information security and cybersecurity
- Protection of the organization’s sensitive information and intellectual property
- Protection of the organization’s information processing facilities
- Reduction of information security risk levels within the organization
- Better management of information security incidents and business continuity
- Effective management of logs and records
- Compliance with policies and best practices for information security
- Compliance with legal, statutory, regulatory, and contractual requirements
VIII. How Will ISO/IEC 27002:2022 Impact ISO/IEC 27001?
ISO/IEC 27002 is a supplementary document that provides guidance on the implementation of ISO/IEC 27001 Annex A controls. Therefore, the release of the new version of ISO/IEC 27002 will be followed by an update of ISO/IEC 27001.
Annex A of ISO/IEC 27001 will be updated to reflect the changes of controls in ISO/IEC 27002 and ensure consistency between both standards, whereas the main requirements of ISO/IEC 27001 in clauses 4 to 10 will remain the same. Organizations that are already certified against ISO/IEC 27001 will be affected only after the update of ISO/IEC 27001. Organizations will be provided with a period of time to adjust to the changes made in ISO/IEC 27001.
Some actions that organizations can take to effectively incorporate new controls of the updated Annex A in their ISMSs include the following:
- Conduct a gap analysis to analyze their existing system
- Update the list of the information security risks introduced by the implementation of the new controls
- Document an updated Statement of Applicability
- Implement controls to ensure compliance with the new requirements
- Ensure the next internal audit includes the review of the new requirements
IX. Conclusion
The increase of cyberattacks and the sophistication of information technology through which these attacks are undertaken have introduced the need for establishing and implementing secure ISMSs and implementing information security controls that help in preventing these attacks and other events threatening organizations’ information security, cybersecurity, and privacy.
Organizations should focus more on prevention rather than response and mitigation measures. A proactive approach toward information security is essential in addressing information security risks that are specific to organizations’ contexts. Hence, having well-established processes and implementing effective information security controls will help organizations in mitigating information security risks.
The implementation of ISO/IEC 27002:2022 controls helps organizations in managing information security risks within an ISMS. Furthermore, by providing information security best practices, ISO/IEC 27002 contributes in creating more secure digital ecosystems.
Authors:
Arta Haxhixhemajli
Era Mustafa
Ernis Kabashi
Contributors:
Achetoui El Mehdi (Morocco)
Alessio Resmini, Bl4ckswan S.r.l. (Italy)
Carl Carpenter, Arrakis Consulting (United States)
Djellza Krasniqi
Dominique Bourra, FIDENS (France)
Fjolla Muhadri
Gresa Shala
Hamid Seghiouer, Performances Qualité Inc. (Canada)
Jan Carroll, Fortify Institute (Ireland)
John Nii Djan, Innovare (Ghana)
Matthieu Billaux, Seela (France)
Michel Fosse, LGS (Canada)
Michael Papenhagen, B+W it solutions GmbH (Germany)
Mike Thompson, Vital Advisory Pty Ltd (New Zealand)
Olivier Lévy, KYRON (France)
Patrick Bochart (Belgium)
Stella Simiyu, Sentinel Africa (Kenya)
1 CyberEdge Group. “2022 Cyberthreat Defense Report.” CyberEdge Group. Accessed April 30, 2022. https://cyber-edge.com/wp-content/uploads/2022/11/CyberEdge-2022-CDR-Report.pdf
2 European Data Protection Supervisor. “Data Protection.” EDPS. Accessed May 5, 2022. https://edps.europa.eu/data-protection/data-protection_en
3 Constitute. Accessed May 5, 2022. https://www.constituteproject.org/constitutions?lang=en&status=in_force&status=is_draft
4 Wolford, Ben. “What Is GDPR, the EU’s New Data Protection Law?” GDPR.EU. Accessed May 5, 2022. https://www.itgovernance.co.uk/gdpr-and-iso-27001
5 IT Governance. “ISO 27001 and the GDPR.” IT Governance. Accessed May 27, 2022. https://www.itgovernance.co.uk/gdpr-and-iso-27001
6 Kushner, David. “The Real Story of Stuxnet.” IEEE Spectrum 20, no. 3 (2013): 48-53. doi:10.1109/MSPEC.2013.6471059.
7 Meyer, Bernard. “COMB: Largest Breach of All Time Leaked Online with 3.2 billion records.” Cybernews. Last modified February 12, 2021. https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/
8 The Canadian Press. “A Quarter of Canadian Companies Have Been Victims of a Cyber Attack in 2021: Survey.” CTV News. Last modified February 7, 2022. https://montreal.ctvnews.ca/a-quarter-of-canadian-companies-have-been-victims-of-a-cyber-attack-in-2021-survey-1.5770718
9 Skybox Security. “Cybersecurity Risk Underestimated by Operational Technology Organizations.” Skybox Security. Accessed May 26, 2022. https://www.skyboxsecurity.com/resources/report/cybersecurity-risk-underestimated-by-operational-technology-organizations/