ISO 27002:2022 Update – Annex Controls Explained (1/2)

Part 1 of 2 
Authors: Shannon-Louise Huxley – GRC Consultant, Steve Rowe – GRC Consultant
The release of the ISO 27002:2022 update brings a restructure of the standard and several new controls. This post aims to provide a breakdown of these new elements and how best practices can be applied to meet the controls’ objectives. This is the first of two parts that first looks at the following section 5 and section 7 controls of ISO 27002:2022 general guidelines. Section 8 controls will be in the part 2.
In this post, we will be covering:

  • Threat Intelligence (5.7)
  • Information Security for Use of Cloud Services (5.23)
  • Physical Monitoring (7.4)

For an overview of all the changes to ISO 27002:2022, you can also refer to ISO 27002 Update 2022 – Summary of Changes.

Threat Intelligence (5.7)

Threat intelligence is data that is collected about existing or emerging cyber threats that have been processed and analysed to provide awareness of an organisation’s threat environment so that the appropriate mitigation actions can be taken.  Threat intelligence is often provided by independent providers or advisors, government agencies, or collaborative threat intelligence groups.
Threat intelligence should be analysed and used:

  • To include information gathered from threat intelligence sources into an organisation’s information security risk management processes.
  • As input into technical preventive and detective controls like firewalls, intrusion detection or prevention systems, or anti-malware solutions.
  • As input into information security test processes and techniques.

Information Security for Use of Cloud Services (5.23)

Everyone wants to feel that their information is safe in the cloud, whether you are a business or a customer. With increased high-profile hacking incidents and tighter legal and regulatory obligations, it is vital to ensure that information is stored and monitored correctly in the cloud. The ISO 27002:2022 update has recognised the need for a specific control requirement, calling for a ‘topic-specific’ policy to manage the process from the selection of service, use and management through to the exit strategy.
Example controls for use of cloud services:

  • Robust supplier engagement and assessment processes
  • Ensuring you understand and regularly review your Shared Responsibility Model and contractual agreements (including Service Levels Agreements (SLAs))
  • Strong security awareness, especially around topics such as malware and phishing risks etc.
  • IT solutions such as firewalls, antivirus, encryption methods, internet security tools, mobile device security, intrusion detection tools etc.
  • Implement and communicate a strong password policy

Physical Monitoring (7.4)

Physical security monitoring aims to keep unwanted guests out of your premises and ultimately to protect your assets and information from unauthorised tampering or from being stolen.
Firstly, protection measures should be designed to grant access to or protect valuable assets. Secondly, monitoring controls should be selected to ensure these protection measures are not breached or abused. These controls can either be sourced externally through third parties or implemented internally but should be based on risk and the value of the asset they are aiming to protect. Too much or too little control can be equally as expensive to an organisation if not evaluated appropriately.
Example controls for physical monitoring:

  • Video monitoring systems such as CCTV.
  • On-duty or patrol guards.
  • Intruder detection systems such as alarms or motion sensors.
  • Access control systems to grant authorised personal access such as pin, card, or bio-metric identification systems.
  • Effective visitor processes including signing in and out visitors, escorting visitors around areas, and authorising specialist contractor access.

Preparing for ISO 27001:2022 Certification

Although no action needs to be taken today, the ISO 27002:2022 update general guidelines present a great opportunity for organisations to start reviewing and updating their internal controls. Doing so now, ahead of the anticipated ISO 27001:2022 update, will enable organisations to more efficiently implement best practices to achieve compliance in the future.
Being prepared is key to cyber security compliance success. As your long-term cyber security partner, Dionach are here to aid a pain free transition to ISO 27001:2022.

Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]

Related Posts

Cyber Security in the Finance Sector: Protecting Sensitive Financial Data

The financial sector has long been a prime target for cyber criminals due to the vast amounts of sensitive data it holds, including personal identification information (PII), financial records, and payment card data. As digital banking services grow and financial institutions embrace technological advancements, the attack surface expands, making robust cyber security measures critical for […]
AdobeStock_476014459

Dionach Partnership with the UK Space Agency Enhances Cyber Security of Space SMEs

Cyber security consultancy Dionach have signed a contract extension with the UK Space Agency to accelerate cyber security within UK Space companies. Dionach, a leading cybersecurity consultancy, has signed a contract extension with the UK space agency to help SMEs within the Space Sector improve their cyber security practices and achieve Cyber Essentials Plus certification. […]
Contact Us

Contact Us Reach out to one of our cyber experts and we will arrange a call