Part 1 of 2
Authors: Shannon-Louise Huxley – GRC Consultant, Steve Rowe – GRC Consultant
The release of the ISO 27002:2022 update brings a restructure of the standard and several new controls. This post aims to provide a breakdown of these new elements and how best practices can be applied to meet the controls’ objectives. This is the first of two parts that first looks at the following section 5 and section 7 controls of ISO 27002:2022 general guidelines. Section 8 controls will be in the part 2.
In this post, we will be covering:
- Threat Intelligence (5.7)
- Information Security for Use of Cloud Services (5.23)
- Physical Monitoring (7.4)
For an overview of all the changes to ISO 27002:2022, you can also refer to ISO 27002 Update 2022 – Summary of Changes.
Threat Intelligence (5.7)
Threat intelligence is data that is collected about existing or emerging cyber threats that have been processed and analysed to provide awareness of an organisation’s threat environment so that the appropriate mitigation actions can be taken. Threat intelligence is often provided by independent providers or advisors, government agencies, or collaborative threat intelligence groups.
Threat intelligence should be analysed and used:
- To include information gathered from threat intelligence sources into an organisation’s information security risk management processes.
- As input into technical preventive and detective controls like firewalls, intrusion detection or prevention systems, or anti-malware solutions.
- As input into information security test processes and techniques.
Information Security for Use of Cloud Services (5.23)
Everyone wants to feel that their information is safe in the cloud, whether you are a business or a customer. With increased high-profile hacking incidents and tighter legal and regulatory obligations, it is vital to ensure that information is stored and monitored correctly in the cloud. The ISO 27002:2022 update has recognised the need for a specific control requirement, calling for a ‘topic-specific’ policy to manage the process from the selection of service, use and management through to the exit strategy.
Example controls for use of cloud services:
- Robust supplier engagement and assessment processes
- Ensuring you understand and regularly review your Shared Responsibility Model and contractual agreements (including Service Levels Agreements (SLAs))
- Strong security awareness, especially around topics such as malware and phishing risks etc.
- IT solutions such as firewalls, antivirus, encryption methods, internet security tools, mobile device security, intrusion detection tools etc.
- Implement and communicate a strong password policy
Physical Monitoring (7.4)
Physical security monitoring aims to keep unwanted guests out of your premises and ultimately to protect your assets and information from unauthorised tampering or from being stolen.
Firstly, protection measures should be designed to grant access to or protect valuable assets. Secondly, monitoring controls should be selected to ensure these protection measures are not breached or abused. These controls can either be sourced externally through third parties or implemented internally but should be based on risk and the value of the asset they are aiming to protect. Too much or too little control can be equally as expensive to an organisation if not evaluated appropriately.
Example controls for physical monitoring:
- Video monitoring systems such as CCTV.
- On-duty or patrol guards.
- Intruder detection systems such as alarms or motion sensors.
- Access control systems to grant authorised personal access such as pin, card, or bio-metric identification systems.
- Effective visitor processes including signing in and out visitors, escorting visitors around areas, and authorising specialist contractor access.
Preparing for ISO 27001:2022 Certification
Although no action needs to be taken today, the ISO 27002:2022 update general guidelines present a great opportunity for organisations to start reviewing and updating their internal controls. Doing so now, ahead of the anticipated ISO 27001:2022 update, will enable organisations to more efficiently implement best practices to achieve compliance in the future.
Being prepared is key to cyber security compliance success. As your long-term cyber security partner, Dionach are here to aid a pain free transition to ISO 27001:2022.