Part 1 of 2 Authors: Shannon-Louise Huxley – GRC Consultant, Steve Rowe – GRC Consultant The release of the ISO 27002:2022 update brings a restructure of the standard and several new controls. This post provides a breakdown of these new elements and how best practices can be applied to meet the controls' objectives. This is the first of two parts; it looks at the following section 5 and section 7 controls of the ISO 27002:2022 general guidelines. The section 8 controls will be covered in part 2. In this post, we will be covering:
- Threat Intelligence (5.7)
- Information Security for Use of Cloud Services (5.23)
- Physical Monitoring (7.4)
Threat Intelligence (5.7)
Threat intelligence is data collected about existing or emerging cyber threats that has been processed and analysed to provide awareness of an organisation's threat environment, so that appropriate mitigation actions can be taken. Threat intelligence is often provided by independent providers or advisors, government agencies, or collaborative threat intelligence sharing groups. Threat intelligence should be analysed and used:
- To feed information gathered from threat intelligence sources into the organisation's information security risk management processes.
- As input into technical preventive and detective controls like firewalls, intrusion detection or prevention systems, or anti-malware solutions.
- As input into information security test processes and techniques.
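The second bullet, using threat intelligence as input to detective controls, is the one that most often goes wrong in practice: indicators arrive in mixed case, as CIDR ranges rather than single addresses, and with expiry dates that are ignored, so matching produces either misses or stale alerts. The following Python is an added example, not code from the original post or from any ISO material; the feed format (type,value,valid_until,confidence), the key=value log format and every address, host name and hash in it are constructed for illustration. It normalises a small indicator feed, drops expired indicators, and matches the remainder against sample firewall/proxy log lines, mapping confidence to a recommended action.

```python
"""Match a threat-intelligence indicator feed against firewall/proxy log lines.

Added example for ISO 27002:2022 control 5.7 (threat intelligence as input to
detective controls). Feed and log formats below are constructed, not a real
provider's data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ipv4", "cidr", "domain" or "sha256"
    value: str         # normalised value (networks as CIDR, domains/hashes lower-case)
    valid_until: date  # indicators past this date are treated as stale and ignored
    confidence: str    # "high" or "medium" (constructed scale)


@dataclass(frozen=True)
class Hit:
    src: str        # internal source address from the log line
    indicator: str  # normalised indicator value that matched
    action: str     # "block" for high-confidence indicators, otherwise "alert"


# Constructed sample feed: type,value,valid_until,confidence.
SAMPLE_FEED = """\
ipv4,198.51.100.23,2030-01-01,high
cidr,203.0.113.0/24,2030-01-01,medium
domain,Evil-Updates.example,2030-01-01,high
domain,stale.example,2020-01-01,high
sha256,8F434346648F6B96DF89DDA901C5176B10A6D83961DD3C1AC88B59B2DC327AA4,2030-01-01,high
"""

# Constructed sample proxy/firewall log lines in key=value form.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=198.51.100.23 host=- action=allow",
    "2024-05-01T10:00:03Z src=10.0.0.7 dst=203.0.113.77 host=- action=allow",
    "2024-05-01T10:00:09Z src=10.0.0.9 dst=192.0.2.10 host=cdn.EVIL-updates.example action=allow",
    "2024-05-01T10:00:12Z src=10.0.0.9 dst=192.0.2.11 host=stale.example action=allow",
    "2024-05-01T10:00:15Z src=10.0.0.3 dst=192.0.2.12 host=notevil-updates.example action=allow",
    "2024-05-01T10:00:20Z src=10.0.0.4 dst=192.0.2.13 host=intranet.corp "
    "sha256=8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_feed(text: str) -> list[Indicator]:
    """Parse and normalise the feed so later comparisons are exact."""
    indicators: list[Indicator] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, until, confidence = (f.strip() for f in line.split(","))
        if kind in ("ipv4", "cidr"):
            # Single addresses become /32 networks; malformed entries raise instead of silently passing.
            value = str(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            value = value.lower().rstrip(".")
        elif kind == "sha256":
            value = value.lower()
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
        indicators.append(Indicator(kind, value, date.fromisoformat(until), confidence))
    return indicators


def live_indicators(indicators: list[Indicator], today: date) -> list[Indicator]:
    """Drop expired indicators; stale IOCs are a common source of false positives."""
    return [i for i in indicators if i.valid_until >= today]


def parse_log_line(line: str) -> dict[str, str]:
    return dict(KV_RE.findall(line))


def match_logs(logs: list[str], indicators: list[Indicator], today: date) -> list[Hit]:
    hits: list[Hit] = []
    for line in logs:
        fields = parse_log_line(line)
        host = fields.get("host", "").lower().rstrip(".")
        for ind in live_indicators(indicators, today):
            matched = False
            if ind.kind in ("ipv4", "cidr"):
                try:
                    matched = ipaddress.ip_address(fields.get("dst", "")) in ipaddress.ip_network(ind.value)
                except ValueError:
                    matched = False  # "dst" missing or not an address
            elif ind.kind == "domain":
                # Exact match or a subdomain; the leading dot stops "notevil-updates.example" matching.
                matched = host == ind.value or host.endswith("." + ind.value)
            elif ind.kind == "sha256":
                matched = fields.get("sha256", "").lower() == ind.value
            if matched:
                action = "block" if ind.confidence == "high" else "alert"
                hits.append(Hit(fields.get("src", "?"), ind.value, action))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, parse_feed(SAMPLE_FEED), date(2024, 5, 1)):
        print(f"{hit.action:5} src={hit.src} indicator={hit.indicator}")
```

Run against the constructed data on 2024-05-01, four of the six lines match: the single address, the address inside the /24, the subdomain of the listed domain (despite the case difference) and the hash. The stale.example indicator is skipped because it expired, and notevil-updates.example is not matched because the comparison requires a label boundary. The confidence-to-action mapping is the point where the feed stops being data and becomes a control decision, which is why it should be reviewed as part of the risk management process rather than left to a default.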
Information Security for Use of Cloud Services (5.23)
Everyone, whether a business or an individual customer, wants to feel that their information is safe in the cloud. With high-profile breaches on the rise and tighter legal and regulatory obligations, it is vital to ensure that information is stored and monitored correctly in the cloud. The ISO 27002:2022 update recognises this with a specific control, calling for a 'topic-specific' policy that covers the whole lifecycle of a cloud service: selection, use and management, through to the exit strategy. Example controls for use of cloud services:
- Robust supplier engagement and assessment processes
- Ensuring you understand and regularly review your Shared Responsibility Model and contractual agreements (including Service Level Agreements (SLAs)), so that it is clear which security tasks the provider performs and which remain yours
- Strong security awareness, especially around topics such as malware and phishing risks
- Technical measures such as firewalls, antivirus, encryption, internet security tools, mobile device security and intrusion detection tools
- Implement and communicate a strong password policy
Physical Monitoring (7.4)
Physical security monitoring aims to keep unwanted guests out of your premises and ultimately to protect your assets and information from unauthorised tampering or theft. Firstly, protection measures should be designed to control access to valuable assets. Secondly, monitoring controls should be selected to ensure these protection measures are not breached or abused. These controls can either be sourced externally through third parties or implemented internally, but should be based on risk and the value of the asset they are aiming to protect. Too much or too little control can be equally expensive to an organisation if not evaluated appropriately. Example controls for physical monitoring:
- Video monitoring systems such as CCTV.
- On-duty or patrol guards.
- Intruder detection systems such as alarms or motion sensors.
- Access control systems that grant access only to authorised personnel, such as PIN, card or biometric identification systems.
- Effective visitor processes, including signing visitors in and out, escorting visitors around areas, and authorising specialist contractor access.