20 August CPE ISO 27002 - Web Upload

Download as pdf or txt
Download as pdf or txt
You are on page 1of 34

ISO 27002:2022 new revision overview with ISO

27002:2013 comparison and certification process


Harisaiprasad K. CISA, APP, ISO 27001 LA, ISO 22301 LI, ISO 9001 LA, Six Sigma Green Belt

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved.
About me
Consultant in a private sector company. He has 14+ years
of experience in the industry, works in the area of SOX
audits and controls review. He has also conducted ISO
27001 audits, regulatory audits, third-party audits, internal
audits, IT audits, BCP reviews, user awareness training,
internal auditor training, risk assessments and
implemented ISO 27001, among other tasks. He is
currently ISACA New Delhi (India) Chapter leader and
social media chair. He is also a topic leader for the ISACA
Certified Information Systems Auditor (CISA ) online
forum and GLS task force member. He has spoken in
international conferences, published articles related to the
information security domain in the ISACA Now blog,
COBIT Focus, and in the ISACA Journal

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Contents
• Learning Objectives

• Introduction of ISO 27002:2022 standard

• Clauses & Controls

• Elements of Controls

• Comparison between ISO 27002:2013 and ISO


27002:2022

• Process of ISO 27001 certification

• Implementation of ISO 27001

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Learning Objectives

• Understand ISO 27002:2022 Standard

• Know the differences between the current version and previous version

• Have knowledge of implementing new controls, updating documentation based on merged


controls

• Help their organization process getting certified for ISO 27001

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Introduction to ISO 27002:2022

• ISO is specialized system for worldwide standardization. Standard provides guidelines for
Information security, cybersecurity and privacy protection of Information security controls

• Provides a generic mixture of organizational, people, physical and technological information


security controls derived from internationally recognized best practices

• Guidance document for an organisation for determining and implementing commonly


accepted information security controls

• Developing industry and organisation specific information security management guidelines

• Helps in developing controls necessary to ensure that the residual risk to the organization
meets its risk acceptance criteria

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Main changes to ISO 27002:2022

 Modified title “Information security, cybersecurity and privacy protection - Information security
controls”

 Changed structure with controls having simplified taxonomy, and associated attributes

 Some controls are merged, deleted, and new controls are introduced in Annex B

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Clauses and Controls

Clause Clause Name Number of Remarks


Number controls
5 Organisational 37 34 existing, 3 new

6 People 8 All existing

7 Physical controls 14 13 existing, 1 new

8 Technological controls 34 27 existing, 7 new

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
New Controls

Type of Control Control


Organisational Control 5.7 Threat intelligence
Organisational Control 5.23 Information security for use of cloud services
Organisational Control 5.30 ICT readiness for business continuity
Physical Control 7.4 Physical Security Monitoring
Technological Control 8.9 Configuration management
Technological Control 8.10 Information Deletion
Technological Control 8.11 Data masking
Technological Control 8.12 Data leakage prevention
Technological Control 8.16 Monitoring activities
Technological Control 8.23 Web filtering
Technological Control 8.28 Secure coding

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Renamed Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


6.2.2 Teleworking 6.7 Remote working
9.2.1 User registration and de-registration 5.16 Identity management
9.2.3 Management of privileged access rights 8.2 Privileged access rights
9.4.2 Secure log-on procedures 8.5 Secure authentication
9.4.5 Access control to program source code 8.4 Access to source code
7.3.1 Termination or change of employment 6.5 Responsibilities after termination or
responsibilities change of employment
11.1.1 Physical security perimeter 7.1 Physical security perimeters
11.2.6 Security of equipment and assets off- 7.9 Security of assets off-premises
premises
11.2.9 Clear desk and clear screen policy 7.7 Clear desk and clear screen
12.2.1 Controls against malware 8.7 Protection against malware

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Renamed Controls
ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control
12.7.1 Information systems audit 8.34 Protection of information systems during audit
controls testing
13.1.1 Network controls 8.20 Networks security
13.1.3 Segregation in networks 8.22 Segregation of networks
14.2.1 Secure development policy 8.25 Secure development life cycle
14.2.5 Secure system engineering 8.27 Secure system architecture and engineering
principles principles
14.3.1 Protection of test data 8.33 Test information
15.1.1 Information security policy for 5.19 Information security in supplier relationships
supplier relationships
15.1.2 Addressing security within 5.20 Addressing information security within supplier
supplier agreements agreements

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Renamed Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


15.1.3 Information and communication 5.21 Managing information security in the ICT
technology supply chain supply chain

16.1.1 Responsibilities and procedures 5.24 Information security incident management


planning and preparation

16.1.4 Assessment of and decision on 5.25 Assessment and decision on information


information security events security events

18.1.4 Privacy and protection of 5.34 Privacy and protection of PII


personally identifiable information

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


5.1.1 Policies for information security 5.1 Policies for information security
5.1.2 Review of the policies for
information security
6.1.5 Info. Sec. in project management 5.8 Information security in project management
14.1.1 Information security requirements
analysis and specification
6.2.1 Mobile device policy 8.1 User end point devices
11.2.8 Unattended user equipment
8.1.1 Inventory of assets 5.9 Inventory of information and other associated
8.1.2 Ownership of assets assets
8.1.3 Acceptable use of assets 5.10 Acceptable use of information and other
8.2.3 Handling of assets associated assets

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


8.3.1 Management of removable media 7.10 Storage media
8.3.2 Disposal of media
8.3.3 Physical media transfer
11.2.5 Removal of assets
9.1.1 Access control policy 5.15 Access control
9.1.2 Access to networks and network
services
9.2.2 User access provisioning 5.18 Access rights
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access
rights

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


9.2.4 Management of secret authentication 5.17 Authentication information
information of users
9.3.1 Use of secret authentication information
9.4.3 Password management system
10.1.1 Policy on the use of cryptographic controls 8.24 Use of cryptography
10.1.2 Key management
11.1.2 Physical entry controls 7.2 Physical entry
11.1.6 Delivery and loading areas

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


12.1.2 Change management 8.32 Change management
14.2.2 System change control procedures
14.2.3 Technical review of applications after
operating platform changes
14.2.4 Restrictions on changes to software
packages
12.1.4 Separation of development, testing 8.31 Separation of development, test and
and operational environments production environments
14.2.6 Secure development environment

12.4.1 Event logging 8.15 Logging


12.4.2 Protection of log information
12.4.3 Administrator and operator logs

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


12.5.1 Installation of software on 8.19 Installation of software on operational
operational systems systems
12.6.2 Restrictions on software installation

12.6.1 Management of technical 8.8 Management of technical vulnerabilities


vulnerabilities
18.2.3 Technical compliance review
13.2.1 Information transfer policies and 5.14 Information transfer
procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


14.1.2 Securing application services on public 8.26 Application security requirements
networks
14.1.3 Protecting application services
transactions
14.2.8 System security testing 8.29 Security testing in development and
14.2.9 System acceptance testing acceptance
15.2.1 Monitoring and review of supplier 5.22 Monitoring, review and change
services management of supplier services
15.2.2 Managing changes to supplier services
16.1.2 Reporting information security events 6.8 Information security event reporting
16.1.3 Reporting information security
weaknesses

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Merged Controls

ISO/IEC 27002:2013 control ISO/IEC 27002:2022 control


17.1.1 Planning information security 5.29 Information security during disruption
continuity
17.1.2 Implementing information security
continuity
17.1.3 Verify, review and evaluate
information security continuity

18.1.1 Identification of applicable legislation 5.31 Legal, statutory, regulatory and contractual
and contractual requirements requirements
18.1.5 Regulation of cryptographic controls
18.2.2 Compliance with security policies 5.36 Conformance with policies, rules and
and standards standards for information security
18.2.3 Technical compliance review

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Split Controls

There is only one control that was split: 18.2.3 Technical compliance review
was split into 5.36 Conformance with policies, rules and standards for
information security and 8.8 Management of technical vulnerabilities.

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Elements of each control

New Elements – Attribute Table

S.No Attributes Control


1 Control types Preventive, Detective, and Corrective
2 Info. Sec. properties Confidentiality, Integrity, and Availability
3 Cybersecurity concepts Identify, Protect, Detect, Respond, and Recover
4 Operational Capabilities Governance, Asset mgmt., Info. protection, HR sec., Physical
sec., S/m & network sec., Application sec., Sec. configuration,
IAM, Threat and vulnerability management, Continuity,
Supplier relationships sec., Legal and compliance, Info. Sec.
event management, and Info. Sec. assurance
5 Security domains Governance and ecosystem, Protection, Defense, and
Resilience

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Status of already existing elements in ISO 27002:2013

The elements that already existed in the ISO 27002:2013 & remain in this new revision are:

• Control title: The name of the control.

• Control: A description of what needs to be accomplished to be compliant with the control.

• Guidance: Tips on how the control should be implemented.

• Other information: Complementary information to understand the control and references


to other documents for consultation.

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Control Layout

• Control title
• Attribute table
• Control
• Purpose
• Guidance
• other information

ISO 27002 Control Control Info. Sec. Cybersec. Opertnal. Security


Control Name Type Properties Concepts Capabilities Domains
Identifier
5.30 ICT Corrective Availability Respond Continuity Resilience
readiness
for BC

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Sample – Control 5.5 Contact with Authorities

Control Type Info. Sec. Cybersecurity Operational Security


Properties concepts Capabilities Domains
Preventive Confidentiality Identify & Protect Governance Defence
Corrective Integrity Respond & Resilience
Availability Recover

Control: The organisation should establish and maintain contact with relevant authorities

Purpose: To ensure appropriate flow of information takes place with respect to information
security between the organisation and relevant legal, regulatory and supervisory authorities

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Sample – Control 5.5 Contact with Authorities

Guidance: The organisation should specify when and by whom authorities (eg., law enforcement,
regulatory bodies, supervisory authorities) should be contacted and how identified information
security incidents should be reported in a timely manner.
Contact with authorities should also be used to facilitate the understanding about the current and
upcoming expectations of these authorities (eg., application information security regulations)
Other information Organisations under attack can request authorities to take action against the
attack source.

Maintaining such contacts can be requirement to support information security incident


management (see 5.24 to 5.28) or the contingency planning and business continuity process (see
5.29 and 5.30). Contacts with regulatory bodies are also useful to anticipate and prepare for
upcoming changes in relevant laws or regulations that affect the organisations. Contacts with
other authorities include utilities, emergency services, electricity suppliers and health and safety
(eg., fire departments (in connection with business continuity), telecommunication providers (in
connection with line routing and availability) and water suppliers (in connection wit cooling
facilities for equipment)

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Using Attributes – Annex A

• Select what an organisation wants to view

• Add/delete attributes as suitable

• Approach that is useful for navigating the controls relation to events


risk scenarios, risk treatment plan, compliance requirements, etc.,

• Useful in tools (GRC, spreadsheets, reports)

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
ISO 27002:2013 and ISO 27002:2022 Comparison

S.No ISO 27002:2013 ISO 27002:2022


1 Information technology - Security Information security, cybersecurity and privacy
techniques - Code of practice for protection - Information security controls
information security controls
2 Assets associated with information Information and other assets
and information processing facilities Primary assets
Information
Organisation assets business processes and activities
Supporting assets (on which primary assets
rely)
Assets • Hardware, software, Network, Personnel,
Site, organisations structure

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
ISO 27002:2013 and ISO 27002:2022 Comparison

S.No ISO 27002:2013 ISO 27002:2022


3 Through a risk assessment, threats Information security specific risk assessment
to assets are identified
4 14 Control clauses, 114 controls 4 Clauses, 93 controls

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
ISO 27002:2013 and ISO 27002:2022 Comparison

ISO 27002:2013 ISO 27002:2022

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Process of ISO 27001 certification
• Gap Analysis
• Documentation
• Implementation
• Awareness training
• Selecting Certification body
• Operation
• Records and metrics
• Pre-assessment
• Internal Audit
• Corrective action plan
• Management review
• Stage 1 & Stage 2 Audit
• Certification
• Surveillance audits (annual)
Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Implementation of ISO 27001

• Risk assessment along with justification of exclusion of controls

• Requirements

• Agility

• Roles and responsibilities defined

• Metrics

• Continual improvements

• Reporting

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Road Ahead

• Gap assessment with the control of ISO 27002:2022 with that


of your organisation

• Audit you processes based on the new controls, document their


status and determine requirements of implementation

• Update and get approval of Statement of Applicability, risk


assessment, process procedures and metrics

• Get certified with revised standard within the grace period

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
References

 ISO 27001:2013 - Information technology — Security techniques — Information


security management systems — Requirements

 ISO 27002:2013 - Information technology — Security techniques — Code of practice for


information security controls

 ISO 27002:2022 - Information security, cybersecurity and privacy protection — Information


security controls

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon
Questions ?

Contact: [email protected]

https://www.linkedin.com/in/harisaiprasad-k-cisa-app-b4225015/

Thank You !

Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved. #ISACACon

You might also like