ISO/IEC 27002:2022 Information security, cybersecurity and privacy pro…
Page Information
Contents
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection– Information security controls
1. What is ISO/IEC 27002:2022?
Security Management Systems (ISMS). It is used as a reference for determining and implementing controls for handling information security risks in the Information Security Management System (ISMS) based on ISO/IEC 27001. By complying with the ISO/IEC 27002 guidelines, businesses can take a proactive approach to cybersecurity risk management and protect sensitive information from unauthorized access and loss.
ISO/IEC 27002:2022 provides a general framework for organizational, business, business and information security controls derived from internationally recognized best practice participants. It can therefore be used as a guidance document for organizations determining and implementing information security controls to which they are generally authorized. It can also be used to develop industry- and organization-specific information security management guidelines, taking into account the specific information security risk environment. Organization- or environment-specific controls not included in this document may determine the risk assessment as needed.
2. ISO/IEC 27001:2022 and ISO/IEC 27002:2022
ISO/IEC 27001 outlines the requirements for ISMS, while ISO/IEC 27002 provides best practices and control objectives related to key cybersecurity aspects, including access control, encryption, human resource security, and incident response.
An appendix to ISO/IEC 27001: 2022 provides a table of information security controls that can be used to handle information security risks. Information security risk processing involves information security control.
- 1) Determine all controls required to implement the selected Information Security Risk Handling options.
- 2) Compare the determined controls to those in Appendix A and ensure that the required controls are not omitted.
- 3) Create a statement of applicability. (including whether the necessary controls and controls have been implemented)
3. Major changes to ISO/IEC 27001:2022
- - Restructuring existing controls minimizes the risk of data breaches, unauthorized access, and potential financial and reputational damage.
- - The revised standard reduced the number of security controls from 114 to 93.
- - 11 new controls were introduced, 24 controls were merged, and 58 controls were updated.
- - The control structure has been modified to introduce "attributes" and "purpose" for each control and no longer use "objective" for control groups.
4. Grouping of controls
A control is defined as a measure that modifies or maintains risk. Some of the controls in this document are controls that modify risk, while others maintain risk. Some controls describe the same generic measure in different risk contexts. The 2022 revised edition grouped four control areas.
- 1) Organizational controls
- 2) People controls
- 3) Physical controls
- 4) Technological controls
Each control is linked by five attributes, which can be used to filter, sort, and display various controls. Each attributes is as follows.
- 1) Control type : Control type is an attribute to view controls from the perspective of when and how the control modifies the risk with regard to the occurrence of an information security incident.
- Attribute values - Preventive, Detective, Corrective
-
- 2) Information security properties : Information security properties is an attribute to view controls from the perspective of which characteristic of information the control will contribute to preserving.
- Attribute values - Confidentiality, Integrity, Availability.
-
- 3) Cybersecurity concepts : Cybersecurity concepts is an attribute to view controls from the perspective of the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110.
- Attribute values - Identify, Protect, Detect, Respond, Recover.
-
- 4) Operational capabilities : Operational capabilities is an attribute to view controls from the practitioner’s perspective of information security capabilities.
- Attribute values - Governance, Asset_management, Information_protection, Human_resource_security, Physical_security, System_and_network_ security, Application_security, Secure_configuration, Identity_and_access_management, Threat_and_vulnerability_management, Continuity, Supplier_relationships_security, Legal_and_ compliance, Information_security_event_management , Information_security_assurance.
-
- 5) Security domains : Security domains is an attribute to view controls from the perspective of four information security domains. Each domain consists of the following.
- - Governance and Ecosystem : Information System Security Governance & Risk Management, Ecosystem cybersecurity management
- - Protection : IT Security Architecture, IT Security Administration, Identity and access management, IT Security Maintenance, Physical and environmental security
- - Defence : Detection, Computer Security Incident Management
- - Resilience : Continuity of operations, Crisis management
5. Added controls
- 1) Threat intelligence : Information relating to information security threats should be collected and analysed to produce threat intelligence.
- 2) Information security for use of cloud services : Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
- 3) ICT readiness for business continuity : ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
- 4) Physical security monitoring : Premises should be continuously monitored for unauthorized physical access.
- 5) Configuration management : Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
- 6) Information deletion : Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
- 7) Data masking : Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
- 8) Data leakage prevention : Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
- 9) Monitoring activities : Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
- 10) Web filtering : Access to external websites should be managed to reduce exposure to malicious content.
- 11) Secure coding : Secure coding principles should be applied to software development.
- PreviousISO 14644 Certification (Cleanroom and Related Control Environments) 24.01.19
- NextDelayed Enforcement of facility registration and product listing under MoCRA 23.12.27
Comment list
There are no registered comments.