Earlier this year, ISO/IEC JTC 1/SC 27 released ISO 27002:2022. This guidance document gives us some insight into what the new ISO 27001 standard will look like, and some good changes are coming! It appears that the number of Annex controls will drop from 114 to 93, and 11 of the Annex controls are a welcome, modern addition to information security and privacy concerns. ISMS Managers should purchase copies of ISO 27002:2022 and ISO 27001:2022 when available and review the controls carefully.
ISO 27002:2022 Changes to Operations Management
Two of the 11 new controls fall under operations management:
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
Annex control 5.23 will require a thorough review and understanding of cloud service agreements, and confirmation that a cloud service provider can address any compliance, regulatory, or business requirements that apply to the systems or information being stored in their cloud. For ICT readiness, ISO 27002 requires Business Impact Assessments (BIAs) as part of your business continuity program. If you don't already, be sure to template and plan BIA activities as you adopt the new standard!
Three of the 11 new controls fall under information management:
- 5.7 Threat intelligence
- 8.10 Information deletion
- 8.11 Data masking
The organization must act on threats to, and changes in, the information entrusted to it. For threat intelligence, most organizations rely on a 3rd party provider. Don't be lulled into thinking that's enough, however! Internal operations should be part of threat intelligence reporting, as should the diligence to address the 3rd party's recommendations. For information deletion and data masking, document and monitor the requirements your business, your regulators, and your legal counsel have set down. On a scheduled basis, prove you do what they require.
Two of the 11 new controls fall under software and systems management:
- 8.28 Secure coding
- 8.9 Configuration management
Regardless of whether your development teams are internal or external, imposing secure coding and configuration lifecycles is critical. For these controls, consider setting up required OWASP Top 10 training for all developers, formalizing Functional Requirements Specifications (FRS), and adding both internal and external security testing to your Integration and User Acceptance Testing (UAT) procedures.
Four of the 11 new controls fall under monitoring management:
- 8.16 Monitoring activities
- 8.12 Data leakage prevention
- 8.23 Web filtering
- 7.4 Physical security monitoring
These four controls increase formal requirements on monitoring activities that many firms already conduct. Most of these monitoring activities will be completed by 3rd party software such as a monitored SIEM, CASB, proxies, or gateways. Should you use these tools, be sure to parse, process, and resolve the information you collect in a formal process. Collecting data and ignoring it, whether from a 3rd party report or your own logging systems, may be worse than not monitoring at all!
Remember that implementing these controls should involve evaluating and updating your existing processes and not a quick document “checklist” fix.