The ISO/IEC 27002
got its long-overdue revamp
and now it’s got a structure you need to know about.
If you’re not familiar with this name,
don’t worry too much!
The ISO/IEC 27002 is a standard
that is part of the ISO/IEC 27000 family.
These are developed by the ISO (International Organization for Standardization)
and the IEC (International Electrotechnical Commission).
As such,
ISO/IEC 27002 is an information security standard
that provides a recognized framework
for information security management best practices.
The last time the industry had seen an update on this standard
was back in 2013,
when the second version came out.
This year,
in February,
the third version was published
and everyone who cares about cybersecurity is super excited
to know what’s new there.
Here,
we’ll give you a short summary.

What’s new

Let’s start with the title.
It reads Information security, cybersecurity and privacy protection.
So this new iteration not only deals with information security,
like the previous one,
but also cybersecurity and privacy,
and that’s clear from the very beginning.
This interest in these two concepts reveals
what (at least part of) the rationale is for issuing this third version.
Namely,
ISO/IEC 27002 is catching up to NIST’s Framework
for Improving Critical Infrastructure Cybersecurity,
as well as the growing attention to privacy protection.
Indeed,
we have mentioned elsewhere
that the increasing prioritization of privacy is pushing more organizations
to comply with modern privacy laws,
such as the LGPD and the CCPA.
Ultimately,
something the new iteration of ISO/IEC 27002 offers
is the possibility of navigating more easily between various other frameworks
and standards.

Now we can move on to the structure.
The past edition grouped security controls into 14 clauses,
whereas the new edition groups them into four themes:
organizational, people, physical and technological controls.
The previous version’s clauses
and this new version’s themes
are listed in Figure 1.
These themes’ names are interestingly reminiscent
of the four entities
(or parties)
that NIST mentions in some of its documents.
In fact,
it has been suggested
that impact on these entities is to be taken into consideration
when conducting risk assessments.
This could facilitate finding common ground between ISO and NIST.
However,
a case could be made
that the organizational theme is a “catch-all group”
that houses controls
that don’t fit too well in the remaining themes.
In that sense,
maybe the intention is good
but the reference between themes
and entities is not as perfect as one would probably wish.

Remarkably,
the 2013 version’s 114 security controls went through merging
and updating processes
to create this year’s version.
Now we’ve got 93 security controls,
of which 82 come from the previous version
—58 updated, and 24 merged—
and 11 are new.
The following are the new ones:

• Threat intelligence

• Information security for use of cloud services

• ICT [information and communications technology] readiness
  for business continuity

• Physical security monitoring

• Configuration management

• Information deletion

• Data masking

• Data leakage prevention

• Monitoring activities

• Web filtering

• Secure coding

As could be easily guessed,
the first three belong to the organizational theme;
the fourth, to the physical theme;
and the rest, to the technological theme.
Let us just say
that one of the most interesting controls in this list is the second one,
referring to cloud computing.
Indeed,
this control reminds us just how badly the ISO/IEC 27002 needed an update.
We have stated elsewhere
that cloud adoption grew last year,
and this is expected to go on this year.
Moving down the list to the technological-themed controls,
we can see that some of them suit privacy regulation requirements,
again,
showcasing privacy protection as a priority.

Another helpful addition of this iteration is
that each control is characterized by values of a set of attributes:

• Control type (preventive, detective and/or corrective)

• Information security properties (confidentiality, integrity and availability)

• Cybersecurity concepts (identify, protect, detect, respond and recover)

• Operational capabilities (e.g., governance, asset management,
  information protection)

• Security domains (governance and ecosystem, protection, defense,
  and resilience)

What catches the eye immediately are the cybersecurity concepts,
whose values refer to the functions
taken into account by the NIST cybersecurity standard.
As stated by this standard,
these functions,
considered together,
“provide a high-level,
strategic view
of the lifecycle of an organization’s management of cybersecurity risk.”
The attributes we see in this new version inform
about the applications of controls,
reflecting their complexities more vividly.
However,
it has been suggested
that the assignment of some of these attributes could be arbitrary and,
if done more accurately,
“the standard would become unwieldy.”

Finally,
the previous version mentioned objectives
that each control would help to achieve.
So,
if an objective is accepted by an organization,
they could refer to controls related to that objective
and implement them to mitigate risk.
In this year’s version,
objectives transformed into purposes.
The idea is pretty much the same,
although there is criticism
that purposes don’t reference the organization’s information risks
the controls aim to mitigate
as clearly as objectives did.

How does the new version affect organizations?

Organizations around the world seek to be certified
as compliant with security standards.
When it comes to the ISO/IEC 27000 family,
the standard that can be used
worldwide “as the basis for formal compliance assessment
by accredited certification auditors”
is the ISO/IEC 27001:2013.

In turn,
what the ISO/IEC 27002 does
is provide information about the security controls
that organizations can implement according to their needs
and the risks they have identified.
In short,
the new version shouldn’t impact auditing
and the fact it’s now published doesn’t mean
ISO/IEC 27001-certified organizations are getting their certification revoked.
What it does mean for organizations is an opportunity
to update their security controls
and find out what new controls they should be implementing.

At Fluid Attacks,
we use the ISO/IEC 27001:2013
and the ISO/IEC 27002:2022
as a reference
for our assessments of organizations systems’ security vulnerabilities.
Contact us!

Caution:
Many major details from the new standard are missing in this blog post.
Having read this post in no way substitutes
for careful reading of the ISO/IEC 27002:2022.
For your purposes other than personal,
we recommend that you purchase and read the
full text.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/iso-iec-27002-2022/