New in Information Security: An In-Depth Look at ISO 27001 and 27002

By Ian Bowell, Head of Information Security – EMEA

Information security attacks continue to impact organizations around the world and there is no sign that the frequency, variety or scope of breach events will decrease any time soon. To meet the challenge of changing risks, a well-known standard in cybersecurity compliance has been recently updated, as anticipated for some time.

The ISO 27001 is the international standard for Information Security management from the International Organization for Standardization. Currently utilizing definitions from the 2013 documents, with updates in 2014 and 2015, it is the central framework for the implementation requirements of an ISMS (Information Security Management System). Organizations can certify to ISO 27001, leveraging the management standard to achieve compliance. The new third edition of ISO 27002, released in 2021, introduces a code of practice for security controls which complements the requirements of ISO 27001.

The implementation of, certification against and compliance with ISO 27001 and 27002 present new opportunities for revenue growth. By aligning your data security with ISO standards, your organization stands out as operating according to international best practices. Investors and stakeholders, as well as new and existing clientele, can rest assured that your organization’s data is secured using ISO standards.

To be clear, the ISO 27001 is the standard against which organizations are certified. ISO 27002 provides the supplementary detail for the selection, implementation and management of information security controls.

The differences indicate the new and updated ways in which an organization must address and manage information security in order to become ISO 27001 certified in the near future. Organizations must recertify every three years, with annual surveillance audits, allowing for a conversion period when a new standard is released. If the ISO 27002 results in a new recertification process in 2021 or 2022, organizations will have the option to recertify to the old 2013 standard allowing time to update the associated processes according to the new ISO 27002 controls. By 2024 or 2025 all organizations will be using the new standard, but those keen to update will do so much sooner.

The ISO works to ensure consistency across all their standards in different areas of business such as manufacturing, supply chain and financial services. If your organization has other ISO certifications such as risk management, financial management, etc., it is likely that those standards will update to condense older processes or add new requirements. The key to managing ISO certification is to address multiple standards with an interrelated consistent process to minimize repetitive or conflicting processes between updates.

As information security is one of the key business practices these days, and of great concern to modern businesses and their executive boards, it is not surprising that ISO 27002 leads the way to revision.

But enough of the context, and on to the controls themselves – what has changed?

Information Security controls are now in 4 categories:

  • Section 5. Organizational controls
  • Section 6. People controls
  • Section 7. Physical controls
  • Section 8. Technological controls

This significantly reduces the current 14 categories, and as noted above, provides more consistency and commonality with other ISO standards.

The total number of controls in ISO 27002 has been reduced from 114 to 93, and sixteen legacy controls have been removed.

Reflecting the ever-changing cybersecurity landscape, twelve new controls have been introduced as follows:

  • Threat intelligence
  • Information security for use of cloud services
  • Data leakage prevention
  • Information deletion and data obfuscation, or masking, for privacy
  • Business continuity readiness
  • Identity management
  • Physical security monitoring
  • Endpoint security for user devices
  • Configuration management
  • Web filtering
  • Secure coding

In a further development of the often-quoted CIA security properties of Confidentiality, Integrity and Availability, the new ISO 27001 details new attributes to ease classification and management. Each control is assigned a type such as Preventive, Detective or Corrective, alongside the Information Security properties (CIA) as before.

Identify, Protect, Detect, Respond and Recover are used as the key cybersecurity concepts, and operational capabilities such as continuity, physical security and information security event management have been assigned to the controls.

At Edge, we provide a defense in depth approach, with various products and layers of cybersecurity to address upcoming changes from the ISO. With many of these controls in place already, we look forward to matching our processes and controls to the newest standard.

There are many more details, and the full document can be purchased from the ISO here: https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:dis:ed-3:v1:en

We look forward to doing so ourselves to further digest and apply the standard when we recertify. Whether the new standard will be available when we recertify ourselves in 2022 remains to be seen.

And thanks to Rushabh Mehta for the analysis of the new ISO 27002.