ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.
As a reminder, ISO 27002 (Information security, cybersecurity and privacy protection — Information security controls) is a guidance document which provides further best practice advice to strengthen your IT Security.
Today, Steve Mason explains the changes made to the 2022 version of ISO 27002, gives a summary of the 11 new controls and gives examples of some key considerations and actions you can take to implement them.
[01:28] A brief summary of the changes to ISO 27002:2022, including new controls, new structure and attribute types
[05:30] Controls in ISO 27002 now have a defined purpose to avoid misinterpretation
[06:29] A summary of the 11 new controls by name and category
[08:10] Threat intelligence – What tools do you have in place to identify threats? How do you monitor your threat intelligence effectiveness?
[11:20] Information Security use of Cloud Services – A reminder that ISO 27017 covers this in more detail! Do you have a cloud policy in place? Does it align with your clients security requirements?
[13:10] ICT readiness for Business Continuity – Focus on recovery of IT services following a disaster. Do you have Business Impact Assessments in place? If you’re certified to ISO 22301 – this area is most likely covered
[14:36] Physical Security monitoring – Are you monitoring physical security? i.e. keycard access, CCTV ect
[16:23] Configuration Management – Are you IT systems working well together? Do you have an established configuration for passwords? (i.e. how many characters, alpha numerical, symbols ect)
[18:13] Information Deletion – If data needs to be deleted, that it’s deleted in a secure manor and can’t be recovered.
[21:48] Data Masking – Make sure that any data that shouldn’t be shared is masked in some way i.e. obfuscated or anonymized.
[23:31] Data Leakage – Put measures in place to stop data being leaked through i.e. USB’s, people sending business information to personal email addresses ect
[26:55] Monitoring Activities – You could monitor network traffic, software access ect. Be selective in your monitoring, only do so if it will be of benefit to the business.
[28:04] Web Filtering – Ensure that employees can’t access any nefarious / high risk websites that could cause a security breach
[30:15] Secure Coding – Make sure that coding is done securely – making sure that any software developed is secure and free of as many vulnerabilities as possible.
Download our ISO 27002 changes Quick Guide here:
Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!
We’d love to hear your views and comments about the ISO Show, here’s how:
Subscribe to keep up-to-date with our latest episodes: