11 New controls introduced in the ISO 27002 2022

Our August newsletter outlined the changes delivered in the new 2022 version of ISO 27002. 

In terms of the recommended controls the overall count in the 2022 revision has 21 less controls than before and 24 of the original controls have been merged.  However, 11 new controls have also been introduced, let’s take a brief look at those new controls.

New Control – Title and reference number

• A.5.7 Threat intelligence
• A.5.23 Information security for use of cloud services
• A.5.30 ICT readiness for business continuity
• A.7.4 Physical security monitoring
• A.8.9 Configuration management
• A.8.10 Information deletion
• A.8.11 Data masking
• A.8.12 Data leakage prevention
• A.8.16 Monitoring activities
• A.8.23 Web filtering
• A.8.28 Secure coding

Control overview

A.5.7 - Threat intelligence – organisations need to be are aware of their threat environment so that they can put the right tools in place to collect and analyse threats, which will help them take the appropriate action to protect their information security.

A.5.23 - Information security use of cloud services – Have you put a cloud policy into action? – an organisation needs to consider managing the cloud usage from service introduction, ongoing service operation and service exit. ISO 27017 covers this topic in more detail and ISO 27017 is a mapping option for PMaaS clients.

A.5.30 - ICT readiness for business continuity – What is your ICT readiness for business continuity in the event of a disaster? Consider overall business processes and your ability to recover the necessary operational capabilities.

A.7.4 - Physical security monitoring – Increased emphasis on the use of physical security - alarm and monitoring systems to prevent unauthorised physical access.

A.8.9 - Configuration management – Are your IT systems, software, services and networks implemented and working correctly? – to ensure they are and not readily altered all implemented configurations should be secured, monitored, documented and reviewed.

A.8.10 - Information deletion – To minimise the risk of old data or information you hold being exposed, it should be deleted from servers, endpoint devices and storage media. This will also minimise any compliance or contractual issues regarding the exposure of information and its deletion.

A.8.11 - Data masking – A recommendation to use data masking techniques such as anonymisation and pseudonymisation, to improve your protection of sensitive data and limit issues arising from unauthorised access.

A.8.12 - Data leakage – If your organisation processes, stores or transmits sensitive information then it should put measures in place to detect and stop data being leaked, extracted or disclosed from your systems, networks and devices.

A.8.16 - Monitoring activities – Monitoring should be in place for systems, applications and networks to detect anomalous behaviour and take action to assess any potential security incidents.

A.8.23 - Web filtering – Management of employee access to external websites to limit exposure to malicious content which ultimately could cause your systems to be compromised.

A.8.28 - Secure coding – Software development work should be done using secure coding techniques which will help reduce the number of security vulnerabilities in the software.

Many organizations use ISO 27001 and ISO 27002 as the foundation of their information security management system. Before adapting your security controls to the reflect the new controls guidance in ISO 27002 it is well worth conducting a gap analysis to determine and discuss the differences. This will then allow you to consider which of the new controls should be a priority on your implementation schedule and determine the investment required to put them in place.

Click Here to read about how we help Rother District Council address the challenge of developing, delivering and maintaining IT policies and ensure they are aligned to recognised best practice guidance such as ISO 27002, CE+ and more.

Speak to our team about your best practice in IT policy content. Contact us today.