Update to ISO/IEC 27002 - Information security controls

Jeff Bennison at Rackspace Technology explains what the recent update to ISO/IEC 27002 (Information security, cybersecurity and privacy protection — Information security controls) means for organisations

Adherence to strong cyber security standards is as important as ever for companies in, and trying to sell to, highly regulated industries, such as financial services, government, and critical infrastructure.

Not only does it ensure they understand their organisational risk and keep their data safe, but it could make the difference when securing contracts with companies that demand cyber excellence across their supply chain.

As such, organisations must ensure they are keeping up to date with the latest standards and they don’t leave themselves exposed. Earlier this year, the ISO/IEC 27002 information security standard underwent a series of highly welcome updates that security teams now need to implement to remain compliant.

The standard is the associated document to ISO 27001, last revised in 2013, and gives detailed implementation guidance for these existing directives. Many of the new controls outlined in the update ensure businesses are adapting to the new security landscape.

For example, with the explosion of cloud in recent years, there was an impending need to implement controls around ‘Information security for the use of cloud services (5.2.3)’. ‘Data leakage prevention (8.12)’ and ‘Data masking (8.11)’ are also in direct response to recent breaches.

ISO/IEC 27001 and ISO/IEC 27002 have always been important for organisations to commit to and should be seen as a baseline to identify, measure and improve information security. However, what do these changes mean to businesses and how can they comply with the updated standard?

How does the update impact my organisation?

Let’s start by looking at the changes. Key revisions in the latest standard include:

• The phrase “Code of Practice” has been omitted from the title of the ISO/IEC 27002. This is to enable readers/implementors to understand its purpose as an ISO/IEC 27001 reference for control description and application.
• The number of controls has also been streamlined from 114 down to 93, with the remaining clauses now grouped into four clear sections – Organisational, People, Physical and Technological. Similarly, a total of 23 controls have been renamed to enable an easier understanding and implementing of them.
• 11 new controls have been added to reflect the changing security landscape. These include Threat intelligence, Information security for the use of cloud services, Data masking and Secure coding.

These changes address both the controls themselves and how to use and organise them. The Information Security Management System (ISMS) risk management process allows organisations to select controls to reduce organisational risk at will, from anywhere.

Obviously, the focus relies on the controls contained within ISO/IEC 27002. If an organisation selects controls from sources other than ISO/IEC 27002, they must be compared to ISO/IEC 27002 and any variance justified and documented. 

Any organisation currently certified to ISO/IEC 27001:2013 can continue referencing and selecting the controls within the current ISO/IEC 27002:2013. Alternatively, they have an option to utilise controls in the new version (as part of the Information Security Review process) if they wish.

Like any update to a standard there is a transition period. In this case that period is two years, which starts from the date of the release of the updated ISO/IEC 27001 – so there is plenty of time to plan.

Managing the update as a certified organisation

During the transition, certified organisations will need to perform a risk treatment review to ensure it is aligned with the document structure and new control numbering. They will also need to edit their Statement of Applicability ensuring new controls are accurately listed, and review and edit/update accordingly the ISMS documentation to reflect the changes. There may also be some documents which do not exist and need creating and implementing.

ISO/IEC 27001 is already document heavy, so this is the area which is likely to require the most effort. The new ISO/IEC 27002 includes an annex identifying the 2013 standard to ease the process of implementing the new version.

Ensuring a successful transition

Whether an organisation chooses to certify due to an internal desire to understand the risks it is facing or external pressure from due diligence/right to audit activity, managing this transition correctly is essential.

With ISO/IEC 27002, you can become uncompliant very quickly, but by engaging a third party to perform tasks like scope reviews, gap analysis, user awareness training or simply creating documentation, you can make this process far more seamless.

Effective implementation of these standards will help organisations to identify suitable and proportionate security controls within the process of setting up an ISMS, and enable them to achieve best practice in information security management. It will also help them to meet any legal, statutory, regulatory, and contractual requirements in relation to information security.

But ultimately, it will enable them to strengthen their risk management and reduce the likelihood of information security breaches.

Jeff Bennison is Director of Security Consulting, Professional Services EMEA at Rackspace Technology

Main image courtesy of iStockPhoto.com