With the increasing use of technology and the world becoming more digital, organizations have collected more and more personal data to help them better understand their customers. While this data is a valuable asset for an organization to generate revenue, organizations also have a responsibility to protect this data against security incidents and data breaches. Therefore, implementing security controls to protect personal data stored within an organization is important to safeguard information, track foreseeable threats, follow industry best practices, improve an organization’s reputation, save on costs, and help meet compliance with standards like ISO/IEC 27002:2022—Information Security, Cybersecurity And Privacy Protection – Information Security Controls.
The ISO/IEC 27002:2022 Standard for Information Security Controls
ISO/IEC 27002:2022 provides a reference set of generic information security controls including implementation guidance for policies, rules, processes, procedures, organizational structures, and software and hardware functions. The organization should define, implement, monitor, review and improve these security controls where necessary to meet its specific security and business objectives. Controls in the standard refer to measures that modify or maintain a risk. It is found that 84% of users are more loyal to companies with strong security controls and hence implementing security controls is not just beneficial to safeguard data but also to retain customers. Moreover, ISO/IEC 27002:2022 is specifically designed to be used by organizations:
- Within the context of an information security management system (ISMS) based on ISO/IEC 27001
- For implementing information security controls based on internationally recognized best practices
- For developing organization-specific information security management guidelines
Implementing a Successful Information Security Management System (ISMS)
Organizations of all types and sizes (including public and private sector, commercial and non-profit) create, collect, process, store, transmit, and dispose of information in many forms, including electronic, physical, and verbal (e.g. conversations and presentations). Implementing a successful information security management system (ISMS) provides assurance to the organization’s management and other interested parties that their information and other associated assets are kept reasonably secure and protected against threats and harm. An effective ISMS therefore enables the organization to achieve its stated business objectives and can be achieved via following the implementation guidance detailed in ISO/IEC 27002:2022.
An ISO/IEC 27001 ISMS takes a holistic, coordinated view of the organization’s information security risks in order to determine and implement a comprehensive suite of information security controls within the overall framework of a coherent management system. To better understand how ISO/IEC 27002:2022 is different from ISO/IEC 27001:2022, check out Changes in the New ISO/IEC 27001 and ISO/IEC 27002 and ISO/IEC 27001:2022 – Information Security Systems.
What Are the Information Security Requirements in ISO/IEC 27002:2022?
ISO/IEC 27002:2022 maintains that there are three main sources of information security requirements that help determine security controls:
1. Risk Assessment
The assessment of risks to the organization, taking into account the organization’s overall business strategy and objectives. Determining controls is dependent on the organization’s decisions following a risk assessment.
2. Legislation and Regulations
The legal, statutory, regulatory, and contractual requirements that an organization and its interested parties (trading partners, service providers, etc.) have to comply with and their sociocultural environment. The determination of controls should also take into consideration all relevant national and international legislation and regulations.
3. Life Cycle Considerations
The set of principles, objectives, and business requirements for all the steps of the life cycle of information that an organization has developed to support its operations. In other words, information has a life cycle, from creation to disposal. The value of, and risks to, information can vary throughout this life cycle (e.g. unauthorized disclosure or theft of a company’s financial accounts); therefore, information security remains important to some extent at all stages. New system development projects and changes to existing systems provide opportunities to improve security controls while taking into account the organization’s risks and lessons learned from incidents during the life cycle of information.
What Are Types of Controls in ISO/IEC 27002:2022?
The primary objective of data security controls is to protect and safeguard an organization’s data, thereby reducing the risk of data breach and enforcing policies and best practices. Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. ISO/IEC 27002:2022 provides a generic mixture of organizational, people, physical, and technological information security controls derived from internationally recognized best practices:
- Policies for information security
- Information security roles and responsibilities
- Contact with authorities
- Inventory of information and other associated assets
- Labelling of information
- Access control
- Threat intelligence
- Information transfer
- Access rights
- Monitoring, review, and change management of supplier services
- Information security for use of cloud services
- Collection of evidence
- ICT readiness for business continuity
- Protection of records
- Contact with authorities
- Information backup
- Networks security
- Data masking
- Intellectual property rights
- Web filtering
- Secure Coding
ISO/IEC 27002:2022—Information Security, Cybersecurity And Privacy Protection – Information Security Controls [also adopted by INCITS as American National Standard INCITS/ISO/IEC 27002:2022 (2022)—Information Security, Cybersecurity And Privacy Protection – Information Security Controls] is available on the ANSI Webstore, as well as in a multitude of packages, such as:
- ISO/IEC 27000 Information Technology Security Techniques Collection
- Protected Health Information Security Management Package
- IT Theft Security Techniques Package
- Information Security Package
- Information Technology Compliance Management Package
Accreditation for ISO/IEC 27001 ISMS CBs
In order to demonstrate adherence to ISO/IEC 27001, organizations can achieve certification to the requirements of the international standard. Management systems certification bodies (CBs), like those that certify organizations to ISO/IEC 27001, maintain an elevated level of trust through accreditation by the ANSI National Accreditation Board (ANAB).
Learn about Accreditation for ISO/IEC 27001 Information Security Management Systems Certification Bodies here or search for an ANAB accredited ISO/IEC 27001 Certification Body here.