Changes in The 2022 Revision


Changes in the 2022 revision of ISO 27001 are actually not that big when compared to the 2013 revision. Changes in the main part of the standard are small and the changes in the Annex A controls are moderate. Overall, the changes in the main part of the standard, that is, in clauses 4 to 10, are mainly about aligning ISO 27001 with other management standards like ISO 9001.

If you have already implemented ISO 27001 in your company, the chances are that you’re already compliant with these new 2022 requirements from the main part of the standard, because they’re all common sense. Regarding the changes in Annex A: it has changed its structure, there are 11 new controls, some controls have merged and some controls were renamed. Overall, the number of controls has decreased from 114 to 93, but this is considered a moderate change because most old controls have stayed almost the same.

In clause 4.2 Understanding the needs and expectations of interested parties, a new item c) was added that requires an analysis of which of the interested party requirements must be addressed through the ISMS. This means that not every requirement must be met, only those that the company decides it makes sense to comply with. For example, a company may decide not to comply with the requirement of a client with whom it plans to terminate the agreement in the near future.

In clause 4.4 Information security management system, a phrase was added that requires planning for processes and their interactions as part of the ISMS. So, when managing the ISMS, a company must make sure it has all security processes planned and that outputs from one process fit as inputs into other processes. These requirements are typically covered by writing security procedures. In some other standards, like ISO 9001, it is common to create a process map that shows the interactions between processes; creating such a map for ISO 27001 is not mandatory, however some companies might find it helpful.

In clause 5.3 Organizational roles, responsibilities and authorities, a phrase was added to clarify that communication of roles is done internally, within the organization. This makes it easier now, because in the 2013 revision it was unclear to whom this communication needs to go.

In clause 6.2 Information security objectives and planning to achieve them, a new item d) was added that requires objectives to be monitored, which basically means that they must be regularly checked.

Clause 6.3 Planning of changes is a completely new clause requiring that any change in the ISMS needs to be done in a planned manner. If a company already uses the risk treatment plan for implementing or changing controls, and approves any major change to the ISMS through the management review, then this is enough to comply with this new clause.

In clause 7.4 Communication, item e) was deleted, which required setting up processes for communication. However, if a company has already set up such processes, it can keep them if it finds them useful; if not, such processes can be discontinued.

In clause 8.1 Operational planning and control, new requirements were added for establishing criteria for security processes and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted. One can interpret that the new requirements for setting criteria for security processes and implementing them are a replacement for this requirement that was deleted. In reality, these criteria could be implemented as specifications on how a company expects its security processes to be performed. For example, criteria for the backup process could mean that the backup needs to be performed, let’s say, every 12 hours using some specific technology.

In clause 9.3 Management review, the new item 9.3 c) was added that says the inputs from interested parties need to be about their needs and expectations and relevant to the ISMS. Simply put, since collecting feedback from interested parties was already required in the 2013 revision, this only clarifies which kind of input a company needs to focus on.

In clause 10 Improvement, the subclauses have changed places so that now the first one is Continual improvement (10.1) and the second one is Nonconformity and corrective action (10.2), while the text of those clauses remains the same. Basically, a company only needs to update the references to those subclauses if it has them in its documents. So, these were all the changes in the main part of the standard.

Let’s understand how transition from the 2013 to the 2022 revision of the standard

Annex A of ISO 27001 provides a catalog of 93 security controls grouped into four sections. These four sections are numbered from A.5 to A.8 and they cover the following.

A.5 Organizational controls: this section contains 37 controls that are used to increase the security of organizational processes and activities, including management responsibilities, handling of assets, access rights and so on.

A.6 People controls: this section covers eight controls that aim to increase security related to human resources, including hiring, training and awareness, and similar.

A.7 Physical controls: this section covers 14 controls developed to increase the protection of information against physical risks, including protection of secure areas and protection of equipment.

And finally, A.8 Technological controls: this section covers 34 controls designed to increase the security of IT and communication systems, focusing on operational systems, software development and code management. Each of these four sections presents specific controls with a short description of what each control must achieve.

For example, section A.8 has a control named A.8.13 Information backup, where the standard requires a backup of your data, software and systems to be performed regularly, but also that the backups need to be tested to make sure they work properly. As mentioned earlier, none of these 93 controls are mandatory: a company must choose which controls it finds applicable based on the results of risk treatment and taking into account the requirements of interested parties. As you will see in further lessons, most of these controls are common sense, so in a majority of cases companies choose more than 90% of controls as applicable.

It might sound strange, but ISO 27001 does not specify the details of each control. For example, it does not specify which technology to use for the backup, nor does it specify how often to perform the backup. This is because the standard is written in a way that enables it to be implemented in any type or size of company; for example, the backup in a large international bank may look very different from a small retail shop. What ISO 27001 does specify is that you have to perform your risk assessment thoroughly, and not only select controls based on the results of the risk assessment, but also decide how to implement those controls based on the risks you have. Back to the backup example: the higher the risks, the more sophisticated technology you will use for the backup, and you will perform it a bit more frequently.

Typically, you can implement controls from Annex A in several ways: by writing policies and procedures, training people, deploying some physical safeguards like reinforced doors, or applying some technical means like installing antivirus software. More details about the Annex A controls are given in ISO 27002. This standard has exactly the same controls as ISO 27001, but with a more detailed explanation of potential ways to implement controls. It is important to remember that ISO 27002 is not a mandatory standard; therefore, you do not need to implement controls described there, but it can give you useful guidance on what to do. Further, ISO 27002 says nothing about managing your ISMS, so a company cannot get certified against ISO 27002. In other words, ISO 27001 is the main standard you should focus on, and you can use ISO 27002 only if you need some extra help.

The best thing about Annex A in ISO 27001 is that it gives you a very good overview of which controls you can apply, so that you don’t forget some controls that would be important. Also, the standard gives you the flexibility to choose only the controls that you find applicable to your business and to implement them in a way that is appropriate for your risks, so that you don’t have to waste resources on something that is not relevant to you. A more detailed review of the sections and controls will be presented in the following lectures.

People controls
Annex A.6 People controls: this section covers controls that are important prior to the employment of new employees, such as screening and defining terms of employment; then controls that should be taken into account during the employment, such as security awareness and training and the disciplinary process; and controls regarding the termination and change of employment. The purpose of this section is to introduce the security controls for the people that work for the organization. These controls are really important because statistics show that people working on behalf of companies represent one of the biggest threats to the security of information, and most commonly the harm they cause is accidental, not malicious. Here are some of the ways to implement these security controls:

sign employment agreements with employees that include information security clauses;

sign confidentiality or non-disclosure agreements with external parties, but also with employees if they do not have agreements with security clauses;

regularly train people on how to perform security activities and make them aware of why security is needed in the first place;

introduce rules on how to work remotely in a secure way, for example how to protect the laptop when working at home, who is allowed to access the hardware, etc.;

introduce a disciplinary process for all employees that have committed information security breaches, in order to establish if the breach was intentional or not.

Physical controls
Section A.7 Physical controls covers two aspects: securing the physical areas and securing the equipment. The purpose of securing the physical areas is to prevent unauthorized physical access and damage to the information assets. Here are some of the ways to implement these controls:

securing your offices and facilities by not allowing public access and allowing only designated employees to access highly sensitive areas like, for example, a data center;

protecting people, offices and equipment from external and environmental threats such as fire, floods, malicious attacks and similar;

physical entry controls, such as doors locked with keys or smart cards and a reception desk for visitors;

monitoring who is entering secure areas by using swipe cards or CCTV cameras; by the way, this is covered in control A.7.4 Physical security monitoring, and this is the only new physical security control in the 2022 revision of ISO 27001; all the other controls are the same as in the old 2013 revision.

When it comes to securing the equipment, the purpose is to prevent loss, damage or compromise of the physical assets. Here are a couple of ways to implement these controls:

appropriate placement of the equipment, for example placing computers away from sources of water to avoid possible damage;

protection of the equipment from power failure, for example using an uninterruptible power supply or generators;

protection of the cables from damage or interception, for example placing the cables in closed cable channels, not having them spread around the office floors;

regular maintenance of the equipment to prevent malfunction;

defining strict rules for protecting the equipment when taken off premises, for example when working remotely;

defining a policy for clear desk and clear screen, which could include that the user must be logged out when not at the computer and that no sensitive paper documents are allowed to be on the desk when the employee is not present;

procedures for protecting removable media and the disposal of such media;

defining strict rules for working in secure areas to avoid damaging the equipment.

This section is really important because when talking about information security, companies tend to put too much emphasis on IT security, neglecting other aspects such as physical security. For example, leaving a computer with a strong password, but leaving it unattended and unlocked in a room where some external parties have access, is probably riskier than having a computer with a weak password in a locked room.

Quiz
The purpose of the A.6 People controls section of Annex A is:
1. To punish people who don’t follow the rules – Incorrect! The disciplinary process is just one of the possible controls from this section; it is not the purpose.
2. To help the company to employ high-quality people – Incorrect! Only some of the controls refer to activities done prior to employment.
3. To ensure that people working under the company understand and fulfill their information security responsibilities – Correct!
4. To prevent information disclosure by employees – Incorrect! Only some of the controls refer to activities to prevent information disclosure.

Technological controls – overview and new controls


QUIZ
The technological controls from ISO 27001 Annex A are focused on the direct protection of data and information systems used.
1. True – Correct!
2. False – Incorrect! Controls A.8.10 (Information deletion) and A.8.11 (Data masking) define measures for data protection, while controls A.8.12 (Data leakage prevention), A.8.16 (Monitoring activities), and A.8.23 (Web filtering) define measures for protection of information systems.

Technological controls – software development


Software development controls from Annex A cover various security aspects including architecture, life cycle, testing, coding principles and so on. These controls are important because they have a direct impact on the confidentiality, integrity and availability of the data processed by the software that is being developed.

Here are some of the ways to implement these controls, not only for internal software development but also if the software development is outsourced:

write the security development policy that will describe rules and responsibilities for the software development and the whole software development life cycle;

specify information security requirements before the software is developed, in order to integrate security into the development process;

define secure architecture and engineering principles, for example guidance on secure programming methods, user authentication techniques, secure session control and data validation; cover all the architectural layers, for example business, data, applications and technology;

separate development, testing and operational environments; this means the development and testing of new software should be done separately from the operational environment, to avoid problems and to decrease the risks of information being compromised due to software design flaws;

select the testing data carefully: avoid using real data containing personal or other confidential information;

test if the security of the newly developed software fulfills all the information security requirements that were previously defined, and have a formal acceptance process for the software; for example, you might check if the encryption is working as expected and then confirm this fact in a written way;

restrict and control access to program source code, for example only the development team will have access to the source code;

establish procedures for controlling the changes in the systems and software, for example by defining a strict approval process and limiting the changes to those that are necessary.

QUIZ
To ensure that information security is integrated into the new information systems, companies should conduct
the following activities:
1. Test the security features of the new systems – Correct!
2. Document a Change Management Policy – Incorrect! The standard doesn’t specifically require
documenting this policy.
3. Make updates on information systems as soon as vulnerabilities are identified –
Incorrect! Modifications should be limited to those deemed necessary after a due risk analysis.
4. Identifying information security requirements for application services transactions is the job of the
company that produces the information system, not the company that buys it – Incorrect! The
information security requirements of different companies are different; that is why the company that buys a
new system needs to identify the unique set of information security features required for that particular
company.

Technological controls – operational security


This group of controls describes how to implement security in day-to-day IT activities. These controls are important because if security is not part of regular IT operations, then it will be very difficult to eliminate security vulnerabilities. Here are some of the ways to implement these controls:

define which technologies need to be used to protect data on laptops, smartphones and other endpoint devices, for example restrict software installation, introduce encryption, anti-malware protection and so on;

define how to restrict access for privileged users to IT systems, for example for system administrators;

define how to limit access for regular users according to the access control policy, for example by allowing only system admins to open the access for these users;

define how to limit the use of privileged utility programs; for example, these are pieces of software used by administrators or software developers that can access a database directly without going through a regular user interface;

define how to implement authentication technologies, for example how to introduce two-factor authentication on top of an existing password system;

define how to manage the capacity of IT systems by regularly monitoring the use of IT resources and making forecasts for future requirements;

define how to protect against malware, for example installation of anti-malware software, prohibiting the use of unauthorized software and blacklisting of websites;

define how to back up your data by deciding on the backup frequency, the technology to use and how to test if the backups are performed properly;

define where and how to use encryption: define which of your IT systems need cryptography, the level of protection and how to handle the cryptographic keys;

define how software can be installed on operating systems: which software is allowed, who is allowed to do this installation, how the software needs to be tested and so on;

define how to protect networks by logging and monitoring the activities in the network, by restricting connections to the network, authenticating systems connected to the network and so on;

define security of network services by defining and documenting relevant security parameters, such as the implementation of firewall and intrusion detection systems and monitoring of the performance of network providers; this can be documented by signing service level agreements with providers;

define how to segregate the networks by dividing the networks into smaller separate networks that are easier to manage and protect;

synchronize clocks in IT systems by using a single time source;

prepare redundancies in your IT systems by identifying the elements of the information systems that may be disrupted and then preparing redundant information systems, such as additional servers to be used in emergency situations; this is often called IT disaster recovery;

manage technical vulnerabilities by monitoring assets for technical vulnerabilities using automated tools and performing penetration testing, and by taking appropriate action to deal with a particular vulnerability based on its criticality and level of risk;

define security during audit testing, for example how to ensure the systems and data will not be affected by penetration testing;

log user activities, system faults and other events; by regularly reviewing them, various vulnerabilities might be noticed and incidents prevented.

QUIZ
Technological controls from ISO 27001 Annex A are those controls that are essential for ensuring secure
operations of the IT infrastructure of the company.
1. True – Correct!
2. False – Incorrect! Technological controls from ISO 27001 Annex A are operational security controls crucial for ensuring secure IT operations, such as protection against malware, backup, logging, control of operational software, network, etc.

Organizational controls – policies and responsibilities

Annex A.5 covers organizational controls. These controls define security roles and responsibilities, very often through policies and procedures. Organizational controls are important because without them you would have a lot of technology without an idea of who needs to do what or who is responsible for what; the resulting chaos would, of course, significantly decrease the level of security. Since this section has lots of controls, 37 of them, first I’m going to cover general organizational controls, and in further lessons I’ll cover organizational controls related to the handling of assets, supplier security, handling incidents, compliance and so on.

Annex A requires the development of detailed and topic-specific policies. In practice, this could be an access control policy, backup policy, classification policy, teleworking policy, encryption policy, clear desk and clear screen policy and so on. You can keep these documents separate, or you can try to merge them into a smaller number of documents. Typically, smaller companies will have fewer, simpler documents, whereas larger organizations will have a larger number of more complex documents. Of course, information security documents must be regularly reviewed, especially after changes in a company.

You can implement other organizational controls in the following way:

the best way to define roles and responsibilities for all levels of employees in a company is through policies and procedures; some companies develop an extra responsibility matrix for that purpose;

segregate the duties by separating activities that could be in a conflict of interest, for example the person writing the code should be different from the person reviewing the code for security vulnerabilities;

maintain contact with relevant authorities; these could be government agencies, for instance the data protection agency, in case you need to report a personal data breach or if you suspect that the law might be broken;

maintain contact with special interest groups, such as membership in groups or forums that can improve your security knowledge, inform you about information security trends and best practices, groups that can give you access to information security advice and so on;

implement information security in project management, regardless of the type of project you’re running, by conducting an information security risk assessment for the project and basically making sure that information security is part of every phase of your project.

Quiz
Information security should be addressed in every project, regardless of its type.
1. True – Correct!
2. False – Incorrect! Information security should be part of every phase of each project, internal and external.

Organizational controls – information and asset management


ISO 27001 requires setting the rules for identifying assets, which include hardware and software but also documents and other information. These controls are important because without them you wouldn’t know which assets you have, how to use them securely, nor how to protect them. These controls could be implemented in the following way:

creating an inventory of assets; this can be done easily if you use the asset-based risk assessment, because you will already have a list of all assets; you should also define the owner of each asset, in other words the person who is responsible for handling and maintenance of each of those assets;

defining how the assets, and especially the documents, are classified and labeled; you can use levels like internal, confidential and top secret for labeling and for classification;

defining the acceptable use of assets; the company must define rules for how assets should be used, taking into account risks and classification levels, and write the policy for that purpose; these rules can vary from technical, for example how to perform the backup, all the way to organizational, for example how to request to use an asset outside of the company’s premises;

defining the process for returning assets; the standard requires all the assets owned by the company to be returned when the employment contract is terminated.

According to ISO 27001, Annex A, information and assets should be managed by:
1. Defining a classification framework considering the levels Public, Internal, Confidential, and Top
Secret – Incorrect! The standard doesn’t prescribe specific levels of classification.
2. Defining expected behavior on the use of assets – Correct!
3. Implementing an asset management software – Incorrect! The standard doesn’t prescribe asset
management to be performed by a software tool.
4. By ensuring the former employee signs the Return of Asset form when leaving the organization –
Incorrect! The standard doesn’t prescribe a specific form to be signed.

Organizational controls – operational security


These controls are important because very often security is breached if regular tasks are performed in a way that is not prescribed, which causes several people to perform them in a different way, and some of those ways lead to a security breach. Here are some ways to implement those controls:

write an access control policy that will define the rules on who approves the access for employees and for third parties;

define how the access is provisioned on a technical level: who is responsible for opening accounts, how to adjust user rights when a person changes their role in the company, and how the access is removed;

define how the users will be identified, for example with a unique username for logging into an application or a biometric reader when entering a secure area;

define how the users will log in securely to their account, for example with passwords and two-factor authentication;

define rules on how information can be transferred to other organizations, for example define how to protect personal data if it is transferred to a processor, how to protect communication via email and so on;

sign agreements with third parties with whom the information is exchanged; this is covered in more detail in the lesson that speaks about supplier security.

Annex A requires you to document operating procedures for your IT systems. As mentioned earlier, you can decide how many of these documents to write and how detailed they are, but the fact is that they must be written down because of the following: you want to make sure everyone has understood the rules in the same way; if the rules are presented only verbally, there is always a risk that someone will understand them in the wrong way or that someone will forget about them. You integrate security in the handling of IT systems; this is important because very often security comes as an afterthought instead of being a regular part of everyday activities.

According to ISO 27001, Annex A, operational security should be managed by:


1. Defining rules that will forbid access by third parties – Incorrect! Third-parties may also have access to
the organization’s information, and such access also needs to be managed.
2. Defining how information can be transferred between organizations – Correct!
3. Documenting procedures focusing only on employees from the IT department –
Incorrect! Documented procedures need to be understood the same way by users of all levels.
4. Having security documents not related to regular IT processes – Incorrect! Information security needs
to be embedded in regular IT processes and performed on a regular basis.

Organizational controls – supplier security


Another type of organizational controls are those related to supplier security. They describe requirements for setting up security when dealing with suppliers, as well as for monitoring the supplier services. Supplier relationship controls are important because these days more and more data are being processed and stored with third parties, and the protection of such data is becoming an increasingly significant security issue.

As mentioned earlier in this course, companies to which you outsource part of your operations should also be considered suppliers. When working with suppliers and partners, you can set up a policy that includes the following: methods for assessing the risks related to suppliers (these risks drive all other items; for example, what is the risk of loss of data, or the risk of unauthorized access?); defining what kind of access your suppliers can have to your IT systems, and ways to monitor their access; defining security requirements for suppliers when they handle or process your data; and the minimum information security requirements that should be included in the supplier contract.

You can implement other controls related to supplier security in the following way: document the security requirements in agreements with suppliers (for example, who is authorized to access which data); address the risks specifically related to IT services by specifying in the agreement which IT safeguards to use; and monitor and review the supplier services to ensure that they comply with the security requirements in the agreements you signed with them.

One way to monitor supplier services is to request that the supplier give you regular service reports. You can review these reports and check whether the level of their service is as set in the agreement. For example, if your agreement with your Internet provider states that you will have 99.98% availability of Internet throughout the month, you can check from their monthly service report whether availability was really above that level for that particular month.
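As an added example (not part of this course material), the following Python check computes monthly availability from a supplier's service report and compares it with the 99.98% level from the example agreement above; the report format and the outage windows are constructed for illustration. It also shows how few minutes of downtime that level actually allows in a month, and handles an outage that spans a month boundary.

```python
from datetime import datetime, timedelta
import calendar

AGREED_AVAILABILITY = 99.98  # percent, the level in the example agreement on this page

# Constructed supplier service report (not real data): "start,end,description" per line.
SERVICE_REPORT = """\
2024-03-04T02:10:00,2024-03-04T02:14:00,core router reboot
2024-03-31T23:55:00,2024-04-01T00:07:00,fibre cut spanning the month boundary
"""

def parse_report(text):
    """Return a list of (start, end, description) tuples from the report text."""
    outages = []
    for line in text.strip().splitlines():
        start, end, desc = line.split(",", 2)
        outages.append((datetime.fromisoformat(start), datetime.fromisoformat(end), desc))
    return outages

def downtime_minutes_per_month(outages):
    """Attribute outage minutes to calendar months, splitting outages that span a boundary."""
    minutes = {}
    for start, end, _ in outages:
        cursor = start
        while cursor < end:
            # First instant of the month after the one containing `cursor`.
            next_month = (cursor.replace(day=1) + timedelta(days=32)).replace(
                day=1, hour=0, minute=0, second=0, microsecond=0)
            segment_end = min(end, next_month)
            key = (cursor.year, cursor.month)
            minutes[key] = minutes.get(key, 0.0) + (segment_end - cursor).total_seconds() / 60
            cursor = segment_end
    return minutes

def monthly_availability(outages):
    """Return {(year, month): availability percent} for each month that had an outage."""
    result = {}
    for (year, month), down in downtime_minutes_per_month(outages).items():
        total = calendar.monthrange(year, month)[1] * 24 * 60
        result[(year, month)] = 100.0 * (total - down) / total
    return result

def sla_breaches(outages, agreed=AGREED_AVAILABILITY):
    """Months whose measured availability fell below the agreed level."""
    return sorted(k for k, v in monthly_availability(outages).items() if v < agreed)

def downtime_budget_minutes(year, month, agreed=AGREED_AVAILABILITY):
    """Minutes of downtime the agreed level allows in a month (about 8.9 for a 31-day month)."""
    return calendar.monthrange(year, month)[1] * 24 * 60 * (100.0 - agreed) / 100.0
```

For a 31-day month, 99.98% leaves under nine minutes of downtime, so the two March outages (nine minutes in total) already breach the agreement, while the seven minutes that fall in April do not.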
There is also a new control in the 2022 revision of the standard which did not exist in the old 2013 revision: A.5.23, Information security for use of cloud services. We can consider this control to be a supplier control because it requires that a process be set up for acquiring and managing cloud services provided by third parties.
Security requirements can be agreed upon verbally with suppliers.

1. True – Incorrect! Supplier agreements should be documented to make sure there is no misunderstanding
between the company and the supplier regarding their information security obligations.
2. False – Correct!

Organizational controls – incidents and business continuity
The next group of controls in Annex A explains how to deal with threats, events, incidents and larger disruptions. These controls are important because if you are not prepared for incidents, chances are they will happen more often, you will recover from them with more difficulty, and they will cost you much more. In other words, preparing for incidents reduces the chances that they will happen and their impact if they do happen.

Before going into details about the controls, let’s explain some basic terms. A weakness is considered to be a flaw or a weak point in a company’s information systems and services; for example, inadequate controls for stopping hacker attacks. A threat is an activity or other event that could endanger the confidentiality, integrity or availability of your information; for example, someone planning a hacker attack. An event is an identified occurrence in an information system, service or network indicating a possible breach of information security; for example, an unsuccessful hacker attack. An incident is a single or a series of unwanted or unexpected events that can compromise the confidentiality, integrity or availability of the information; for example, a successful hacker attack that has brought down some of your systems. A disruption is a major incident that stops the operations of a company, causing large damage; for example, a successful hacker attack that has brought down your main IT systems for several days and has locked your crucial data.

The basic idea of managing information security weaknesses and events is to prevent incidents from happening in the first place. For example, if a company is aware of a new type of hacker attack and knows that it has inadequate controls for stopping such an attack, then it can implement additional controls to decrease the possibility of a successful attack. This is why the 2022 revision has introduced a new control, A.5.7 Threat intelligence, that requires collecting all relevant data and proactively addressing threats.

Here are some of the ways to manage incidents: define the processes and responsibilities (for example, who needs to report an incident to whom, how incidents are prioritized and escalated, and what kind of response plans will be used); define the criteria for categorizing events (for example, define that only events that create damage greater than, let’s say, 100 US dollars will be classified as incidents); define the plans on how to respond to incidents (for example, a response plan for an earthquake will be very different from the response plan for a hacker attack); define how the incidents are logged and how to collect evidence, both for internal purposes and for potential legal proceedings after an incident; and define how to learn from incidents (for example, conclude which kind of changes in the organization or technology could improve the response to the next similar incident).

To implement business continuity, you should plan how to continue your information security activities if a disruption happens. This can be done by identifying which activities need to be continued, planning how to respond to disruptions by writing disaster recovery or other detailed plans where you specify all the needed steps, and performing exercises and testing in order to improve those plans.

The 2022 revision of the standard has introduced another new control called A.5.30 ICT readiness for business continuity. The purpose of this control is to introduce various solutions and resources that will enable a successful recovery; for example, preparing secondary locations, replacements for the most important people, alternative service providers, and similar.

Management of information security incidents includes learning from the incidents.
1. True – Correct!
2. False – Incorrect! Knowledge gained from analyzing and resolving incidents should be used for learning
from the incidents and reducing the chance of them reoccurring.
