Changes in the 2022 Revision
Compared to the 2013 revision, the changes in the main part of the standard are small and the changes in the Annex A controls are moderate. Overall, the changes in the main part of the standard, that is in clauses 4 to 10, are mainly about aligning ISO 27001 with other management standards like ISO 9001. If you have already implemented ISO 27001 in your company, the chances are that you are already compliant with these new 2022 requirements from the main part of the standard, because they are all common sense. Regarding the changes in Annex A, it has changed its structure: there are 11 new controls, some controls have merged, and some controls were renamed. Overall, the number of controls has decreased from 114 to 93, but this is considered a moderate change because most old controls have stayed almost the same.
In clause 4.2 Understanding the needs and expectations of interested parties, a new item (c) was added that requires an analysis of which of the interested party requirements must be addressed through the ISMS. This means that not every requirement must be met, only those that the company decides make sense to comply with. For example, a company may decide not to comply with the requirement of a client with whom it plans to terminate the agreement in the near future.
In clause 4.4 Information security management system, a phrase was added that requires planning for processes and their interactions as part of the ISMS. So when managing the ISMS, a company must make sure it has all security processes planned and that the outputs from one process fit as inputs into other processes. These requirements are typically covered by writing security procedures. In some other standards like ISO 9001, it is common to create a process map that shows the interactions between processes; creating such a map for ISO 27001 is not mandatory, however some companies might find it helpful.
In clause 5.3 Organizational roles, responsibilities and authorities, a phrase was added to clarify that communication of roles is done internally, within the organization. This makes it easier now, because in the 2013 revision it was unclear to whom this communication needs to go.
In clause 6.2 Information security objectives and planning to achieve them, a new item (d) was added that requires objectives to be monitored, which basically means that they must be regularly checked.
Clause 6.3 Planning of changes is a completely new clause requiring that any change in the ISMS needs to be done in a planned manner. If a company already uses the risk treatment plan for implementing or changing controls, and approves any major change to the ISMS through the management review, then this is enough to comply with this new clause.
In clause 7.4 Communication, item (e) was deleted, which required setting up processes for communication. However, if a company has already set up such processes, it can keep them if it finds them useful; if not, such processes can be discontinued.
In clause 8.1 Operational planning and control, new requirements were added for establishing criteria for security processes and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted. One can interpret that the new requirements for setting criteria for security processes and implementing them are a replacement for the requirement that was deleted. In reality, these criteria could be implemented as specifications of how a company expects its security processes to be performed. For example, criteria for the backup process could mean that the backup needs to be performed, let's say, every 12 hours using some specific technology.
In clause 9.3 Management review, the new item 9.3 (c) was added, which says that the inputs from interested parties need to be about their needs and expectations and relevant to the ISMS. Simply put, since collecting feedback from interested parties was already required in the 2013 revision, this only clarifies which kind of input a company needs to focus on.
In clause 10 Improvement, the subclauses have changed places, so that now the first one is Continual improvement (10.1) and the second one is Nonconformity and corrective action (10.2), while the text of those clauses remains the same. Basically, a company only needs to update the references to those subclauses if it has them in its documents. So these were all the changes in the main part of the standard.
Let's understand how to transition from the 2013 to the 2022 revision of the standard
Annex A of ISO 27001 provides a catalog of 93 security controls grouped into four sections. These four sections are numbered from A.5 to A.8 and they cover the following:
A.5 Organizational controls: this section contains 37 controls that are used to increase the security of organizational processes and activities, including management responsibilities, handling of assets, access rights and so on.
A.6 People controls: this section covers 8 controls that aim to increase security related to human resources, including hiring, training and awareness, and similar.
A.7 Physical controls: this section covers 14 controls developed to increase the protection of information against physical risks, including protection of secure areas and protection of equipment.
A.8 Technological controls: this section covers 34 controls designed to increase the security of IT and communication systems, focusing on operational systems, software development and code management.
Each of these four sections presents specific controls with a short description of what each control must achieve.
For example, section A.8 has a control named A.8.13 Information backup, where the standard requires backups of your data, software and systems to be performed regularly, but also that the backups need to be tested to make sure they work properly. As mentioned earlier, none of these 93 controls are mandatory; a company must choose which controls it finds applicable based on the results of risk treatment and taking into account the requirements of interested parties. As you will see in further lessons, most of these controls are common sense, so in a majority of cases companies choose more than 90% of the controls as applicable. It might sound strange, but ISO 27001 does not specify the details of each control. For example, it does not specify which technology to use for the backup, nor does it specify how often to perform the backup. This is because the standard is written in a way that enables it to be implemented in any type or size of company; for example, the backup in a large international bank may look very different from the backup in a small retail shop. What ISO 27001 does specify is that you have to perform your risk assessment thoroughly, and not only select controls based on the results of the risk assessment, but also decide how to implement those controls based on the risks you have. Back to the backup example: the higher the risks, the more sophisticated the technology you will use for the backup, and the more frequently you will perform it.
Typically, you can implement controls from Annex A in several ways: by writing policies and procedures, training people, deploying some physical safeguards like reinforced doors, or applying some technical means like installing antivirus software. More details about the Annex A controls are given in ISO 27002. This standard has exactly the same controls as ISO 27001, but with a more detailed explanation of potential ways to implement the controls. It is important to remember that ISO 27002 is not a mandatory standard; therefore you do not need to implement the controls as described there, but it can give you useful guidance on what to do. Further, ISO 27002 says nothing about managing your ISMS, so a company cannot get certified against ISO 27002. In other words, ISO 27001 is the main standard you should focus on, and you can use ISO 27002 only if you need some extra help.
Annex A of ISO 27001 gives you a very good overview of which controls you can apply, so that you don't forget some controls that would be important. Also, the standard gives you the flexibility to choose only the controls that you find applicable to your business and to implement them in a way that is appropriate for your risks, so that you don't have to waste resources on something that is not relevant to you. A more detailed review of the sections and controls will be presented in the following lectures.
People controls
Annex A.6 People controls: this section covers controls that are important prior to the employment of new employees, such as screening and defining terms of employment; then controls that should be taken into account during the employment, such as security awareness and training and the disciplinary process; and controls regarding the termination and change of employment. The purpose of this section is to introduce the security controls for the people that work for the organization. These controls are really important because statistics show that people working on behalf of companies represent one of the biggest threats to the security of information, and most commonly the harm they cause is accidental, not malicious. Here are some of the ways to implement these security controls:
- sign employment agreements with employees that include information security clauses
- sign confidentiality or non-disclosure agreements with external parties, but also with those employees who do not have agreements with security clauses
- regularly train people on how to perform security activities and make them aware of why security is needed in the first place
- introduce rules on how to work remotely in a secure way, for example how to protect the laptop when working at home, who is allowed to access the hardware, etc.
- introduce a disciplinary process for all employees that have committed information security breaches, in order to establish whether the breach was intentional or not
Physical controls
Section A.7 Physical controls covers two aspects: securing the physical areas and securing the equipment. The purpose of securing the physical areas is to prevent unauthorized physical access and damage to information assets. Here are some of the ways to implement these controls:
- securing your offices and facilities by not allowing public access, and allowing only designated employees to access highly sensitive areas, like for example a data center
- protecting people, offices and equipment from external and environmental threats such as fire, floods, malicious attacks and similar
- physical entry controls such as doors locked with keys or smart cards, and a reception desk for visitors
- monitoring who is entering secure areas by using swipe cards or CCTV cameras; by the way, this is covered in control A.7.4 Physical security monitoring, which is the only new physical security control in the 2022 revision of ISO 27001, all the other controls being the same as in the old 2013 revision
When it comes to securing the equipment, the purpose is to prevent loss, damage or compromise of physical assets. Here are a couple of ways to implement these controls:
- appropriate placement of the equipment, for example placing computers away from sources of water to avoid possible damage
- protection of the equipment from power failure, for example using an uninterruptible power supply or generators
- protection of the cables from damage or interception, for example placing the cables in closed cable channels rather than having them spread around the office floors
- regular maintenance of the equipment to prevent malfunction
- defining strict rules for protecting the equipment when taken off premises, for example when working remotely
- defining a clear desk and clear screen policy, which could include that the user must be logged out when not at the computer and that no sensitive paper documents are allowed to be on a desk when the employee is not present
- procedures for protecting removable media and for the disposal of such media
- defining strict rules for working in secured areas to avoid damaging the equipment
This section is really important because, when talking about information security, companies tend to put too much emphasis on IT security, neglecting other aspects such as physical security. For example, leaving a computer with a strong password unattended and unlocked in a room where some external parties have access is probably riskier than having a computer with a weak password in a locked room.
Quiz
The purpose of the A.6 People controls section of Annex A is:
QUIZ
The technological controls from ISO 27001 Annex A are focused on the direct protection of data and information systems used.
True
False
Explanation
The technological controls from ISO 27001 Annex A are focused on the direct protection of data and information systems used.
1. True – Correct!
2. False – Incorrect! Controls A.8.10 (Information deletion) and A.8.11 (Data masking) define measures for data protection, while controls A.8.12 (Data leakage prevention), A.8.16 (Monitoring activities), and A.8.23 (Web filtering) define measures for protection of information systems.
Here are some of the ways to implement these controls, not only for internal software development but also if the software development is outsourced:
- write the secure development policy that will describe the rules and the responsibilities for the software development and the whole software development life cycle
- specify information security requirements before the software is developed, in order to integrate security into the development process
- secure architecture and engineering principles, for example guidance on secure programming methods, user authentication techniques, secure session control and data validation, covering all the architectural layers, for example business, data, applications and technology
- separate development, testing and operational environments; this means the development and testing of new software should be done separately from the operational environment, to avoid problems and to decrease the risk of information being compromised due to software design flaws
- select the testing data carefully, avoiding the use of real data containing personal or other confidential information
- test whether the security of the newly developed software fulfills all the information security requirements that were previously defined, and have a formal acceptance process for the software; for example, you might check if the encryption is working as expected and then confirm this fact in writing
- restrict and control access to program source code, for example only the development team will have access to the source code
- establish procedures for controlling the changes in the systems and software, for example by defining a strict approval process and limiting the changes to those that are necessary
QUIZ
To ensure that information security is integrated into the new information systems, companies should conduct the following activities:
1. Test the security features of the new systems – Correct!
2. Document a Change Management Policy – Incorrect! The standard doesn't specifically require documenting this policy.
3. Make updates on information systems as soon as vulnerabilities are identified – Incorrect! Modifications should be limited to those deemed necessary after a due risk analysis.
4. Identifying information security requirements for application services transactions is the job of the company that produces the information system, not the company that buys it – Incorrect! The information security requirements of different companies are different; that is why the company that buys a new system needs to identify the unique set of information security features required for that particular company.
For example, restrict software installation, introduce encryption, anti-malware protection and so on.
- define how to restrict access to IT systems for privileged users, for example system administrators
- define how to limit access for regular users according to the access control policy, for example by allowing only system administrators to open the access for these users
- define how to limit the use of privileged utility programs; these are, for example, pieces of software used by administrators or software developers that can access a database directly without going through a regular user interface
- define how to implement authentication technologies, for example how to introduce two-factor authentication on top of an existing password system
- define how to manage the capacity of IT systems by regularly monitoring the use of IT resources and making forecasts for future requirements
- define how to protect against malware, for example installation of anti-malware software, prohibiting the use of unauthorized software and blacklisting of websites
- define how to back up your data by deciding on the backup frequency, the technology to use and how to test whether the backups are performed properly
- define where and how to use encryption: which of your IT systems need cryptography, the level of protection and how to handle the cryptographic keys
- define how software can be installed on operating systems: which software is allowed, who is allowed to do the installation, how the software needs to be tested and so on
- define how to protect networks by logging and monitoring the activities in the network, restricting connections to the network, authenticating systems connected to the network and so on
- define the security of network services by defining and documenting relevant security parameters, such as the implementation of firewall and intrusion detection systems and the monitoring of the performance of network providers; this can be documented by signing service level agreements with providers
- define how to segregate the networks by dividing them into smaller, separate networks that are easier to manage and protect
- synchronize clocks in IT systems by using a single time source
- prepare redundancies in your IT systems by identifying the elements of the information systems that may be disrupted and then preparing redundant information systems, such as additional servers to be used in emergency situations; this is often called IT disaster recovery
- manage technical vulnerabilities by monitoring assets for technical vulnerabilities using automated tools and by performing penetration testing, and by taking appropriate action to deal with a particular vulnerability based on its criticality and level of risk
- define security during audit testing, for example how to ensure that systems and data will not be affected by penetration testing
- log user activities, system faults and other events; by regularly reviewing them, various vulnerabilities might be noticed and incidents prevented
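As an added example (not part of the course material), here is a Python check of backup evidence against criteria of the kind clause 8.1 asks a company to set, combined with the testing requirement of A.8.13 and the backup item above: it assumes the 12-hour frequency from the earlier backup example, an assumed weekly restore-test criterion, and a constructed backup log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class BackupRun:
    started: datetime        # when the backup job started
    payload: bytes           # constructed stand-in for the archive contents
    recorded_sha256: str     # checksum written to the backup log when the job ran
    restore_tested: bool     # a restore test was performed on this backup and passed


@dataclass(frozen=True)
class Criteria:
    """Assumed criteria for the backup process, as clause 8.1 expects them to be set."""
    max_interval: timedelta = timedelta(hours=12)        # the course's example: every 12 hours
    restore_test_max_age: timedelta = timedelta(days=7)  # assumption: a passed restore test at least weekly


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backups(runs: list[BackupRun], criteria: Criteria = Criteria()) -> list[str]:
    """Return a list of findings; an empty list means the evidence meets the criteria."""
    findings: list[str] = []
    if not runs:
        return ["no backup runs recorded"]
    runs = sorted(runs, key=lambda r: r.started)

    # Frequency criterion: no gap between consecutive runs may exceed max_interval.
    for prev, cur in zip(runs, runs[1:]):
        gap = cur.started - prev.started
        if gap > criteria.max_interval:
            findings.append(f"gap of {gap} before the run at {cur.started:%Y-%m-%d %H:%M} "
                            f"exceeds {criteria.max_interval}")

    # Integrity: each archive must still match the checksum recorded when it was taken.
    for run in runs:
        if sha256_hex(run.payload) != run.recorded_sha256:
            findings.append(f"archive from {run.started:%Y-%m-%d %H:%M} does not match its recorded checksum")

    # Testing criterion (A.8.13): a passed restore test must exist within restore_test_max_age of the latest run.
    latest = runs[-1].started
    tested = [r.started for r in runs if r.restore_tested]
    if not tested or latest - max(tested) > criteria.restore_test_max_age:
        findings.append(f"no passed restore test within {criteria.restore_test_max_age} of the latest run")
    return findings


def sample_runs(include_gap: bool = True, include_tampered: bool = True) -> list[BackupRun]:
    """Constructed backup log: optionally an 18-hour gap and an archive altered after its checksum was recorded."""
    t0 = datetime(2024, 3, 1, 6, 0)
    good = b"db-dump-v1"
    hours = [0, 12, 24, 42, 54] if include_gap else [0, 12, 24, 36, 48]   # 24 -> 42 is the 18-hour gap
    runs = [BackupRun(t0 + timedelta(hours=h), good, sha256_hex(good), restore_tested=(i == 0))
            for i, h in enumerate(hours)]
    if include_tampered:
        # The stored checksum was computed on the original bytes, so the altered archive no longer matches.
        runs.append(BackupRun(t0 + timedelta(hours=hours[-1] + 12), b"db-dump-corrupt",
                              sha256_hex(good), restore_tested=False))
    return runs


if __name__ == "__main__":
    for finding in check_backups(sample_runs()):
        print("FINDING:", finding)
```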
QUIZ
Technological controls from ISO 27001 Annex A are those controls that are essential for ensuring secure operations of the IT infrastructure of the company.
1. True – Correct!
2. False – Incorrect! Technological controls from ISO 27001 Annex A are operational security controls crucial for ensuring secure IT operations, such as protection against malware, backup, logging, control of operational software, network, etc.
Annex A.5 covers organizational controls. These controls define security roles and responsibilities, very often through policies and procedures. Organizational controls are important because without them you would have a lot of technology without any idea of who needs to do what or who is responsible for what; the resulting chaos would of course significantly decrease the level of security. Since this section has lots of controls, 37 of them, first I'm going to cover general organizational controls, and in further lessons I'll cover organizational controls related to the handling of assets, supplier security, handling incidents, compliance and so on.
Annex A requires the development of detailed and topic-specific policies; in practice this could be an access control policy, backup policy, classification policy, teleworking policy, encryption policy, clear desk and clear screen policy and so on. You can keep these documents separate or you can try to merge them into a smaller number of documents. Typically, smaller companies will have a smaller number of simpler documents, whereas larger organizations will have a larger number of more complex documents. Of course, information security documents must be regularly reviewed, especially after changes in a company.
You can implement the other organizational controls in the following way:
- the best way to define roles and responsibilities for all levels of employees in a company is through policies and procedures; some companies develop an extra responsibility matrix for that purpose
- segregate the duties by separating activities that could be in a conflict of interest; for example, the person writing the code should be different from the person reviewing the code for security vulnerabilities
- maintain contact with relevant authorities; these could be government agencies, for instance the data protection agency in case you need to report a personal data breach or if you suspect that the law might be broken
- maintain contact with special interest groups, such as membership in groups or forums that can improve your security knowledge, inform you about information security trends and best practices, give you access to information security advice and so on
- implement information security in project management, regardless of the type of project you're running, by conducting an information security risk assessment for the project and basically making sure that information security is part of every phase of your project
Quiz
Information security should be addressed in every project, regardless of its type.
1. True – Correct!
2. False – Incorrect! Information security should be part of every phase of each project, internal and external.
According to ISO 27001, Annex A, information and assets should be managed by:
1. Defining a classification framework considering the levels Public, Internal, Confidential, and Top Secret – Incorrect! The standard doesn't prescribe specific levels of classification.
2. Defining expected behavior on the use of assets – Correct!
3. Implementing an asset management software – Incorrect! The standard doesn't prescribe asset management to be performed by a software tool.
4. By ensuring the former employee signs the Return of Asset form when leaving the organization – Incorrect! The standard doesn't prescribe a specific form to be signed.
1. True – Incorrect! Supplier agreements should be documented to make sure there is no misunderstanding between the company and the supplier regarding their information security obligations.
2. False – Correct!
The 2022 revision of the standard has introduced another new control called A.5.30 ICT readiness for business continuity. The purpose of this control is to introduce various solutions and resources that will enable a successful recovery, for example preparing secondary locations, replacements for the most important people, alternative service providers and similar.