After almost a decade, ISO 27001:2013 is due to be succeeded by its new iteration, ISO 27001:2022, to be published in the second quarter of this year. Ahead of that, ISO 27002:2022 was already published in January 2022. This has implications both for organizations that are already ISO 27001:2013 certified and for those about to be certified. Organizations that are already certified in ISO 27001:2013 and continuing surveillance audits will get a two-year transition period for migrating to the new version of the standard, ISO 27001:2022, so there is plenty of time for this change. Also, ISO 27001:2013 allows you to select controls from any source, provided that the controls are justified and aligned with Annex A.
The ISO 27002:2022:
It is said that ISO 27001 goes hand in hand with its sister standard, ISO 27002. ISO 27002 is the code of practice for ISO 27001, although the term “Code of Practice” has been dropped from the title of the new version, ISO 27002:2022. ISO 27001 specifies what an organization must do to practice and maintain an ISMS (Information Security Management System), while ISO 27002 elaborates on the example security controls listed in the ISO 27001 annex. Organizations are allowed to take security controls from anywhere, as long as those controls are justified and comparable to the ISO 27001 annex controls.
It is worth mentioning here that ISO 27002:2022 groups its revised 93 controls into four chapters. In ISO 27002:2013, there were 114 controls grouped into fourteen chapters. These four chapters are four themes or domains, by which you can segregate controls easily. The four domains are:
• Organizational: 37 controls (Chapter 5)
• People: 8 controls (Chapter 6)
• Technological: 34 controls (Chapter 7)
• Physical: 14 controls (Chapter 8)
Furthermore, each control is tagged with five attributes, so that controls can be categorized and managed easily. The five attributes are:
• Control type (preventive, detective, corrective)
• Information security properties (confidentiality, integrity, availability)
• Cybersecurity concepts (identify, protect, detect, respond, recover)
• Operational capabilities (governance, asset management, etc.)
• Security domains (governance and ecosystem, protection, defence, resilience)
There are eleven completely new controls, aligned with data privacy and other emerging needs. They are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
In this article, we will dig deeper into the eight People controls and focus on their relevance to an organization’s needs. This is a continuing series; the other chapters will follow in subsequent articles.
The Eight “People” Controls:
1. Screening (6.1)
ISO 27002 emphasizes having a policy for screening employees, staff and vendors who are relevant to the information security management system. While developing the screening policy, the organization should take into account local regulation and legislation as well as the responsibilities of security employees, so that no inconsistency exists between them. Screening is needed to ensure that employees are trustworthy and competent. For some roles, such as those handling sensitive information, a higher degree of screening may be appropriate. In all cases, the screening should be recorded and documented appropriately.
2. Terms and conditions of employment (6.2)
To make employees aware of the information security policy and their responsibilities for maintaining information security, the organization needs to communicate the details to employees regularly. At the commencement of work, the organization can share these requirements in the form of a “Code of Conduct” or within the terms and conditions of employment. The organization should make it mandatory for all employees to thoroughly read and understand these security terms and conditions.
3. Information security awareness, education and training (6.3)
Employees also need to maintain information security best practices and remain alert to new and emerging threats, so regular training, awareness and communication are mandatory. When an employee is promoted or changes role, training is needed on the information security practices relevant to the new domain. For the majority of employees, training is very effective for combating social engineering and phishing attacks, maintaining the password policy, and protecting against adware, Trojans and other malware. As cyber threats are continuously becoming more sophisticated, there is no alternative to regular training, awareness and communication.
4. Disciplinary process (6.4)
There should be a policy for disciplinary action when it is confirmed that information security rules and guidelines have been violated. Merely building and deploying the policy is not sufficient; making people aware of it is equally important. The policy should clearly state the magnitude of disciplinary action for repeated incidents as opposed to merely inadvertent ones. Employees should be made aware of how to report security incidents; otherwise, fear of disciplinary action could discourage them from reporting.
5. Responsibilities after termination or change of employment (6.5)
Information security duties and responsibilities remain even after termination or change of employment. Employees must respect and maintain the confidentiality of sensitive organizational information after leaving the organization. To make this happen, a confidentiality agreement can be incorporated into the employee’s terms and conditions.
6. Confidentiality or Non-Disclosure Agreements (6.6)
For highly confidential or sensitive information, legally binding terms can be enforced. These may include the duties and responsibilities for maintaining the confidentiality of information, the terms that constitute a breach of confidentiality, and the penalties, including applicable legal action, if the agreement is broken. This ensures that employees observe confidentiality for a defined period of time after leaving the organization.
7. Remote working (6.7)
Remote or home working is gaining popularity day by day, and during the recent pandemic more and more organizations have promoted remote work. However, the information security implications of remote working should be considered. A policy should be formulated outlining the terms under which remote working is permitted, when and where it is permitted, the equipment standards required, and the necessary provisions and authorizations for access to information systems. In particular, the policy should restrict the use of third-party networks, prohibit connecting unauthorized devices to the network, and prohibit working in front of friends and family.
8. Information Security Event reporting (6.8)
Reporting is the first step in fixing and preventing information security violations. After identifying an incident or event, employees should report each and every one through the proper channel. Breaches of information security range from human errors, malicious incidents, suspected malfunctions and confidentiality breaches to violations of policies or national regulations. Therefore, employees need a proper reporting channel. Regular awareness of how to report, follow-up on reports, and rewarding those who report will also boost the reporting process.