ISO 27002 2013 to 2022 mapping


On February 15th, 2022, the International Organization for Standardization (ISO) published the latest update to "ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls". The new standard is available for purchase from the ISO.org website for CHF 198 (Swiss francs) or, if you prefer US dollars, for $200 on the ANSI.org webstore. I'll also simply refer to it as ISO 27002, as most people do.

I've been working with the ISO 27002 controls since the 2005 version. It's always interesting to see the changes that are made and what I need to adjust in order to stay aligned with the framework. Unfortunately, this also means that many organizations' policies and procedures need to be updated. ISO 27002:2013 was largely the same as the 2005 version, except that it removed the controls around Risk Assessment and Treatment. This time the changes are much more drastic. Briefly, they are:

ISO 27002:2013 had 114 controls spread over 14 control domains.
ISO 27002:2022 reorganizes this into 93 controls under a taxonomy of 4 major categories (called themes, clauses 5 through 8 of the standard):

Organizational Controls (clause 5) – 37 controls
These cover governance and process, such as policies, supplier relationships and incident management

People Controls (clause 6) – 8 controls
These deal with individual people, such as background checks

Physical Controls (clause 7) – 14 controls
These refer to physical objects, such as data centers and backup media

Technological Controls (clause 8) – 34 controls
These are concerned with information security technology, such as access rights and authentication

When I first looked at this, I liked that it resembles the way HIPAA is broken down into Administrative, Physical, and Technical safeguards. This simplification makes talking to non-security people much easier, though of course the very detailed controls are still in place underneath.

Another big change is the inclusion of attribute tables for each control. These are defined in Annex A of the standard and tell you, among other things, whether the control is preventive, detective, or corrective; which information security properties it supports (Confidentiality, Integrity, or Availability); and which cybersecurity concepts it covers: Identify, Protect, Detect, Respond, or Recover. Oh hey, those are the NIST CSF functions! (Annex A also tags each control with operational capabilities and security domains, which are handy for filtering the control set by who owns it.)

Many of the controls from 2013 to 2022 were merged where it made sense. When reviewing the changes in ISO 27002:2022, it became clear that controls that were previously "near" each other have been moved all over the place. I decided to use Annex B (included in the standard) to better map out where the controls from ISO 27002:2013 ended up in this latest version.

Additionally, I found that although no controls were dropped altogether, 11 new controls were added, showing that the ISO 27002 framework continues to evolve and embrace current technologies and security concepts. These new controls are listed in Table 1 below, and it's clear that they target more recent security technologies and practices.

For the most part, the mapping is "many to one". This means that each 2013 control maps into a single 2022 control, and sometimes several 2013 controls map into the same 2022 control because similar concepts were combined into one. That is the merging I referenced earlier. The map shows, for each 2013 control, where to find it in 2022, but also, for each 2022 control, which 2013 controls are included in it. Note that a handful of 2013 controls are split across more than one 2022 control, so check the map in both directions before reusing a document. I like to keep my policies very clearly aligned with the framework so that they are trivially auditable, and this map will help me re-use my 2013 documents.

The mapping is provided in the linked "ISO 27002 2013-2022 MAP (Annex B).xlsx" file. As we all move our tools and documentation from ISO 27002:2013 to ISO 27002:2022, hopefully this mapping will be useful in guiding you through the process and maybe shorten the time it takes you to migrate to the latest and greatest.

Table 1: The 11 controls new in ISO 27002:2022

#    Control ID   Control Name
1    5.7          Threat intelligence
2    5.23         Information security for use of cloud services
3    5.30         ICT readiness for business continuity
4    7.4          Physical security monitoring
5    8.9          Configuration management
6    8.10         Information deletion
7    8.11         Data masking
8    8.12         Data leakage prevention
9    8.16         Monitoring activities
10   8.23         Web filtering
11   8.28         Secure coding
