How to Use ISO/IEC27002:2022 to Align Security Controls to Good Practice
ISO/IEC27002:2022 (the new version of good practice security controls) was released last month. I’ve begun to think about why companies and organisations DON’T already use the security standards to follow good practice. Here is the case for using ISO27002 to align security controls.
My late father’s favourite saying was “If you’re going to do it, then do it right!”. It’s only recently that I began to accept the truth in that. Conventional thinking might lean towards, “Sure it’ll do”, or “Maybe later”. As the security community already knows “It’s much easier (better & cheaper) to build security into the design, than retro-fit it afterwards”.
What Does ISO27002 Do?
Now, you might argue – “But we’ve got our company’s security controls already set. We can’t change them now”. I fully understand, but aligning security controls to standards (the compliance versus certification argument I’ll address later) doesn’t require you to change anything (assuming, of course, that they’re working). What the standards do (and I’m referring to 27002 specifically) is give you very useful guidance on:
- where you should be focusing your control budget (efficiency),
- what types of controls may be most appropriate to meet business objectives (value),
- what gaps might exist in your management of risk (effectiveness).
In my opinion, ISO/IEC27002:2022 is some of the best security advice that you can buy, and for €200, it’s excellent value for money.
It’s important to remember that you don’t have to implement a range of new controls on day one. Companies can put a proper Information Security Management System in place over a number of months, or even years (at a pace you are comfortable with in addressing your business risks, and as your budget allows). Many of the controls in 27002 are “no cost”, i.e. they’re just about having good processes in place, having comprehensive documentation in place, or having roles properly assigned.
I believe that this new release is a big improvement on the last (2013) version. It addresses many controls that were previously absent. I’d highly recommend it (particularly for SMEs and larger organisations that are thinking actively about risk).
Compliance versus Certification
OK, so I promised I’d address the Compliance versus Certification argument. The answer as to which one is better is “It Depends!”. Every organisation should strive to achieve compliance with the control guidance in 27002 at minimum. It just makes sense. I’d wager (specifically in relation to startups and SMEs, where Cloud is the primary information processing infrastructure) that most companies are already probably somewhere between 70% and 80% compliant with the control guidance of 27002.
What are the Changes to Control Areas?
That uplift of 20%-30% isn’t insignificant, but a gap analysis will quickly indicate the areas that you might focus on, and will determine what might be involved in plugging those gaps. For companies that are already ISO/IEC27001:2013 certified the news is better – your uplift is likely to be in the range of 5%-10% of your existing controls. The standard covers these new controls:
- Threat intelligence
- Use of cloud services
- Readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The number of controls in the new version has been reduced from 114 to 93, but no controls have been dropped (some have been merged). Guidance is broadly the same, but there are some subtle differences. For all businesses, using ISO27002 to align security controls will:
- greatly reduce the risk exposure (vulnerability & impact) of your company
- streamline your security processes (so that you’re not duplicating or being ineffective)
- integrate ‘doing it the right way’ into your company’s culture
- help staff understand why security controls are important (to the business, and to them personally)
From a personal point of view, I cannot understand why any business would choose not to use ISO27002 to align security controls to a standard (low cost => massive risk reduction). In terms of certification: there’s only one reason to seek and achieve security certification, and that is that it benefits the business. This could relate to:
- Reputational impact
- Brand enhancement
- Creating competitive advantage
- Building trust with your customers
- Maintaining trust with your suppliers or partners
- Regulation or supervision (required in order to operate in that space)
If you’re already aligned, certification is easier than you might expect. It just involves an independent body auditing you to make sure you’re aligned/compliant with the Standard. Assessment involves a specially trained and regulated auditor checking to make sure you’re doing what you say. There’s a small cost for certification and supervision, but I’d argue that if you’re already compliant, why wouldn’t you maximise the opportunity of using it to your advantage?
Don’t be afraid of the standard. Using ISO27002 to align security controls provides real value, and can help your organisation reduce its risk to a very manageable level with very little operational overhead. Cycubix works with companies of all sizes to extend in-house capabilities with the specific knowledge and expertise needed to support these compliance and certification efforts. Designed to build digital capabilities across Ireland, the Enterprise Ireland Digitalisation Voucher (valued at €9000) can be applied to a review of cybersecurity risk and to work towards international security standards such as ISO/IEC27002:2022.
If you are interested in certifying ISO27001 or would like to align to the new ISO27002, then please reach out to us at [email protected] and we’d be delighted to follow up with you.