Reading time: ~ 4 min.
The Information Security: the controls set by the new ISO 27002:2022 standard
The International Organization for Standardization (ISO) has recently released the updated version of the guideline for the application of the operational controls for the ISO/IEC standard 27002:2022, also known as the «Information security, cybersecurity and privacy protection - Information security controls».
The ISO 27002 standard recognizes 4 large groups (clauses or themes) of operational controls:
- Organization Controls (aspects related to the organization)
- People Controls (details on single individual)
- Physical Controls (objects and aspects related to physical & environmental matters)
- Technological Controls (aspects related to the technology)
- The control type («when and how control changes risk» perspective);
- The information security properties (integrity, availability and confidentiality perspectives);
- The cybersecurity concepts (application of controls to information security perspective);
- The operational capabilities (information security operations perspective);
- The security domains (governance, protection, defense and resilience perspectives).
To better understand the way ISO 27002:2022 standard refers to the controls, you can take a look at this infographic:
A closer look at attributes of the controls set by the ISO 27002:2022 standard on Information Security
As we already suggested on the previous paragraph, the new ISO 27002:2022 standard on Information security, cybersecurity and privacy protection - Information Security Controls sets 4 macroscopic groups of operational controls.
Let's take a closer look at each of which, considering the 5 attributes and how they affect the way you can put them in perspective.
1. The Control Type attribute on ISO 27002:2022 standard
The first ISO 27002:2022 standard control attribute we are going to analyse - according to our infographic - is the «Control Type» one.
This one sets the way you can look at the controls from a perspective of «when and how the control modifies the risk» with regard to the occurence of an information security incident.
- Preventive (the control that is intended to prevent the occurrence of an information security incident);
- Detective (the control acts when an information security incident occurs);
- Corrective (the control acts after an information security incident occurs).
2. The Information Security Properties controls attribute according to ISO 27002:2022 standard
The second of the controls attributes set by the ISO 27002:2022 standard we take into consideration is the «Information Security Properties» one.
In this case, the attribute set a point of view of the controls according to the perspective of
«which characteristic of information the control will contribute to preserving».
The attribute values consist of:
Confidentiality;
Integrity;
Availability.
3. The cybersecurity concepts controls attribute set by ISO 27002:2022 standard
The third of all the controls attributes recognised by the ISO 27002:2022 standard we are considering is the «Cybersecurity concepts» one.
This attribute suggests the way you can view the controls from a perspective of «the association of controls to cybersecurity concepts», as defined in the cybersecurity framework described in the ISO/IEC TS 27110.
In this case, the attribute value consist of:
- Identify;
- Protect;
- Detect;
- Respond;
- Recover.
4. The ISO 27002:2022 operational capabilites controls attribute
The fourth attribute of the updated version of ISO 27002:2022 standard we are going to consider is the «operational capabilities» one.
This attribute helps us to view the controls from a «practioner's perspective of information security capabilities».
In this case, the attribute values are:
- Governance;
- Asset Management;
- Information Protection;
- Human Resource Security;
- Physical Security, System and Network Security;
- Application Security;
- Secure Configuration;
- Identity and Access Management;
- Threat and Vulnerability Management;
- Continuity;
- Supplier Relationships Security;
- Legal and Compliance;
- Information Security Event Management;
- Information Security Assurance.
5. The security domains controls attribute according to ISO 27002:2022 standard
The last of all the ISO 27002:2022 standard controls attributes we are going to mention is the one known as «Security domains».
This attribute provides us a controls view according to the «perspective of four information security domains», which are:
- «Governance & Ecosystem» that includes the «Information System Security Governance & Risk Management» and the «Ecosystem cybersecurity management» (considering also the internal & external stakeholders);
- «Protection» that considers all these topics: «IT Security Architecture», «IT Security Administration», «Identity and access management», «IT Security Maintenance» and «Physical and environmental security»;
- «Defence»that contains the «Detection» and «Computer Security Incident Management» matters;
- «Resilience» that includes «Continuity of operations» and «Crisis management».
- Governance_and_Ecosystem
- Protection;
- Defence and Resilience.
Our «breakdown» on ISO 27002:2022 Organizational, People, Physical and Technological Controls
At the ending stage of our overview on the new ISO 27002:2022 standard on «Information security, cybersecurity and privacy protection - Information security controls» we'd like to provide you our breakdown on Organizational, People, Physical and Technological controls.
If you want to download our breakdown document, subscribe to our newsletter. Every month we update you with all the most relevant topics for our ICT Service Management professional community and we give you some preview of «what is happening behind the scenes».
