In February 2022, ISO 27002 “Information security, cybersecurity and privacy protection – Information security controls” was updated and replaces its predecessor from 2013 with the 2022 version. ISO 27002 is the guidance for implementing the requirements from ISO 27001 and consequently is not itself a certification standard. Certification continues to be based on the ISO 27001 standard.
The title of the standard has been changed (formerly: “Information technology – Security techniques – Code of practice for information security controls”), the structure of the controls has been changed, for example by assigning attributes to the individual controls and controls have been merged, the descriptions updated and controls deleted. These changes will be included in the ISO 27001 update and will be mandatory for future ISO 27001 certifications.
The following controls were added:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The structure has been significantly changed and now includes the following areas:
5. organizational controls
6. personnel controls
7. physical controls
8. technological controls
Let’s explicitly look at the changes related to Business Continuity Management (BCM). In ISO 27001:2013, BCM requirements are described in Annex A.17 “Information security aspects of business continuity management”: “The organization shall determine the requirements for information security and for maintaining information security management in adverse circumstances ( eg. crises and disasters), implement measures to maintain information security, and review and evaluate them.”
This vague and broadly interpretable description has been clarified in the now refreshed 27002:2022 standard: The requirements in Chapter 5 “Organizational controls” in the two controls 5.29 “Information security during disruption” and 5.30 ICT readiness for business continuity” are now more clearly formulated. The 27001 certification standard will also contain these chapters in its next update.
The first control picks up the requirements for ensuring information security to an appropriate extent during business disruptions from ISO 27001:2013. In the event of a business interruption, the requirements for information security objectives should be appropriately addressed based on the findings of the business impact analysis and risk assessment.
Control 5.30 “ICT readiness for business continuity” defines the business continuity management requirements for information security in much more specific terms. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA). Two key elements of disaster recovery are addressed. When assessing the Business Impact Analysis, the following points must be considered:
Recovery Time Objective (RTO) – How long can a business process/system be down? The Recovery Time Objective is the time taken from the moment of damage until business processes are fully restored (recovery of: Infrastructure – Data – Reprocessing of data – Resumption of activities) may elapse. The time period can vary from 0 minutes (systems must be available immediately) to several days (in some cases weeks).
Recovery Point Objective (RPO) – How much data loss can be accepted? The Recovery Point Objective is the time period between two backups, i.e. how much data/transactions can be lost between the last backup and the system failure. If no data loss is acceptable, the RPO is 0 seconds.
Based on the results of the BIA, contingency strategies are to be defined for the ICT resources with contingency options before during and after interruptions. Based on these strategies, contingency plans are to be developed, implemented and tested.
In doing so, it is required that the organization
- implement an adequate organizational structure to deal with business interruptions,
- have ICT contingency plans that are regularly tested and approved by management,
- have ICT plans that include performance and capacity specifications to meet the requirements from the BIA, as well as RTOs and RPOs.
The descriptions of the requirements of ISO 27002:2022 for business continuity management are described in much greater detail, particularly in Control 5.30, than in the current status of ISO 27001. A complete business continuity management system in accordance with ISO 22301 is not explicitly required, but a business impact analysis must be performed as the basis for ICT contingency plans and will then become a mandatory requirement for certification when the controls are adopted in the updated ISO 27001.
An article written by iugitas, published on 07 March 2022
Translated by Charlotte Ley