The revision process of ISO/IEC 27001 and ISO/IEC 27002 is currently underway (the current version was published in 2013). Organizations that focus on a systematic approach to information security management have certainly registered this innovation.
ISO/IEC 27002 is again designed to provide a framework for information security management (similar to, for example: NIST CSF).
The main changes that the new version brings is the merging of measures into 4 groups:
1. Organizational arrangements
2. Personnel measures
3. Physical measures
4. Technical measures
There are also several areas that will require management and action (if applicable in the organization), such as:
Threat Management (Measure: Information related to information security threats should be collected and analyzed to create threat management.)
Information security when using cloud services (Measure: The processes for acquiring, using, managing and terminating cloud services should be designed in accordance with the organization's information security requirements.)
ICT readiness for business continuity (Measure: ICT readiness should be planned, implemented, maintained and tested on the basis of business continuity objectives and ICT continuity requirements.)
Physical security monitoring (Measure: Premises should be monitored continuously to prevent unauthorized physical access.)
Configuration Management (Measure: Configurations, including security, hardware, software, services, and network configurations, should be created, documented, implemented, monitored, and controlled)
Erasing information (Measure: Information stored in information systems and devices should be erased when it is no longer needed.)
Data masking (Measure: Data masking should be used in accordance with the organization's access control policy and business requirements, taking into account legislative requirements.)
Data leakage prevention (Measure: Measures to prevent data leakage should be applied to systems, networks and terminal equipment that process, store or transmit sensitive information.)
Monitoring activities (Measure: Networks, systems and applications should be monitored for unusual behavior and appropriate measures should be taken to evaluate potential information security incidents.)
Web filtering (Measure: Access to external websites should be controlled to reduce exposure to malicious content.)
Secure Encryption (Measure: Software development should be subject to secure encryption policies.)
The publication of the new standards is expected at the end of 2021 or at the beginning of 2022.
Subsequently, a transitional period will begin. During this period, new requirements will need to be implemented if your organization has a certified information security system.
Author: Martin Kašša, ISO/IEC 27001 auditor
(sources used: ISO/IEC DIS 27002 Information security, cybersecurity and privacy protection)
| Training name | Training duration | Venue | Price | The nearest date |
|---|---|---|---|---|
| Requirements of the standard / Training of internal auditors according to the ISO/IEC 27001:2022 standard |
1 day
|
Company in-house training | On request |
According to you
|
| TISAX - Trusted Information Security Assessment Exchange |
2 days
|
Company in-house training | On request |
According to you
|
| Cyber security and requirements of the ISO/IEC 27001 standard |
2 days
|
Company in-house training | On request |
According to you
|
AIAG members and Odette - together with established industry partners and stakeholders have decided to release a new version of MMOG/LE, in order to support the following objectives for a more stable and predictable supply chain.
More
ISO / IEC 17025 is a standard that applies to laboratories in various industries and ensures that standards for laboratory testing and calibration are followed in practice.
More
Recently, we have begun to accumulate events that we are not used to in our latitudes. Apart from the pandemic, we have certainly all caught a tornado in Moravia and other extreme weather events. ISO 22301 specifies business continuity requirements and rules and helps companies recover quickly from unforeseen events. Its aim is to prepare companies and protect them in the event of such an exceptional unforeseen event.
More
What is the difference between PSB and PSCR? Why is PSB no longer enough and what has changed? What training should you undergo?
More
