The revision of ISO/IEC 27001 and ISO/IEC 27002 is currently underway (the current versions were published in 2013). Organizations that take a systematic approach to information security management have surely noted this development.
ISO/IEC 27002 is again designed to provide a framework of controls for information security management (comparable to, for example, the NIST CSF).
The main change the new version brings is the consolidation of the measures into four groups:
1. Organizational arrangements
2. Personnel measures
3. Physical measures
4. Technical measures
There are also several areas that will require management attention and action (where applicable to the organization), such as:
- Threat management (Measure: Information relating to information security threats should be collected and analyzed to support threat management.)
- Information security when using cloud services (Measure: The processes for acquiring, using, managing and terminating cloud services should be designed in accordance with the organization's information security requirements.)
- ICT readiness for business continuity (Measure: ICT readiness should be planned, implemented, maintained and tested on the basis of business continuity objectives and ICT continuity requirements.)
- Physical security monitoring (Measure: Premises should be monitored continuously to prevent unauthorized physical access.)
- Configuration management (Measure: Configurations, including security, hardware, software, service and network configurations, should be established, documented, implemented, monitored and controlled.)
- Erasing information (Measure: Information stored in information systems and devices should be erased when it is no longer needed.)
- Data masking (Measure: Data masking should be used in accordance with the organization's access control policy and business requirements, taking into account legislative requirements.)
- Data leakage prevention (Measure: Measures to prevent data leakage should be applied to systems, networks and end-user devices that process, store or transmit sensitive information.)
- Monitoring activities (Measure: Networks, systems and applications should be monitored for unusual behavior and appropriate measures should be taken to evaluate potential information security incidents.)
- Web filtering (Measure: Access to external websites should be controlled to reduce exposure to malicious content.)
- Secure coding (Measure: Software development should be subject to secure coding principles.)
The publication of the new standards is expected at the end of 2021 or at the beginning of 2022.
Subsequently, a transition period will begin. During this period, organizations with a certified information security management system will need to implement the new requirements.
Author: Martin Kašša, ISO/IEC 27001 auditor
(sources used: ISO/IEC DIS 27002 Information security, cybersecurity and privacy protection)
Training name | Length of training | Available dates | Price | Link
---|---|---|---|---
Cyber security and requirements of the ISO/IEC 27001 standard | 2 days | According to you | On request | More about the training
TISAX - Trusted Information Security Assessment Exchange | 2 days | According to you | On request | More about the training
Requirements of the standard / Training of internal auditors according to the ISO/IEC 27001:2022 standard | 1 day | According to you | On request | More about the training
Internal Auditor ISO/IEC 42001:2023 and ISO 19011 - Artificial Intelligence Management System | 2 days | According to you | On request | More about the training