Cybersecurity experts are familiar with the ISO 27002 standard. Some are inspired by it to guarantee the health of their company’s information system or maintain ISO 27001 certification for their ISMS, while others consider it from a distance, seeing no interest in it for their organisation.

And yet, this standard is far from being reserved only for a certain category of companies, subject to specific regulations – especially since its update in 2022. In fact, it can help to improve the cybersecurity posture of any organisation… as long as you know how to use it and with what tools.

WHAT IS THE ISO 27002 STANDARD?

In essence, ISO 27002 is an international standard providing a set of guidelines and best practices for managing information security within organisations.

What is the difference between ISO 27001 and ISO 27002?

The purpose of ISO 27001 is to provide companies of all sizes with a framework for implementing information systems security (ISS) governance. It proposes a pragmatic approach to information security management, based on a precise assessment of risks. It consists of a set of requirements that companies must meet in order to obtain certification – or that they can refer to in developing their own governance policy.

ISO 27002, on the other hand, is the toolbox of best practices on which 27001 is based. It consists of recommendations on the choice and deployment of the best security measures. Whether certified or not, the 27002 standard aims to improve a company’s cybersecurity posture.

However, it would be wrong to reduce ISO 27002 to a simple annex to ISO 27001, or to a guide to good practice for successful certification! Even if it was historically designed with this in mind, it is now considered as a strategic support for any entity wishing to maintain the security of its information system at a good level.

The new version, recently published, has been redesigned to incorporate all the risks associated with new technological developments and the threats that the IT world has encountered over the last 10 years: the explosion in teleworking, migration to the Cloud, use of multiple applications, etc.

This update makes ISO 27002 even more interesting to use, even for companies not concerned by ISO 27001 certification. It provides all the elements you need to build your own cybersecurity strategy, as well as the processes you need to follow to keep your IS in a good security posture.

Some examples of ISO 27002 applications
  • Banks and financial institutions

    A major bank using ISO 27002 can strengthen its information security measures in response to the growing threat of cyber attacks in the financial sector. By applying the standard’s controls, it puts in place:

    • strict access management policies;
    • continuous monitoring of systems;
    • well-defined incident response procedures.

    The result: reduced risk of fraud and data theft, and greater customer confidence.

  • Hospitals and health establishments

    A hospital can adopt ISO 27002 to protect sensitive patient data. This includes:

    • implementing strict access controls;
    • training staff in good security practice;
    • the use of encryption to protect electronic medical records.

    The confidentiality of patient information is therefore preserved, and compliance with health data protection (HDS) regulations is facilitated.

  • E-commerce companies

    For an e-commerce business, implementing ISO 27002 helps to secure online transactions and protect customer information. It introduces controls such as:

    • encryption of payment data;
    • regular security audits;
    • penetration tests (pentests) to identify vulnerabilities.

    Such measures are a guarantee of protection against online fraud, and therefore an increase in consumer confidence.

  • Public administrations

    Local authorities (among others) can also benefit from ISO 27002 compliance! Role-based access management, systems monitoring to detect suspicious activities, implementation of business continuity plans… all with the same (triple) objective:

    • protection of citizens’ personal data;
    • improving the resilience of public services;
    • compliance with data protection laws.

  • IT consulting firms

    An IT consulting firm, even more than other organisations, has a strong interest in adopting ISO 27002 to secure its clients’ information and its own internal systems. To achieve this, it involves:

    • implementing robust security policies;
    • conducting regular risk assessments;
    • ensuring continuous training for its staff on emerging threats.

    The advantages of such an approach are numerous: strengthening the security of clients’ information, improving the management of internal security risks, differentiating in the market as a security-conscious company…

  • Universities and educational institutions

    When thinking about cybersecurity, educational institutions do not often come to mind – yet they also face significant IT security challenges! For instance, a university can implement the ISO 27002 standard to protect academic and personal information of students and staff. This includes setting up access controls for information systems, password management policies, and procedures for responding to security incidents. Such measures help – among other things – to maintain or improve the institution’s reputation.

ISO 27002: THE NEW FEATURES OF THE 2022 VERSION

In its 2022 version, ISO 27002 has been improved to provide greater clarity in the measures to be considered and more relevance to the technological developments the world has seen in recent years. Remote work, cloud computing, BYOD (bring your own device), and the increase and evolution of cyber threats have prompted the International Organization for Standardization to rethink the structure of the document.

This new version offers a streamlined structure, with a significant reduction in controls compared to the 2013 version. However, the major innovation of 2022 is the creation of attributes. This concept, highly praised by experts, provides a standardised way to sort and filter controls, allowing for different views based on individual needs.

Bonus: these attributes tend to facilitate the integration of ISO 27002:2022 controls with other similar security frameworks, such as NIST risk management.

ISO 27002: BENEFITS AND CHALLENGES

What are the advantages of the ISO 27002 standard?

Also known as the “Code of Practice for Information Security Management,” ISO 27002 offers numerous advantages to organisations that adopt it.

  • #1 Improve its security posture

    The ISO 27002 standard provides a framework of best practices for information security management. It essentially helps organisations protect their information assets against various threats – which is its primary goal. By assisting them in identifying, assessing, and managing their cyber risks, ISO 27002 enables organisations to implement appropriate measures and controls to mitigate these risks.

  • #2 Ensure regulatory compliance

    Many regulations and laws require specific information security management measures. ISO 27002 helps organisations comply with these legal and regulatory requirements, thereby reducing the risk of sanctions and fines. ISO 27002 is also designed to be used in conjunction with ISO/IEC 27001; their combination allows organisations to establish and maintain a coherent and effective ISMS.

  • #3 Inspire confidence

    Adopting ISO 27002 demonstrates to clients, partners, and stakeholders that the organisation takes cybersecurity seriously. This can enhance trust and improve the company’s reputation.

  • #4 Optimise processes and company culture

    The ISO 27002 standard encourages the use of effective processes and practices to manage cybersecurity. The result is better resource management and potentially reduced costs associated with security incidents. The goal is also to promote a security culture within the company by raising awareness and training employees in good cyber practices. Last but not least, ISO 27002 encourages organisations to continuously review and improve their information security practices, ensuring that controls remain effective in the face of evolving threats.

Implementation Challenges

While this standard can assist CISOs, one of its major characteristics is its comprehensiveness – which involves a significant volume of data to process. However, a cybersecurity strategy includes other elements, such as implementation planning, monitoring, verification of action implementation, and controls – all of which can impact the expected level of security.

Using a tool like Excel can be considered for managing this project. However, it will quickly become inadequate when faced with the amount of information to handle (consolidating, reporting), and may even hinder the effective management of the security policy and endanger the company. This observation also applies to “home-made” tools.

OPTIMISE THE MANAGEMENT OF YOUR ISO 27002 COMPLIANCE

CISOs or ISMS managers mostly use a (perhaps excessively) large number of files (Excel, Word, etc.) to manage their governance, particularly their compliance with ISO 27002. In a study published in 2021 by IDG for ReliaQuest, 70% of CISOs reported that security management had become so time-consuming that it limited their ability to protect their company.

It is in this context, and to assist them daily in organising and managing their cybersecurity, that next-generation GRC solutions (such as Tenacy!) have been developed. These solutions centralise, measure, and interconnect all cybersecurity management processes. They have the advantage of integrating all ISO 27002 measures into a single administration console.

Attribute Management

The purpose of the “attributes” introduced by ISO 27002:2022 is to help organisations select their areas for improvement based on their own policies or to facilitate reporting.

However, in practice, this can be tedious for a CISO using “home-made” tools. Even a pivot table expert might not be able to:

  • integrate all the elements that make up ISO 27002:2022 into a single Excel file;
  • add interconnections to make it “intelligent”;
  • maintain it over time.

By switching to a GRC solution, the CISO benefits from the power of an “intelligent” tool capable of aligning actions with strategy. They can, for example, determine their level of compliance based on the chosen attribute and their action plan in just a few clicks.

They will then have a precise view of the progress and impact of the measures implemented on their organisation’s cybersecurity posture, enabling them to make informed decisions.

To discover how Tenacy can help you manage your ISO 27002 compliance, book your demo of the platform today!