Due to framework and law changes, this appendix to the book is mandatory. I have also taken the opportunity to briefly introduce you to some quite relevant topics that I hadn’t touched upon in previous chapters, such as Vulnerability Assessment and Penetration Testing (VA/PT). I decided to divide this appendix into different topics.
The current version of ISO 27002 was issued in 2013 and is now hopelessly out of date. A great deal has changed in the last 8 years! Let’s hope we won’t have to wait another 8 years for the next edition.
As with the previous edition, ISO 27002 is meant to be independent in the sense that it may be utilized by organizations that are uninterested in ISO 27001 and just want a set of information security rules to implement inside their organization. In this regard, it is identical to other control frameworks, such as the CSA’s NIST CSF. Choose your poison!
The new version will go out possibly in the upcoming months where the only significant change is that Annex A will match the new ISO 27002. This introduces 11 new controls, which are as follows:
Note that the controls I’ve described previously are not the real ones. These are the controls’ names. The control descriptions are included in ISO 27002 and will be included in the new Annex A when ISO 27001 is updated. ISO 27002 also provides implementation guidelines for these measures. For better understanding here, I need to clarify that all of the standards in the ISO 27000 series have a specific focus: while ISO 27001 is designed to build the foundations of information security in your organization and devise its framework, ISO 27002 is designed to implement the controls named in Annex A of ISO 27001.
I have already read a great deal on the internet about these new regulations, and one of the most common assertions is that organizations will be required to adopt them. This is not true in my opinion for several reasons:
However, do not trust anybody who says you must implement these new controls.
Each control is labeled in a variety of ways, such as whether it is preventative or remedial and whether it pertains to confidentiality, availability, or integrity. It remains to be seen whether this will be beneficial.
It features fewer controls (93 as opposed to 114), with some controls combined and others divided. In addition, it features a variety of additional contemporary measures, such as cloud security, threat intelligence, and web filtering; however, the fundamental concept remains the same. It is a collection of potential information security controls with implementation instructions for each control.
It depends; it attempts to cover certain current controls, such as those pertaining to the cloud. For the provided controls, some assistance is lacking, but the majority are superb.
No, and this is due to the two primary causes listed as follows.
There are 14 physical security controls, but only one cloud security control and two network security controls. There are other examples. This is simply imbalanced.
Some of the most prevalent information security measures are buried in the extensive guidelines for other controls or are simply not addressed. There are no distinct controls for Firewall, IDS, Email security, MFA, VPN, WAF, Cyber Insurance, Wireless access, or Third-party library/software management, for instance. Some of them are not mentioned in the text.
Given the necessity of data validation in online applications, there are only a few controls and guidelines for validating data input.
There is just one control at a very high level for cloud computing, although I believe there should be numerous – for example, covering contracts, security obligations, tenant management, and service management. Yes, you may refer to ISO 27017; however, ISO 27002 should include at least the most typical cloud security rules on its own.
There are currently no adequate controls for business continuity management. There are some information security measures for business continuity planning, which are not the same thing. The lack of controls labeled Business Continuity Plan or Exercise Business Continuity Plans continues to perplex me. Yes, you may reference ISO 22301 for business continuity and disaster recovery management, but it makes no sense to me not to have these controls. Given the ubiquity of ransomware, there cannot be many organizations in the world that do not have at least one Business Continuity Plan, and this control is crucial from an information security standpoint.
Given that ISO 27002 is supposed to be utilized independently and fully apart from ISO 27001, it has relatively few governance rules, such as those pertaining to risk assessment, information security committee, and competences.
To be fair, ISO 27002 does state that organizations may need additional controls to enhance the ISO 27002 controls. Sadly, many organizations will not use ISO 27002 in this manner and will instead perceive it as a relatively complete collection of regularly used controls, which it is not!
Moreover, everyone will have their own opinions on what should be included in a list of frequently used information security rules.
If you are just beginning to implement ISO 27001, it may be beneficial to get a copy of the new ISO 27002 and use it as a guide for implementing your controls. Use it with caution, however: throughout 2023 there will probably be no need to re-certify your company against the new release; you will simply renew your certification as usual, according to your company’s certification cycle (usually 2 years). That said, I am about to suggest some strategies.
If you have previously implemented ISO 27001, you do not need to take any more action; nonetheless, you may find this updated version of ISO 27002 interesting since it contains valuable implementation strategies for various controls – that is, as a kind of quality control for your work.
What must you do when the new Annex A is released with the new ISO 27001 version?
Your certifying body or registrar will inform you of the transition arrangements to the new version, although you will likely have 2 years to completely transfer to the new version.
Depending on your circumstances and your desired strategy, there are two primary transition strategies.
Why would you use this strategy?
This strategy is appropriate if you want to move to the latest version of ISO 27001 with little effort. In particular, you do not want to alter your risk assessment.
What is this strategy?
This strategy is predicated on continuing to use the previous ISO 27001:2013 Annex A rules. This is permissible since ISO 27001 enables controls to originate from any source, and you may pick the old Annex A controls as your source. Do not allow anybody to convince you that this is impossible. It can happen! The most important aspect of this technique is that it allows you to shift to the new edition of ISO 27001 without modifying your risk assessment.
To implement this strategy, you will need to do the following:
Why would you use this strategy?
This option is appropriate if your risk assessment includes references to the old Annex A controls and you are willing to make all the required adjustments to your Information Security Management System (ISMS) and risk assessment to eliminate all references to the old Annex A.
What is this strategy?
This method eliminates any references to the old ISO 27001:2013 Annex A controls from your ISMS and replaces them with the new Annex A controls. This strategy is much more labor-intensive than the previous method.
The General Data Protection Regulation (GDPR) Enforcement Tracker by CMS Law provides a summary of the fines and penalties that EU data protection authorities have issued under the EU’s GDPR. The list is updated as often as its maintainers can. The software is available on GitHub (to be compiled according to your needs), and all the explanations and links are at https://www.enforcementtracker.com/.
The GDPR-CARPA, proposed last year by the Luxembourg authority, is a sort of certification for entities to prove that they are GDPR-compliant. The GDPR scheme sets the European Data Protection Board (EDPB) as the central European authority for the whole GDPR process, and then every member state has its own local government authority. Compliance is verified via an audit and, even if at the moment the certification is just a draft, it could be really interesting, because it would allow any certified entity to be chosen by another one (imagine a data processor). See more details here: https://edpb.europa.eu/news/national-news/2022/cnpd-adopts-certification-mechanism-gdpr-carpa_en.
The plethora of websites that use traffic-monitoring services, such as AdSense Analytics (and also Google Fonts, if used in online mode, that is, not downloaded and served locally), need, according to the European Data Protection Board, to set these aside in favor of alternative services.
Some of these, to use a nerdy metaphor, call home: that is, they send requests to Mountain View (Google’s home) without proper authorization.
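A practical way to find out whether your own pages “call home” is to list every resource a visitor’s browser would fetch from a host other than yours. The following script is an added example, not part of the book or of any tool it mentions: it parses a constructed sample page with the standard library and reports third-party hosts referenced by script, link, img and iframe tags, flagging those on a watch list. The watch list of Google hosts and the sample HTML are assumptions made for the example.

```python
"""List third-party resources embedded in an HTML page (privacy review aid).

Added example, not from the book. Parses a constructed HTML document and
reports every script/link/img/iframe that loads from a host other than the
site's own, so a review can spot embeds that make the visitor's browser
"call home" to a third party. The host list is an assumption for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as "calls home to Google" in this example (assumption).
GOOGLE_HOSTS = {
    "fonts.googleapis.com",
    "fonts.gstatic.com",
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "pagead2.googlesyndication.com",
}

# Tags that trigger a network fetch, and the attribute carrying the URL.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every tag that can trigger a fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.resources.append((tag, value))


def external_hosts(html, site_host):
    """Return sorted unique (tag, host) pairs for resources not served by site_host.

    Relative URLs (no host) are first-party and skipped. Protocol-relative
    URLs such as "//fonts.googleapis.com/..." are handled by urlparse.
    """
    collector = ResourceCollector()
    collector.feed(html)
    found = set()
    for tag, url in collector.resources:
        host = urlparse(url).netloc.lower()
        if host and host != site_host.lower():
            found.add((tag, host))
    return sorted(found)


def calls_home(html, site_host, watched_hosts=GOOGLE_HOSTS):
    """Return the external hosts that appear on the watch list."""
    return sorted({host for _, host in external_hosts(html, site_host)
                   if host in watched_hosts})


# Constructed sample page for the example (not a real site).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="//cdn.example-partner.net/logo.png" alt="partner">
<iframe src="https://example.org/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host in external_hosts(SAMPLE_PAGE, "example.org"):
        print(f"<{tag}> loads from third party: {host}")
    print("calls home to:", calls_home(SAMPLE_PAGE, "example.org"))
```

Run it against a saved copy of each page template; the output is a starting point for deciding which embeds to self-host (fonts, scripts) and which to replace.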
US President Joe Biden has signed the long-awaited Executive Order intended to address the earlier rulings of the Court of Justice of the European Union (CJEU), more than six months after an agreement in principle between the US and the EU. The Order aims to get around restrictions on data transfers between the EU and the US. However, Biden’s Executive Order appears to fall short of both requirements.
In past chapters, there were references to risk management and how to deal with vulnerabilities, among other things. What happens quite often, in terms of vulnerabilities in a company, is a technological gap, in which the most relevant (and therefore most insecure) aspect is missing updates. In this case, vulnerability management is the only thing you can do to have a clear view of the company perimeter.
VA (short for Vulnerability Assessment) is a methodical analysis of an information system’s security flaws. It assesses the system’s susceptibility to known vulnerabilities, gives severity ratings to those vulnerabilities, and advises remedy or mitigation as necessary.
Among the risks that may be averted by VA are as follows:
Various forms of VA exist. They consist of the following:
So, if you are ready to fire up your VA machine, it’s time to go, even if I would strongly recommend you ask for help (either internal or external). In the case of an external assessment, the company that you are dealing with must sign a Non-Disclosure Agreement (NDA), because they will see security issues that should not be divulged. I also suggest you give the testers all the information you can about your company infrastructure: no one tells you this clearly, but if they go in blind, there’s a risk that they break some appliances, and since they didn’t know what kind of asset they were dealing with, it’s your fault.
The purpose of this step is to compile an exhaustive list of an application’s vulnerabilities. Security analysts evaluate the security of apps, servers, and other systems by scanning them using automated technologies or by manually testing and analyzing them. Additionally, analysts use vulnerability databases, vendor vulnerability notifications, asset management systems, and threat intelligence feeds to uncover security flaws.
The purpose of this phase is to discover the underlying cause and origin of the vulnerabilities identified in the first step.
It entails identifying the system components accountable for each vulnerability and the vulnerability’s fundamental cause. For example, an outdated version of an open source library might be the underlying cause of a vulnerability. This gives a clear avenue for repair – the library’s upgrade.
The purpose of this phase is to rank vulnerabilities by importance. It entails security experts awarding a ranking or severity score to each vulnerability based on the following criteria:
The purpose of this phase is to close security holes. Typically, security personnel, development teams, and operations teams collaborate to find the most effective method of repair or mitigation of each risk.
Specific corrective measures may include the following:
VA cannot be a one-time occurrence. Organizations must operationalize and regularly repeat this process for it to be successful. DevSecOps, the practice of fostering collaboration between security, operations, and development teams, is equally crucial.
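The four VA steps described above (identification, root cause, prioritization, remediation) can be made repeatable with a small amount of tooling. The script below is an added example, not the book’s material or any vendor’s product: it matches a constructed asset inventory against a constructed advisory feed, records the root cause of each finding (an outdated package and the version that fixes it), scores findings by advisory severity adjusted for asset exposure and data sensitivity, and emits an ordered remediation plan. Advisory IDs are placeholders rather than real CVE numbers, and the scoring weights are an assumption for the example.

```python
"""Minimal vulnerability assessment workflow: identify, trace root cause,
prioritize, plan remediation.

Added example, not the book's own material. Inventory and advisory feed are
constructed sample data; advisory IDs are placeholders, not real CVE numbers.
The scoring weights are an assumption for the example.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    handles_personal_data: bool
    packages: dict  # package name -> installed version string


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ID, constructed for the example
    package: str
    fixed_in: str      # first version that is not affected
    base_score: float  # CVSS-like 0-10 severity from the advisory source


@dataclass
class Finding:
    asset: str
    advisory_id: str
    package: str
    installed: str
    fixed_in: str
    base_score: float
    priority: float = 0.0

    def root_cause(self):
        # Step 2: the component responsible and why it is vulnerable.
        return f"{self.package} {self.installed} is older than fixed version {self.fixed_in}"

    def remediation(self):
        # Step 4: the concrete corrective action.
        return f"upgrade {self.package} to {self.fixed_in} on {self.asset}"


def identify(assets, advisories):
    """Step 1: match every installed package against the advisory feed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset.packages.get(adv.package)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append(Finding(asset.name, adv.advisory_id, adv.package,
                                        installed, adv.fixed_in, adv.base_score))
    return findings


def prioritize(findings, assets):
    """Step 3: rank by advisory severity adjusted for exposure and data sensitivity."""
    by_name = {a.name: a for a in assets}
    for f in findings:
        asset = by_name[f.asset]
        score = f.base_score
        if asset.internet_facing:
            score += 2.0           # reachable by anyone on the internet
        if asset.handles_personal_data:
            score += 1.0           # a breach would carry regulatory impact
        f.priority = round(min(score, 10.0), 1)
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def remediation_plan(assets, advisories):
    """Run identify -> prioritize and return ordered (priority, action, cause)."""
    ranked = prioritize(identify(assets, advisories), assets)
    return [(f.priority, f.remediation(), f.root_cause()) for f in ranked]


# Constructed sample inventory and advisory feed (not real data).
ASSETS = [
    Asset("web-01", internet_facing=True, handles_personal_data=True,
          packages={"openssl": "1.1.1", "nginx": "1.18.0"}),
    Asset("batch-01", internet_facing=False, handles_personal_data=False,
          packages={"openssl": "1.1.1", "libxml2": "2.9.4"}),
]
ADVISORIES = [
    Advisory("ADV-0001", "openssl", fixed_in="1.1.2", base_score=7.5),
    Advisory("ADV-0002", "libxml2", fixed_in="2.9.10", base_score=5.5),
    Advisory("ADV-0003", "nginx", fixed_in="1.18.0", base_score=9.8),  # already patched
]

if __name__ == "__main__":
    for priority, action, cause in remediation_plan(ASSETS, ADVISORIES):
        print(f"[{priority:>4}] {action}  <- {cause}")
```

Note that the same OpenSSL finding is ranked differently on the two hosts purely because of asset context; that is the point of the prioritization step, and it is why the inventory needs exposure and data-sensitivity attributes, not just package lists. Re-running the script on each inventory refresh is the “operationalize and repeat” part.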
The purpose of VA tools is to automatically detect new and current threats that potentially attack your application. Examples of instruments include the following:
PT (short for Penetration Testing, or Pentesting) involves approved, simulated attacks undertaken to assess the security of a computer system. Penetration testers use the same tools, strategies, and procedures as attackers to identify and illustrate the commercial repercussions of a system’s vulnerabilities. Typically, PT replicates a number of attacks that could potentially affect a company. It can determine whether a system is resilient enough to survive attacks from authenticated and unauthenticated positions, as well as from a variety of system roles. With the appropriate scope, PT may probe every facet of a system.
Ideally, software and systems would be created with the intention of avoiding serious security vulnerabilities. PT gives insight into the extent to which this objective was met. PT may help a company do the following:
Depending on the objectives of PT, testers are granted varying degrees of access to or knowledge about the target system. In certain instances, the PT team adopts a single strategy from the outset. Occasionally, the testing team modifies its approach as its understanding of the system grows throughout PT. There are three access levels for PT:
Penetration testers imitate assaults by adversaries with malicious intent. To do this, they normally implement the following steps:
An exhaustive approach to PT is required for optimum risk management. This requires testing every aspect of the environment:
As the frequency and severity of security breaches continue to rise, companies have never had a greater need for insight into their ability to resist assaults. For compliance with regulations such as the PCI DSS and HIPAA, frequent PT is required. Keeping these factors in mind, the following are the advantages and disadvantages of this sort of defect-finding approach.