ISO 27001, the International Standard for Information Security Management Systems (ISMS), is one of the most popular and fastest growing ISO requirements or certification standards in the world. However, it is accompanied by over 60 other standards in the ISO 27000 information security family. In URM’s opinion, one of the most valuable, versatile and often overlooked standards is ISO/IEC 27002:2022, titled ‘Information security, cybersecurity and privacy protection — Information security controls’. In this blog, we aim to provide an overview of the key aspects of the Standard, including the new ‘attributes’, and to explain how your organisation can use ISO 27002 to best effect to improve its information security practices.
What is ISO 27002?
The first thing to note is that ISO 27002 is a guidance standard, not a requirements standard. No certification can be achieved against it; instead, it works alongside the ISO 27001 certification Standard. ISO 27002 provides a perfect reference for those organisations looking for practical guidance on determining and implementing information security controls from Annex A of ISO 27001.
ISO 27002 has been designed to be applicable to organisations of all types and sizes and to help them determine and implement information security controls. The ISO 27001 Annex A Controls are widely regarded as a summary of industry best practices or measures which assist you in protecting your information assets. However, some organisations may be unsure which controls are appropriate and relevant to them, and this is where ISO 27002 comes in. It helps you determine which controls are applicable to you by categorising them within different themes and attributes before going on to advise on implementing the controls.
The information security controls within ISO 27002:2022 are split into 4 main clauses (5-8) which are aligned with the 4 themes identified in Annex A – ‘Information security controls reference’ of ISO 27001. The 4 themes are ‘People’ for the controls that concern personnel, ‘Physical’ if the controls concern physical objects, ‘Technological’ if they concern technology, and ‘Organisational’ for all remaining controls.
In addition, within ISO 27002 there are also 5 attributes associated with each control. These attributes are: Control types, Information security properties, Cybersecurity concepts, Operational capabilities and Security domains.
Purpose of the ISO 27002 Attributes
The purpose of the ISO 27002 attributes is to enhance and facilitate the implementation, assessment and comparison of security controls within an organisation's information security management system (ISMS). The framework of control attributes can help organisations categorise, manage and interpret information security controls more effectively by providing additional context and allowing controls to be aligned with organisational goals, risk management practices and compliance needs.
- With the Control types attribute, you can classify the role and function of the security control in terms of its action or nature. As an example, with information security incidents, you can identify which controls are preventive, detective and corrective when dealing with an incident. By understanding the control type, organisations are better able to implement a balanced approach to security, ensuring they can prevent, detect, and respond to incidents appropriately.
- The Information security properties attribute aligns each control with the fundamental information security principles of confidentiality, integrity and availability (CIA). This attribute helps organisations to choose controls that meet specific security objectives based on the nature of the information being protected, and to ensure those controls align with key business requirements. To learn more about these principles, see our blog on What is the CIA Security Triad? Confidentiality, Integrity, and Availability Explained.
- The Cybersecurity concepts attribute is aligned with the NIST Cybersecurity Framework, and helps organisations map controls to different phases of cybersecurity, such as identify, protect, detect, respond and recover, with the goal of ensuring comprehensive coverage across the entire incident lifecycle.
- The Operational capabilities attribute emphasises the organisational context and helps align controls with the capabilities that are necessary to manage and operate a secure environment. It lists the operational activities or practices that a control can be linked with, so that controls can be viewed from an organisational perspective: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management and information security assurance.
- The Security domains attribute has four values which together provide a comprehensive approach to information security, covering protection measures, defence against threats, recovery strategies, and oversight of security practices across internal and external environments. Protection ensures proactive measures are in place to prevent data loss or compromise. Defence focuses on safeguarding against attacks by implementing defensive layers of security. Resilience ensures the organisation can recover quickly from disruptions and minimise damage, whilst Governance and Ecosystem ensures security is properly managed, including relationships with third parties, and aligns with organisational and regulatory requirements.
ISO 27002 uses the above 5 attributes because they are considered generic and can, therefore, fit all types of organisations.
How can attributes be applied?
How, then, are these attribute values applied to the controls? We will use the example of Annex A Control 6.3 Information security awareness, education and training, as this control has universal appeal to virtually every organisation. In ISO 27001 and ISO 27002, Control 6.3 sits within the ‘People’ themed controls. Its ‘Control type’ attribute value is ‘Preventive’, as ensuring that personnel are aware of and trained in information security is a means of preventing information security incidents from occurring. Its ‘Information security properties’ values include ‘Confidentiality, Integrity and Availability’, as an organisation’s people will be exposed to corporate information that requires maintenance of its availability, its integrity and its confidentiality. The ‘Cybersecurity concepts’ attribute value of Control 6.3 is ‘Protect’, as staff play a pivotal role in protecting the organisation’s information assets and will require awareness and training on how best to carry out that role. The ‘Operational capabilities’ attribute value of Control 6.3 is ‘Human resource security’, which is to be expected of a ‘People’ themed control. The ‘Security domains’ attribute value for Control 6.3 is ‘Governance and Ecosystem’, as an organisation’s information security awareness, education and training programme forms a key part of its governance and risk management, and the individuals involved are stakeholders of the organisation’s information and therefore part of the information security ecosystem.
What is the value of ISO 27002?
Whilst ISO 27001 simply defines the requirements for an ISMS that is conformant to the Standard, ISO 27002 provides guidance on the implementation of the Annex A Controls from ISO 27001, describing what each control is and its purpose, and explaining how and why a control should be implemented. The control attributes table included in ISO 27002 can significantly lighten the load when it comes to determining the relevance and applicability of different controls, and when selecting those that are found to be relevant. The attributes can be used in conjunction with each other to create a shortlist of controls that you can implement to meet a given purpose. For example, if you are looking to increase your defences against confidentiality-related attacks, combining the ‘Preventive’ control type with the ‘Confidentiality’ property will provide you with a more focused list of controls for consideration. Attributes can also be used should you want to check the balance of your established controls; for example, you can use them to check whether you have implemented adequate controls to detect information security events and not just those to prevent information security incidents.
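To make the attribute tagging of Control 6.3 described above, the shortlisting by combined attributes and the balance check concrete, here is a small control register in Python. It is an added example, not code from URM or from the standard: the row for Control 6.3 is tagged exactly as the blog describes it, while the other rows and their attribute values are constructed for illustration and should be checked against the attributes table in ISO 27002:2022 itself before being relied on.

```python
from collections import Counter
from dataclasses import dataclass
ATTRIBUTES = ("control_types", "properties", "concepts", "capabilities", "domains")
CIA = {"Confidentiality", "Integrity", "Availability"}

@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    theme: str  # Annex A theme: People / Physical / Technological / Organisational
    control_types: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset

def ctl(ref, name, theme, *attrs):
    """Build a Control from plain sets given in ATTRIBUTES order."""
    return Control(ref, name, theme, *(frozenset(a) for a in attrs))

# Constructed sample register: 6.3 is tagged exactly as the blog describes it; the other
# rows are illustrative and should be checked against the attributes table in ISO 27002.
REGISTER = [
    ctl("5.1", "Policies for information security", "Organisational",
        {"Preventive"}, CIA, {"Identify"}, {"Governance"},
        {"Governance and Ecosystem", "Resilience"}),
    ctl("5.24", "Information security incident management planning and preparation",
        "Organisational", {"Corrective"}, CIA, {"Respond", "Recover"},
        {"Governance", "Information security event management"}, {"Defence"}),
    ctl("6.3", "Information security awareness, education and training", "People",
        {"Preventive"}, CIA, {"Protect"}, {"Human resource security"},
        {"Governance and Ecosystem"}),
    ctl("8.13", "Information backup", "Technological", {"Corrective"},
        {"Integrity", "Availability"}, {"Recover"}, {"Continuity"}, {"Protection"}),
    ctl("8.16", "Monitoring activities", "Technological", {"Detective", "Corrective"},
        CIA, {"Detect", "Respond"}, {"Information security event management"}, {"Defence"}),
]

def shortlist(register, **wanted):
    """Refs of controls carrying every requested attribute value (AND across keywords)."""
    unknown = set(wanted) - set(ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    return [c.ref for c in register
            if all(v in getattr(c, a) for a, v in wanted.items())]

def control_type_balance(register):
    """Count Preventive / Detective / Corrective tags to spot an unbalanced control set."""
    return Counter(t for c in register for t in c.control_types)
```

Calling `shortlist(REGISTER, control_types="Preventive", properties="Confidentiality")` gives the focused list the text describes, and `control_type_balance(REGISTER)` shows at a glance whether detective controls are under-represented compared with preventive ones.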
Different ways of using ISO 27002
There are a number of different ways that ISO 27002 can be utilised. As discussed above, its primary purpose is to guide your implementation of the Annex A Control set from ISO 27001. For example, the opening organisational control, 5.1 Policies for information security, states that an information security policy and topic-specific policies should be defined; however, many organisations may struggle to determine which topic-specific policies are required beyond their information security policy. Within the guidance for Control 5.1, ISO 27002 lists several examples of topics that could be considered within a documented policy, such as access control, asset management, network security, backup, and information classification and handling. This guidance not only provides practical examples of the type of information security policies required, but also encourages the organisation to consider whether a topic-specific policy is required or whether the topic is already incorporated elsewhere.
Internal and external auditors of ISMSs can also use ISO 27002 to their advantage, particularly if they are auditing an ISO 27001 certified ISMS. The guidance provided for each Annex A Control can be used by auditors to develop questions to ask during an audit, especially if the auditee has struggled to fully understand the importance of the control, or has implemented a control based on previous experience without considering a more holistic approach.
ISO 27002 can also act as a guide for continual improvement of your organisation’s ISMS by considering the ‘other information’ guidance for the implementation and management of the Annex A Controls. You may not consider the ‘other information’ sections in the early stages of maintaining an ISMS, but, along with the performance evaluation, the additional guidance can provide opportunity to develop and enhance the effectiveness of an organisation’s ISMS after it has been established.
Using the attributes table provided in ISO 27002, you can also consider and categorise the controls through an alternative lens to the 4-theme approach used in Annex A of ISO 27001, which may be more useful and relevant to your organisation’s unique needs. For example, if your organisation prefers to be less risk averse, then you may choose to focus more on the controls with a control type of ‘Corrective’. These alternative categories for the controls may prove beneficial when delivering feedback to senior management, who potentially require less detail about the controls but are responsive to a set of control types or cybersecurity concepts.
Closing thoughts
ISO 27002 is an extremely valuable tool for any organisation looking to establish and implement an ISO 27001-conformant/certified ISMS. While ISO 27001 is focused on defining what you need to have in place to conform to the Standard, ISO 27002 works in conjunction with this by providing further information on how conformance can be achieved. As well as providing implementation guidance that is informed by best practice, ISO 27002 can assist you to select appropriate and applicable controls, and to effectively manage controls after they have been implemented. As such, we would always strongly recommend purchasing ISO 27002 and thoroughly considering its guidance in your efforts to achieve and maintain ISO 27001 certification.
How URM can help
Consultancy
Whilst ISO 27002 contains useful guidance that will be of great assistance in your efforts to conform or certify to ISO 27001, many organisations find benefit in enlisting the help of an ISO 27001 consultant to support their development, establishment, implementation and maintenance of an ISMS that is conformant to the requirements of ISO 27001. Having assisted over 400 organisations to achieve and maintain certification to ISO 27001 over the previous 2 decades, without a single failed certification project, URM is ideally positioned to offer advice, guidance and practical support as you look to conform or certify to the Standard.
Our ISO 27001 consultants can assist with every stage of an ISMS’s development, including conducting a gap analysis of your current security practices against the Standard’s requirements and identifying any areas which need further attention. Using our proven risk assessment tool, Abriska 27001, we can also help you to conduct your risk assessment, identifying potential threats to your information assets and the likelihood and impact of them occurring. Once the risk assessment is complete, URM’s consultant will work with you to develop and implement policies, processes and ISMS infrastructure which balance the requirements of the Standard with your organisation’s culture and requirements.
Once your ISMS has been implemented, our consultants can conduct an ISO 27001 internal audit on your behalf as a final check of its effectiveness, functionality and conformance to the Standard ahead of any external assessments. URM also offers a range of audit services, including the planning and implementing of a full 3-year ISO 27001 audit programme, and conducting more specific audits against any aspect of the ISMS or specific controls.
Training
As well as our consultancy services, URM has a long history of delivering information security training and is one of the UK’s most trusted training providers. For those at the beginning of their ISO 27001 journey, our Introduction to ISO 27001 Course provides essential guidance on the Standard and on improving information security more generally. Meanwhile, if you are looking to transition an ISMS to the 2022 version of ISO 27001, URM’s ISO/IEC 27001:2022 Transition Course will explore changes to the Standard in its latest iteration and how to transition. This is complemented by our ISO 27002:2022 Control Migration Course, which covers the differences between ISO 27002:2013 and ISO 27002:2022, how to implement the new controls, updating your risk assessment and Statement of Applicability (SoA), and much more.