ISO 27002 2013 to 2022 mapping
On February 15th, the International Organization for Standardization (ISO), published the latest update to “ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls”. This latest standard is available for personal use from their site on ISO.org for CHF 198 (Swiss Francs) or, if you prefer, US dollars, $200, at the ANSI.org webstore. I’ll also simply refer to it as ISO 27002 as most people do.
I’ve been working with ISO 27002 controls since the 2005 version. It’s always interesting to see the changes that are made and what I need to adjust to adhere to the framework. Unfortunately, this also means that many organizations’ policies and procedures have to be updated. ISO 27002:2013 was mostly the same as the 2005 version, except that it removed the controls around Risk Assessment and Treatment. This time the changes are much more drastic, and in short they are:
ISO 27002:2013 had 114 controls over 14 control domains.
ISO 27002:2022 reorganized this into 93 controls with a taxonomy of 4 primary categories (referred to as clauses):
Organizational Controls – 37 controls (the catchall clause)
People Controls – 8 controls (these deal with individual people, such as background checks)
Physical Controls – 14 controls (these refer to physical objects, such as data centers and backup media)
Technological Controls – 34 controls (these are concerned with information security technology, such as access rights and authentication)
When I initially looked at this, I liked how it looked like how HIPAA was broken down into Administrative, Physical, and Technical. This simplification makes talking to non-security folk much easier, though of course, the very detailed controls are still in place.
Another big change is the inclusion of Attribute tables for each control. These are defined in Appendix A and, in general, tell you whether the control is preventative, detective, or corrective; whether it deals with Confidentiality, Integrity, or Availability; and which Cybersecurity concepts it covers: Identify, Protect, Detect, Respond, or Recover. Oh hey, those are the NIST CSF functions!
Many of the controls were merged between 2013 and 2022 where it made sense. When reviewing the changes in ISO 27002:2022, it became clear that controls that were previously “near” each other have been moved all over the place. I decided to use Appendix B (included in the standard) to map out where the controls from ISO 27002:2013 were moved to in this latest version.
Additionally, I found that although no controls were dropped altogether, 11 new controls were added, showing that the ISO 27002 framework continues to evolve and include current technologies and security concepts. These new controls are listed in Table 1 below, and it is clear they cover more recent security technologies.
For the most part, there is a “Many to 1” mapping. This means that each 2013 control maps into a single 2022 control. Sometimes multiple 2013 controls map into a single 2022 control as it combined similar concepts into a single control. This is the merging I referenced earlier. The map shows for each 2013 control where to find it in 2022, but also for each 2022 control which 2015 controls are included. I like to keep my policies very obviously aligned with the framework, so they are trivially auditable, and this map will help me re-use my 2013 documents.
This mapping is provided in the linked “ISO 27002 2013-2022 MAP (Annex B).xlsx” file. As we all move our tools and documentation from ISO 27002:2013 to ISO 27002:2022, hopefully the mapping will be useful to help guide you in this process and maybe shorten the time it takes you to migrate to the latest and greatest.
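To make the many-to-one relationship concrete for a policy migration, here is an added Python example. It is not the article’s spreadsheet and the rows in it are not the real Annex B data: SAMPLE_CSV is a constructed placeholder in an assumed column layout (one row per 2013 control, a blank 2013 column for a control that is new in 2022), and only the new-control IDs 5.7 and 8.9 with their names are taken from Table 1. The code builds the forward map (2013 → 2022) and the reverse map (2022 → the 2013 controls merged into it), lists the 2022 controls with no predecessor, rejects a file in which a 2013 control is mapped twice, and shows which 2022 controls a policy citing 2013 controls should now reference.

```python
"""Forward and reverse control maps from an Annex B style export.

Added example, not the article's "ISO 27002 2013-2022 MAP (Annex B).xlsx".
SAMPLE_CSV is CONSTRUCTED to show the shape of the data; it is not the
real Annex B mapping.
"""
import csv
import io

# Constructed sample rows in an assumed column layout.
SAMPLE_CSV = """\
control_2013,control_2022,name_2022
9.1.1,5.15,Access control
9.1.2,5.15,Access control
11.1.1,7.1,Physical security perimeters
,5.7,Threat intelligence
,8.9,Configuration management
"""


def control_key(control_id):
    """Sort key so that 5.7 sorts before 5.15 (plain string order would not)."""
    return tuple(int(part) for part in control_id.split("."))


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_maps(rows):
    """Return (forward, reverse, names).

    forward: 2013 id -> the single 2022 id it moved to
    reverse: 2022 id -> 2013 ids merged into it, in numeric order ([] if new)
    names:   2022 id -> control name
    Raises ValueError if one 2013 control is filed under two 2022 controls,
    which would break the many-to-one property the mapping relies on.
    """
    forward, reverse, names = {}, {}, {}
    for row in rows:
        old = row["control_2013"].strip()
        new = row["control_2022"].strip()
        names[new] = row["name_2022"].strip()
        reverse.setdefault(new, [])
        if not old:
            continue  # new in 2022: no 2013 predecessor
        if old in forward:
            if forward[old] == new:
                continue  # duplicate row, harmless
            raise ValueError(f"2013 control {old} maps to both {forward[old]} and {new}")
        forward[old] = new
        reverse[new].append(old)
    for ids in reverse.values():
        ids.sort(key=control_key)
    return forward, reverse, names


def merged_controls(reverse):
    """2022 controls that absorbed more than one 2013 control."""
    return {new: olds for new, olds in reverse.items() if len(olds) > 1}


def new_controls(reverse):
    """2022 controls with no 2013 predecessor, in numeric order."""
    return sorted((new for new, olds in reverse.items() if not olds), key=control_key)


def policy_sections_to_revisit(forward, policy_refs):
    """Given the 2013 control ids cited by an existing policy, return the
    2022 ids it should now cite and any cited ids absent from the map
    (usually a typo in the policy or a stale draft)."""
    moved = sorted({forward[ref] for ref in policy_refs if ref in forward}, key=control_key)
    unknown = sorted(ref for ref in policy_refs if ref not in forward)
    return moved, unknown


if __name__ == "__main__":
    fwd, rev, nm = build_maps(load_rows(SAMPLE_CSV))
    for new in sorted(rev, key=control_key):
        print(new, nm[new], "<-", rev[new] or "NEW in 2022")
```

Run against a CSV export of the real Annex B sheet, the same functions give the full merge list and the list of new controls, and the ValueError check catches a hand-edited sheet that accidentally files one 2013 control in two places.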
Table 1 – New controls in ISO 27002:2022

| # | Control ID | Control Name |
|---|---|---|
| 1 | 5.7 | Threat intelligence |
| 2 | 5.23 | Information security for use of cloud services |
| 3 | 5.30 | ICT readiness for business continuity |
| 4 | 7.4 | Physical security monitoring |
| 5 | 8.9 | Configuration management |
| 6 | 8.10 | Information deletion |
| 7 | 8.11 | Data masking |
| 8 | 8.12 | Data leakage prevention |
| 9 | 8.16 | Monitoring activities |
| 10 | 8.23 | Web filtering |
| 11 | 8.28 | Secure coding |
CISOs are still chiefs in name only
Look around the CISO community, and you’ll find signs of burnout everywhere. Where CISOs aren’t just quitting, you’ll find increasing tension between them and their executives, sometimes resulting in surprising departures. Ply a friendly CISO with their favorite alcoholic beverage and a promise of being off-the-record, and you’ll hear stories that’ll raise your hackles: CISOs prodded to mislead the Board, CISOs summarily dismissed when pointing out security issues, CISOs that other executives won’t talk to, security projects committed and then defunded.
How attackers sidestep the cyber kill chain
The idea of the cyber kill chain was first developed by Lockheed Martin more than a decade ago. The basic idea is that attackers perform reconnaissance, find vulnerabilities, get malware into victim systems, connect to a command-and-control (C2) server, move laterally to find juicy targets, and finally exfiltrate the stolen data.
Attackers can be caught at any point in this process and their attacks thwarted, but this framework missed many types of attacks right from the start. Today it is becoming even less relevant. “The cyber kill chain was a great way to break down the classic steps in a breach,” says Michael Salihoglu, cybersecurity managing consultant at Crowe, a public accounting, consulting, and technology firm. It was also a useful tool for defenders to help them come up with strategies to stop the attacks at each point in the chain.
CVE-2021-24952
The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.
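The advisory names the three missing steps (sanitise, validate, escape) for a request parameter that ends up in SQL. The following is an added illustration in Python with sqlite3 of the same defect class and its fix; it is not the plugin’s PHP code, and the table name, column names and the meaning of the parameter (a batch number for a sync job) are assumptions for the demo. In a WordPress plugin the corresponding fix is a capability and nonce check on the AJAX handler plus `$wpdb->prepare()` for the query.

```python
"""Request parameter reaching SQL: concatenation vs validate-then-bind.

Added illustration (Python/sqlite3), NOT the plugin's code. Table, columns
and the parameter's meaning are assumptions for the demo.
"""
import re
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for a plugin's sync state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sync_progress (batch INTEGER PRIMARY KEY, synced INTEGER)")
    conn.executemany("INSERT INTO sync_progress VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    return conn


def build_query_unsafe(param):
    """The defect class in the advisory: the raw request value is pasted
    into the SQL text, so its characters become part of the statement."""
    return f"SELECT synced FROM sync_progress WHERE batch = '{param}'"


def run_unsafe(conn, param):
    """Execute the concatenated query. Returns ('ok', value) or
    ('sql_error', message). A SQL error on a value that merely contains a
    quote is the tell-tale that request data is being parsed as SQL."""
    try:
        row = conn.execute(build_query_unsafe(param)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


BATCH_RE = re.compile(r"[0-9]{1,9}")


def validate_batch(param):
    """Validate: the parameter is supposed to be a batch number, so reject
    anything else before it gets near the database."""
    if not isinstance(param, str) or not BATCH_RE.fullmatch(param):
        raise ValueError("batch must be a positive integer")
    return int(param)


def synced_for_batch(conn, param):
    """Hardened path: validate, then bind the value through a placeholder so
    the driver never lets it alter the statement's structure."""
    batch = validate_batch(param)
    row = conn.execute("SELECT synced FROM sync_progress WHERE batch = ?", (batch,)).fetchone()
    return row[0] if row else None


def is_rejected(conn, param):
    """True if the hardened path refuses the value before any SQL runs."""
    try:
        synced_for_batch(conn, param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("unsafe, plain value:", run_unsafe(db, "2"))
    print("unsafe, value with a quote:", run_unsafe(db, "2'"))
    print("hardened, plain value:", synced_for_batch(db, "2"))
    print("hardened, value with a quote rejected:", is_rejected(db, "2'"))
```

Of the three steps the advisory lists, validation does most of the work here: once the handler only accepts a short digit string, escaping is moot, and the placeholder binding is the backstop for any parameter that cannot be constrained that tightly.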
CVE-2021-24826
The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Please note that such an attack is still possible for Admin+ users in single-site blogs by default (but will not be when unfiltered_html is disallowed).
CVE-2021-24825
The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess, etc.), as well as perform Local File Inclusion attacks, as PHP files will be executed. Please note that such an attack is still possible for Admin+ users in single-site blogs by default (but will not be when either unfiltered_html or file_edit is disallowed).
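The advisory describes a shortcode that loads whatever file name it is given. As an added illustration, not the plugin’s code, here is a Python loader that applies the two checks such a shortcode needs: it resolves the requested path and requires it to stay inside one content directory (rejecting traversal, absolute paths and symlinks pointing elsewhere, which keeps logs and .htaccess out of reach), and it allowlists file types so that .php files are never read or handed to anything that might execute them. The content directory, the allowed suffixes and the fixture files are assumptions constructed for the demo.

```python
"""Loading a file named by shortcode/request input without LFI.

Added illustration in Python, NOT the plugin's code. Assumes the shortcode
is only meant to show static content from one directory.
"""
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".txt", ".md", ".html"}  # assumption: static content only


def safe_load(content_dir, requested):
    base = Path(content_dir).resolve()
    # Path joining discards `base` when `requested` is absolute, so an absolute
    # path ends up outside `base` and fails the containment check below.
    target = (base / requested).resolve()
    if base not in target.parents:
        raise PermissionError(f"{requested!r} escapes the content directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"{requested!r}: file type not permitted")
    return target.read_text(encoding="utf-8")


def make_fixture():
    """Constructed directory tree: a content dir holding a text file and a
    PHP file, plus a sensitive file one level above it."""
    root = Path(tempfile.mkdtemp())
    content = root / "content"
    content.mkdir()
    (content / "notes.txt").write_text("hello", encoding="utf-8")
    (content / "run.php").write_text("<?php echo 1; ?>", encoding="utf-8")
    (root / ".htaccess").write_text("deny from all", encoding="utf-8")
    return root


def is_blocked(content_dir, requested):
    """True if the loader refuses the request."""
    try:
        safe_load(content_dir, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_fixture()
    cdir = str(root / "content")
    print("notes.txt ->", safe_load(cdir, "notes.txt"))
    for req in ["../.htaccess", "run.php", str(root / ".htaccess")]:
        print(req, "blocked:", is_blocked(cdir, req))
```

Resolving both the base and the target before comparing is what makes the containment check reliable: a request that never references `..` can still escape through a symlink, and a base directory that is itself a symlink (as /tmp is on some systems) would otherwise never match.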
CVE-2021-24824
The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1 allows authenticated users with a role as low as Contributor to access arbitrary post metadata. This could lead to sensitive data disclosure; for example, when used in combination with WooCommerce, the email addresses of orders can be retrieved.