In Lecture 13, we delve into the organizational controls specified in the 2022 edition of ISO/IEC 27002. These controls are fundamental to maintaining cybersecurity within an organization. This article provides a detailed breakdown of key points discussed, emphasizing the importance of these controls and their implementation.
Key Concepts

Organizational Controls

Definition: Organizational controls are policies, procedures, and governance structures that ensure effective management of information security within an organization.

Importance: These controls are fundamental to the operation of an Information Security Management System (ISMS).
ISO/IEC 27002 Categories
The 2022 edition of ISO/IEC 27002 specifies 37 controls, covering various aspects of information security management. Key categories include:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls

Detailed Breakdown

Information Security Policies

Definition: Policies that define the overall approach to managing information security.

Requirements: According to ISO/IEC 27002, these policies should be defined, approved by management, published, communicated, and reviewed regularly.

Key Components:

- Cybersecurity Definition: Clear definition and scope of cybersecurity.
- Security Objectives and Principles: Organizational objectives and guiding principles for security activities.
- Topic-Specific Policies: Detailed policies addressing specific areas such as access control, information transfer, and network security.

Roles and Responsibilities

Definition: Clearly defined roles and responsibilities for managing information security within the organization.

Importance: Ensures that everyone understands their role in maintaining security and that responsibilities are appropriately assigned.
Segregation of Duties
Definition: Dividing responsibilities among different individuals to reduce the risk of errors and fraud.

Implementation: Ensuring that no single individual has control over all aspects of any critical security process.
Management Responsibilities
Definition: Management's role in supporting and overseeing information security activities.

Requirements: Management should actively support security initiatives, allocate resources, and ensure compliance with security policies.
Examples of Organizational Controls

Addressing Information Security within Supplier Agreements

Control Description: Processes and procedures should be defined to manage information security risks associated with suppliers.

Guidance:

- Supplier Evaluation: Assess suppliers based on the sensitivity of the services they provide.
- Monitoring Compliance: Ensure suppliers adhere to established cybersecurity requirements.
- Cloud Services: Include specific provisions for the security of cloud services.

Classification of Information

Control Description: Information should be classified according to confidentiality, integrity, availability, and relevant interested party requirements.

Guidance:

- Policy on Classification: Establish and disseminate a policy on information classification.
- Ownership Responsibility: Assign information classification responsibilities to information owners.
- Labeling Information: Develop procedures for labeling information according to its classification.

Privacy and Protection of Personally Identifiable Information (PII)

Control Description: The organization should identify and meet requirements for preserving privacy and protecting PII.

Guidance:

- Legislation Compliance: Ensure compliance with privacy laws and regulations.
- Role of Privacy Officer: Appoint a Privacy Officer to oversee privacy-related activities and provide guidance.
- Consent and Transparency: Ensure that individuals give consent for their data to be stored and processed.

Collection of Evidence

Control Description: Establish procedures for identifying, collecting, acquiring, and preserving evidence related to information security events.

Guidance:

- Jurisdictional Requirements: Consider legal requirements to ensure evidence is admissible in court.
- Evidence Integrity: Maintain the integrity of evidence to show it has not been tampered with.
- System Integrity: Ensure the system from which evidence is gathered was operating correctly.

Practical Applications

Developing Security Policies

Scenario: A company needs to establish a comprehensive information security policy.

Actions:

- Top-Level Policy: Draft a high-level security policy that aligns with business strategy and legal requirements.
- Topic-Specific Policies: Create detailed policies on specific security topics, such as access control and network security.
- Regular Reviews: Implement a schedule for reviewing and updating policies.

Managing Supplier Security

Scenario: An organization relies on multiple suppliers for critical services.

Actions:

- Supplier Risk Assessment: Evaluate the security practices of each supplier.
- Security Requirements: Include security clauses in supplier agreements.
- Ongoing Monitoring: Regularly assess supplier compliance with security requirements.

Relevant Standards and Publications

ISO/IEC 27002

Standard: ISO/IEC 27002 provides guidelines for implementing security controls to protect information assets.

Clauses to Review:

- Clause 5.1: Security policies.
- Clause 5.2: Organizational roles and responsibilities.
- Clause 8: Technological controls.

NIST Special Publication 800-53

Document: National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 (Rev 5), 2020.

Chapter to Review: Chapter 2 (pp. 7–15) for an overview of security controls, including those for protecting information processing resources.
Book References for Further Reading
“Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton
- Provides a foundational understanding of information security management, including measures to implement organizational controls effectively.
“Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
- Discusses practical approaches to managing security risks, integrating broader principles that complement the implementation of organizational controls.
“Cybersecurity and Cyberwar: What Everyone Needs to Know” by P.W. Singer and Allan Friedman
- Offers a broader context for understanding cybersecurity principles, including the various types of organizational controls and how to implement them.
“Network Security Essentials: Applications and Standards” by William Stallings
- Covers key concepts in network security, including methods to implement and manage organizational controls effectively.
Lecture 13 emphasizes the importance of implementing organizational controls to maintain cybersecurity within an organization. These controls include security policies, roles and responsibilities, segregation of duties, and management responsibilities. The ISO/IEC 27002 standard provides detailed guidance on these controls, which are fundamental to the operation of an Information Security Management System (ISMS). The recommended books and standards offer further insights and practical guidance on implementing these controls within an organizational context.