ISO/IEC 27002:2022
FEBRUARY 2022
ISO/IEC 27002
Third edition
2022-02
Information security, cybersecurity and privacy protection — Information security measures
Information security, cybersecurity and privacy protection — Information security controls
Reference number
ISO/IEC 27002:2022(F)
© ISO/IEC 2022
DOCUMENT PROTECTED BY COPYRIGHT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified or necessary in the context of its implementation, no part of this publication may be
reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, or broadcasting on the Internet
or on an intranet, without prior written authorization. Permission may be requested from ISO at the address below or from the ISO
member body in the applicant's country.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Tel.: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
Contents
Foreword .... vi
Introduction .... vii
1 Scope .... 1
2 Normative references .... 1
3 Terms, definitions and abbreviations .... 1
3.1 Terms and definitions .... 1
3.2 Abbreviations .... 6
4 Structure of this document .... 8
4.1 Clauses .... 8
4.2 Themes and attributes .... 8
4.3 Structure of the security measures .... 9
5 Organizational security measures .... 10
5.1 Information security policies .... 10
5.2 Functions and responsibilities related to information security .... 12
5.3 Segregation of duties .... 13
5.4 Management responsibilities .... 14
5.5 Contacts with the authorities .... 15
5.6 Contacts with specific interest groups .... 16
5.7 Threat intelligence .... 17
5.8 Information security in project management .... 18
5.9 Inventory of information and other associated assets .... 20
5.10 Proper use of information and other associated assets .... 22
5.11 Return of assets
5.12 Classification of information .... 24
5.13 Marking of information .... 25
5.14 Transferring information .... 27
5.15 Access control .... 29
5.16 Managing identities .... 31
5.17 Authentication information .... 33
5.18 Access rights .... 35
5.19 Information security in relations with suppliers .... 36
5.20 Information security in agreements with suppliers .... 39
5.21 Information security management in the ICT supply chain .... 41
5.22 Service provider monitoring, review and change management .... 43
5.23 Information security in the use of cloud services .... 44
5.24 Information security incident management planning and preparedness .... 47
5.25 Information security event assessment and decision making .... 49
5.26 Responding to information security incidents .... 49
5.27 Learning from information security incidents .... 50
5.28 Collecting evidence .... 51
5.29 Information security during a disruption .... 52
5.30 Preparing ICT for business continuity .... 53
5.31 Legal, statutory, regulatory and contractual requirements .... 54
5.32 Intellectual property rights .... 56
5.33 Protecting records .... 57
5.34 Protection of privacy and personal data .... 59
5.35 Independent review of information security .... 60
5.36 Compliance with information security policies, rules and standards .... 61
5.37 Documented operating procedures .... 62
6 Security measures applicable to people .... 63
6.1 Screening of candidates .... 63
6.2 Terms and conditions of employment .... 64
6.3 Information security awareness, education and training .... 66
6.4 Disciplinary process .... 67
6.5 Responsibilities after termination or change of employment .... 68
6.6 Confidentiality or non-disclosure agreements .... 69
6.7 Remote working .... 70
6.8 Reporting of information security events .... 72
7 Physical security measures .... 73
7.1 Physical security perimeters .... 73
7.2 Physical entry .... 74
7.3 Securing offices, rooms and facilities .... 76
7.4 Physical security monitoring .... 77
7.5 Protection against physical and environmental threats .... 78
7.6 Working in secure areas .... 79
7.7 Clear desk and clear screen .... 80
7.8 Siting and protection of equipment .... 81
7.9 Security of off-premises assets .... 82
7.10 Storage media .... 83
7.11 Supporting utilities .... 85
7.12 Cabling security .... 86
7.13 Equipment maintenance .... 87
7.14 Secure disposal or re-use of equipment .... 88
8 Technological security measures .... 89
8.1 User endpoint devices .... 89
8.2 Privileged access rights .... 91
8.3 Restriction of access to information .... 93
8.4 Access to source code .... 95
8.5 Secure authentication .... 96
8.6 Capacity management .... 97
8.7 Protection against malicious programs (malware) .... 99
8.8 Management of technical vulnerabilities .... 101
8.9 Configuration management .... 104
8.10 Deletion of information .... 106
8.11 Data masking .... 108
8.12 Data leakage prevention .... 110
8.13 Information backup .... 111
8.14 Redundancy of information processing facilities .... 113
8.15 Logging .... 114
8.16 Monitoring activities .... 117
8.17 Clock synchronization .... 119
8.18 Use of privileged utility programs .... 120
8.19 Installation of software on operational systems .... 121
8.20 Network security .... 122
8.21 Security of network services .... 123
8.22 Segregation of networks .... 125
8.23 Web filtering .... 126
8.24 Use of cryptography .... 127
8.25 Secure development life cycle .... 129
8.26 Application security requirements .... 130
8.27 Secure system architecture and engineering principles .... 132
8.28 Secure coding .... 134
8.29 Security testing in development and acceptance .... 137
8.30 Outsourced development .... 138
8.31 Separation of development, test and operational environments .... 139
8.32 Change management .... 141
8.33 Test information .... 142
8.34 Protection of information systems during audit testing .... 143
Annex A (informative) Use of attributes .... 145
Annex B (informative) Correspondence of ISO/IEC 27002:2022 (this document) with ISO/IEC 27002:2013 .... 156
Bibliography .... 164
Foreword
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission)
form the specialized system for global standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in areas of common interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its maintenance are described in
the ISO/IEC Directives, Part 1. In particular, note should be taken of the different approval criteria required
for the different types of ISO documents. This document has been drafted in accordance with the editorial
rules given in the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the fact that some of the elements of this document may be the subject of intellectual
property rights or similar rights. ISO and IEC shall not be liable for failing to identify such proprietary rights
and give notice of their existence. Details concerning references to intellectual property rights or other
similar rights identified during the preparation of the document are indicated in the Introduction and/or in
the list of patent declarations received by ISO (see www.iso.org/patents) or in the list of patent declarations
received by the IEC (see https://patents.iec.ch).
Any trade names mentioned in this document are given for information, for the convenience of users, and
do not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of specific ISO terms and expressions
related to conformity assessment, or for information about ISO's adherence to the World Trade
Organization (WTO) principles on Technical Barriers to Trade (TBT), see www.iso.org/iso/avant-propos. For the IEC,
see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This third edition cancels and replaces the second edition (ISO/IEC 27002:2013), which has been
technically revised. It also incorporates the Technical Corrigenda ISO/IEC 27002:2013/Cor. 1:2014 and
ISO/IEC 27002:2013/Cor. 2:2015.
The main changes are as follows:
— the title has been changed;
— the structure of the document has been modified, presenting the security measures with a simple
taxonomy and associated attributes;
— some security measures have been merged, others have been removed, and several new security
measures have been added. The full correspondence can be found in Annex B.
This French version of ISO/IEC 27002:2022 corresponds to the English version published on 2022-02 and
corrected on 2022-03.
The user should direct any feedback or questions regarding this document to the national standards body
in their country. A comprehensive list of such bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
0.1 History and context
This document has been designed for organizations of all types and sizes.
It is to be used as a reference document to determine and implement security measures for the treatment
of information security risks in an information security management system (ISMS) based on ISO/IEC
27001. It can also be used as a good practice guide for organizations determining and implementing
commonly accepted information security measures. In addition, this document is intended to be used
when developing information security management guidelines specific to organizations and industries,
taking into account their specific information security risk environment(s). Organization- or
environment-specific security measures other than those listed in this document can, if necessary, be
determined through the risk assessment.
Organizations of all types and sizes (including public and private sector, for-profit and not-for-profit)
create, collect, process, store, transmit and dispose of information in many forms, including electronic,
physical and verbal (for example, conversations and presentations).
The value of information goes beyond written words, numbers and images: knowledge, concepts, ideas
and brands are examples of intangible forms of information. In an interconnected world, information and
other related assets deserve or require protection against various sources of risk, whether natural,
accidental or deliberate.
Information security is achieved by implementing a set of appropriate security measures, including
policies, rules, processes, procedures, organizational structures, and hardware and software functions.
To achieve its business and security objectives, the organization should define, implement, monitor,
review, and improve these security measures as necessary. An information security management system
(ISMS) such as that specified in ISO/IEC 27001 captures the organization's information security risks
from a global and coordinated view, in order to determine and implement a comprehensive set of
information security measures within the overall framework of a coherent management system.
Many information systems, including their management and operations, were not designed to be secure
within the meaning of an information security management system as specified in ISO/IEC 27001 and
this document. The level of security that can be achieved by technical measures alone is limited, and
should be enhanced by appropriate organizational processes and management activities. Identifying the
appropriate security measures to put in place requires careful planning and attention to detail when
performing the risk treatment.
A successful information security management system requires buy-in from everyone in the organization.
It may also require the participation of other interested parties, such as shareholders or suppliers. Advice
from subject matter experts may also be required.
An appropriate, adequate and effective information security management system provides assurance to
the organization's leaders and other interested parties that their information and other associated assets
are sufficiently secure and protected against threats and damage, thereby enabling the organization to
achieve the targeted business objectives.
0.2 Information security requirements
It is essential for an organization to determine its information security requirements. There are three main
sources of information security requirements:
a) the organization's risk assessment, taking into account its overall business strategy and objectives. This
can be facilitated or supported by an information security risk assessment.
This should lead to the determination of the necessary security measures ensuring that the residual risks for the organization
correspond to its risk acceptance criteria;
b) the legal, statutory, regulatory and contractual requirements with which the organization and its interested parties (business
partners, service providers, etc.) must comply as well as their socio-cultural environment;
c) the set of principles, objectives and business requirements for all stages of the life cycle of
information that the organization has developed to support its operation.
0.3 Security measures
A security measure is defined as a measure that modifies or maintains a risk. Some of the security measures in this document are
means that modify the risks, while others maintain the risks. An information security policy, for example, only maintains the risks,
while compliance with the information security policy can modify the risks. Additionally, some security measures describe the same
generic measure in different risk contexts. This document proposes a generic combination of organizational, people-related,
physical and technological information security measures, derived from internationally recognized good practices.
0.4 Determination of security measures
The determination of the security measures depends on the decisions of the organization following a risk assessment, with a clearly
defined perimeter. Decisions about identified risks should be based on the risk acceptance criteria, risk treatment options and risk
management approach applied by the organization. The determination of security measures should also take into account all
relevant national and international laws and regulations. The determination of security measures also depends on how the security
measures interact with each other to provide defense in depth.
The organization can design security measures as needed, or identify them from any source. When specifying these security
measures, the organization should consider the resources and investments required to implement and operate a security measure
in relation to the business value realized. See ISO/IEC TR 27016 for guidance on ISMS investment decisions and the economic
consequences of those decisions in the context of competing resource demands.
There should be a balance between the resources deployed to implement the security measures and the possible business impact
resulting from security incidents in the absence of these security measures. The results of the risk assessment should help guide
and determine appropriate management actions, priorities for managing information security risks, and for implementing security
measures identified as necessary to protect against these risks.
Certain security measures in this document can be considered basic principles for information security management and are
applicable to most organizations. More information on determining security measures and other risk treatment options can be found
in ISO/IEC 27005.
0.5 Development of organization-specific guidelines
This document can be considered a starting point for developing organization-specific guidelines. Not all security measures and guidelines in this document are applicable to every organization. Other security measures and guidelines not listed in this document may be required to address specific organizational needs and identified risks. When writing documents containing additional guidelines or security measures, it may be useful to add cross-references to clauses of this document for future reference.
0.6 Life cycle considerations
Information has a life cycle, from its creation to its disposal. The value of the information and the associated risks may vary during this life cycle (for example, unauthorized disclosure or theft of a company's financial accounts has little impact once this information has been published, but its integrity remains critical). Therefore, information security remains important at all stages.
Information systems and other assets relevant to information security have life cycles during which they are conceived, specified, designed, developed, tested, implemented, operated, maintained and eventually retired from service and disposed of. Information security should be considered at every stage. Development projects for new systems and changes to existing systems provide an opportunity to improve security measures while taking into account the organization's risks and lessons learned from incidents.
0.7 Related International Standards
While this document provides guidance covering a wide range of security measures that are commonly used in many different organizations, other documents in the ISO/IEC 27000 family provide additional guidance or requirements relating to other aspects of the overall information security management process.
Refer to ISO/IEC 27000 for a general introduction to both ISMS and the family of documents. ISO/IEC 27000 provides a glossary, defining most of the terms used in the ISO/IEC 27000 family of documents, and describes the scope and objectives of each member of the family.
There are industry standards that include additional security measures to address specific areas (e.g. ISO/IEC 27017 for cloud services, ISO/IEC 27701 for privacy protection, ISO/IEC 27019 for energy, ISO/IEC 27011 for telecommunications organizations and ISO 27799 for health). These standards are listed in the Bibliography and some of them are referenced in the recommendations and other information in Clauses 5 to 8.
INTERNATIONAL STANDARD
ISO/IEC 27002:2022(F)
Information security, cybersecurity and privacy protection
— Information security measures
1 Scope
This document provides a reference set of generic information security controls, including implementation
recommendations. This document is designed for use by organizations:
a) in the context of an information security management system (ISMS) according to ISO/IEC 27001;
b) for the implementation of information security measures based on internationally recognized best practices;
c) for the development of information security management recommendations specific to an organization.
2 Normative references
This document does not contain any normative references.
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization, which can be consulted at the following
addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
access control
means to ensure that physical and logical access to assets (3.1.2) is authorized and limited according to
information security and business requirements
3.1.2
asset
anything of value to the organization
Note 1 to entry: In the context of information security, two types of assets can be distinguished:
— essential assets:
— information;
— processes (3.1.27) and business activities;
— supporting assets (on which essential assets rely) of all types, for example:
— hardware;
— software;
— network;
— personnel (3.1.20);
— site;
— organizational structure.
3.1.3
attack
unauthorized attempt, whether successful or not, to destroy, alter, disable, gain access to an asset (3.1.2) or any attempt to
expose, steal or make unauthorized use of an asset (3.1.2)
3.1.4
authentication
provision of assurance that a claimed characteristic of an entity (3.1.11) is correct
3.1.5
authenticity
property that an entity (3.1.11) is what it claims to be
3.1.6
chain of custody
demonstrable possession, movement, handling and location of material from one point in time to another
Note 1 to entry: Material includes information and other related assets (3.1.2) in the context of ISO/IEC 27002.
[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — Added Note 1 to entry]
3.1.7
confidential information
information that is not intended to be made available or disclosed to unauthorized persons, entities (3.1.11) or processes (3.1.27)
3.1.8
security measure
action that maintains and/or modifies a risk
Note 1 to entry: A security measure includes, but is not limited to, any process (3.1.27), policy (3.1.24), device, practice or other conditions and/or actions that maintain and/or modify a risk.
Note 2 to entry: A security measure does not always produce the intended or assumed change.
[SOURCE: ISO 31000:2018, 3.8, modified]
3.1.9
disruption
incident, whether anticipated or unanticipated, that results in an unplanned negative deviation from the delivery of products and the provision of services as planned according to an organization's objectives
[SOURCE: ISO 22301:2019, 3.10]
3.1.10
endpoint device
information and communication technology (ICT) hardware device connected to a network
Note 1 to entry: An endpoint device can refer to desktops, laptops, smartphones, tablets, thin clients, printers or other specialized hardware, including smart meters or Internet of Things (IoT) devices.
3.1.11
entity
something relevant for the purposes of the operation of a domain and which possesses a manifestly distinct existence
Note 1 to entry: An entity can have physical or logical embodiment.
EXAMPLE A person, organization, device, group of such items, human subscriber to a telecommunications service, SIM
card, passport, network interface card, software application, service or website.
[SOURCE: ISO/IEC 24760-1:2019, 3.1.1]
3.1.12
information processing facilities
any information processing system, service or infrastructure, or the premises housing them
[SOURCE: ISO/IEC 27000:2018, 3.27, modified]
3.1.13
information security breach
compromise of information security that results in the unwanted destruction, loss, alteration or disclosure of, or access to, protected information that is transmitted, stored or otherwise processed
3.1.14
information security event
occurrence indicating a possible information security breach (3.1.13) or failure of security measures (3.1.8)
[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified]
3.1.15
information security incident
one or more information security events (3.1.14) that may harm the assets (3.1.2) of an organization or compromise its operations
[SOURCE: ISO/IEC 27035-1:2016, 3.4, modified]
3.1.16
information security incident management
exercise of a consistent and effective approach to handling information security incidents (3.1.15)
[SOURCE: ISO/IEC 27035-1:2016, 3.5, modified]
3.1.17
information system
set of applications, services, information assets (3.1.2) or other components for managing information
[SOURCE: ISO/IEC 27000:2018, 3.35]
3.1.18
interested party
stakeholder
person or organization likely to affect, be affected or feel affected by a decision or activity
[SOURCE: ISO/IEC 27000:2018, 3.37]
3.1.19
non-repudiation
ability to prove the occurrence of a claimed event or action and the entities (3.1.11) that caused it
3.1.20
personnel
persons performing work under the control of the organization
Note 1 to entry: The concept of personnel includes members of the organization, such as the governing body,
management, employees, temporary staff, contractors and volunteers.
3.1.21
personal data
DCP
any information that (a) can be used to link the information to the natural person to whom such information
relates, or that (b) is or can be directly or indirectly associated with a natural person
Note 1 to entry: The “natural person” referred to in the definition is the data subject (3.1.22). In determining whether a
data subject is identifiable, consideration should be given to all means that may reasonably be employed by the privacy
stakeholder holding the data, or any other party, to establish the link between the set of personal data and the natural
person.
[SOURCE: ISO/IEC 29100:2011/Amd.1:2018, 2.9]
3.1.22
data subject
natural person to whom the personal data (DCP) (3.1.21) relates
Note 1 to entry: Depending on the jurisdiction and the applicable data protection and privacy law, other terms may be used instead of “data subject”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
3.1.23
DCP processor
privacy stakeholder who processes personal data (DCP) (3.1.21) on behalf of a DCP controller and in accordance with its instructions
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.1.24
policy
intentions and orientations of an organization as formalized by its management
[SOURCE: ISO/IEC 27000:2018, 3.53]
3.1.25
privacy impact study
PIA
overall process (3.1.27) to identify, analyze, assess, consult, communicate and plan to address potential privacy impacts with respect to the processing of personal data (DCP) (3.1.21), within the broader framework of an organization's risk management system
[SOURCE: ISO/IEC 29134:2017, 3.7, modified — “assessment” replaced by “study”. Note 1 to entry deleted]
3.1.26
procedure
specified way of performing an activity or process (3.1.27)
[SOURCE: ISO 30000:2009, 3.12]
3.1.27
process
set of interrelated or interacting activities that uses inputs to produce a result
[SOURCE: ISO 9000:2015, 3.4.1, modified — Notes to entry removed]
3.1.28
record
information created, received and preserved as evidence and as an asset (3.1.2) by a natural or legal person in the discharge of its legal obligations or the conduct of its business
Note 1 to entry: In this context, legal obligations include all legal, statutory, regulatory and contractual requirements.
[SOURCE: ISO 15489-1:2016, 3.14, modified — Added Note 1 to entry]
3.1.29
recovery point objective
OPR
point in time to which data must be restored following a disruption (3.1.9)
[SOURCE: ISO/IEC 27031:2011, 3.12]
3.1.30
recovery time objective
DR
period within which minimum levels of service and/or products, as well as supporting systems, applications or functions, must be restored following a disruption (3.1.9)
[SOURCE: ISO/IEC 27031:2011, 3.13]
3.1.31
reliability
property relating to consistency of behavior and intended results
3.1.32
rule
accepted principle or instruction stating the organization's expectations of what is required to be done, what is
allowed or what is not
Note 1 to entry: Rules can be expressed formally in topic-specific policies (3.1.35) as well as in other types of
documents.
3.1.33
sensitive information
information that needs to be protected from unavailability, unauthorized access, modification, or public disclosure
because of possible adverse effects on a person, organization, national security, or public safety
3.1.34
threat
potential cause of an undesirable incident, which may harm a system or organization
[SOURCE: ISO/IEC 27000:2018, 3.74]
3.1.35
topic-specific policy
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
Note 1 to entry: Topic-specific policies can formally express organizational rules (3.1.32) or standards.
Note 2 to entry: Some organizations use other terms to refer to topic-specific policies.
Note 3 to entry: Topic-specific policies referred to in this document relate to information security.
EXAMPLE Access control topic-specific policy (3.1.1), clear desk and clear screen topic-specific policy.
3.1.36
user
interested party (3.1.18) with access to the organization's information systems (3.1.17)
EXAMPLE Staff (3.1.20), customers, suppliers.
3.1.37
user endpoint device
endpoint device (3.1.10) used by users to access information processing services
Note 1 to entry: A user endpoint device can refer to a desktop computer, laptop, smartphone, tablet, thin client, etc.
3.1.38
vulnerability
flaw in an asset (3.1.2) or security measure (3.1.8) that can be exploited by one or more threats (3.1.34)
[SOURCE: ISO/IEC 27000:2018, 3.77]
3.2 Abbreviations
ABAC
attribute-based access control
BIA
business impact analysis
BYOD
bring your own device
CAPTCHA
completely automated public Turing test to tell computers and humans apart
CPU
central processing unit
DAC
discretionary access control
DNS
domain name system
DR
recovery time objective
GPS
global positioning system
IAM
identity and access management
ID
identifier
IDE
integrated development environment
IDS
intrusion detection system
IoT
Internet of Things
IP
internet protocol
IPS
intrusion prevention system
IT
information technology
ACL
access control list
MAC
mandatory access control
NTP
network time protocol
OPR
recovery point objective
PIA
privacy impact assessment
PII
personally identifiable information
PIN
personal identification number
PKI
public key infrastructure
PTP
precision time protocol
RBAC
role-based access control
SAST
static application security testing
SD
secure digital
SDN
software-defined networking
SD-WAN
software-defined wide area network
SIEM
security information and event management
SMS
short message service
ISMS
information security management system
SQL
structured query language
SSO
single sign-on
SWID
software identification
ICT
information and communication technology
UEBA
user and entity behaviour analytics
UPS
uninterruptible power supply
URL
uniform resource locator
USB
universal serial bus
VM
virtual machine
VPN
virtual private network
Wi-Fi
wireless fidelity
4 Structure of this document
4.1 Clauses
This document is structured as follows:
a) organizational security measures (Clause 5);
b) security measures applicable to persons (Clause 6);
c) physical security measures (Clause 7);
d) technological security measures (Clause 8).
It contains 2 informative annexes:
— Annex A — Use of attributes;
— Annex B — Correspondence with ISO/IEC 27002:2013.
Annex A explains how an organization can use the attributes (see 4.2) to create its own views based on the
security control attributes defined in this document or created by it.
Annex B shows the correspondence between the security measures in this edition of ISO/IEC 27002 and
the previous edition from 2013.
4.2 Themes and attributes
The categories of security measures proposed in Clauses 5 to 8 are called themes.
Security measures are categorized as follows:
a) applicable to persons, if they relate to individuals;
b) physical, if they relate to physical objects;
c) technological, if they relate to technology;
d) organizational for the rest of the security measures.
The organization can use attributes to create different views representing different categorizations of security measures, providing a different point of view on the themes. Attributes can be used to filter, sort or present security measures in different views for different audiences. Annex A explains how attributes can be used and provides an example view.
By way of example, each security measure in this document has been associated with five attributes with the corresponding attribute values (preceded by the sign "#" to make them easy to find), as follows:
a) The type of security measure
The type of security measure is an attribute that allows security measures to be considered in terms of
when and how this security measure modifies the risk in the event of the occurrence of an information
security incident. The values of this attribute are: Preventive (the purpose of the security measure is to
prevent the occurrence of an information security incident), Detective (the security measure acts when an
information security incident occurs) and Corrective (the security measure acts after the occurrence of an
information security incident).
b) Information security properties
Information security properties are an attribute that allows security measures to be viewed from the
perspective of the characteristics of the information that the security measure will help preserve. The values
of this attribute are: Confidentiality, Integrity and Availability.
c) Cybersecurity concepts
Cybersecurity concepts is an attribute that allows security measures to be considered from the point of
view of their association with cybersecurity concepts as defined in the cybersecurity framework described
in ISO/IEC TS 27110. The values of this attribute are: Identify, Protect, Detect, Respond and Recover.
d) Operational capacities
Operational capabilities are an attribute that allows security measures to be considered from the point of
view of practitioners in relation to information security skills. The values of this attribute are: Governance,
Asset_Management, Information_Protection, Human_Resource_Security, Physical_Security,
System_and_Network_Security, Application_Security, Secure_Configuration,
Identity_and_Access_Management, Threat_and_Vulnerability_Management, Continuity,
Supplier_Relationship_Security, Regulatory_and_Compliance, Security_Event_Management and
Information_Security_Assurance.
e) Security domains
Security Domains is an attribute that allows security controls to be considered from the perspective of the
four information security domains: “Governance & Ecosystem” includes “Governance of Information
Systems Security and Management of Risks” and “Ecosystem Cybersecurity Management” (including
internal and external stakeholders); “Protection” includes “IT Security Architecture”, “IT Security
Administration”, “Identity and Access Management”, “IT Security Maintenance” and “Environmental and
Physical Security”; “Defence” includes “Detection” and “Computer Security Incident Management”;
“Resilience” includes “Continuity of Operations” and “Crisis Management”.
The values of this attribute are: Governance_and_Ecosystem, Protection, Defence and Resilience.
The attributes proposed in this document are selected because they are considered generic enough to be used
by different types of organizations. Organizations may choose to ignore one or more of the attributes in this
document. They can also create their own attributes (with corresponding attribute values) to create their own
organizational views. Clause A.2 includes examples of such attributes.
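The attribute mechanism described in 4.2 and Annex A is easiest to see as a small data model: a fixed vocabulary per attribute, each control tagged with values, and views built by filtering or pivoting on one attribute. The following is an added example, not code from ISO/IEC 27002:2022. The vocabulary is the one listed in 4.2 a) to e), and the four controls encoded carry the attribute values this document gives for 5.1 to 5.4; the helper functions, the attribute key names and the organization-defined "owner" attribute are assumptions about how an organization might implement its own views.

```python
"""Attribute-based views over security controls (see 4.2 and Annex A).

Added example, not part of ISO/IEC 27002:2022. The allowed vocabulary is
the one listed in 4.2 a) to e); the controls below carry the attribute
values this document gives for 5.1 to 5.4. The helper functions and the
"owner" attribute are assumptions, not something the standard defines.
"""
from collections import defaultdict

# Allowed attribute values, as enumerated in 4.2 a) to e).
ATTRIBUTE_VALUES = {
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "security_properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "cybersecurity_concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "operational_capabilities": {
        "#Governance", "#Asset_Management", "#Information_Protection",
        "#Human_Resource_Security", "#Physical_Security",
        "#System_and_Network_Security", "#Application_Security",
        "#Secure_Configuration", "#Identity_and_Access_Management",
        "#Threat_and_Vulnerability_Management", "#Continuity",
        "#Supplier_Relationship_Security", "#Regulatory_and_Compliance",
        "#Security_Event_Management", "#Information_Security_Assurance",
    },
    "security_domains": {"#Governance_and_Ecosystem", "#Protection",
                         "#Defence", "#Resilience"},
}

CIA = {"#Confidentiality", "#Integrity", "#Availability"}

# Controls 5.1 to 5.4 with the attribute values given in this document.
CONTROLS = {
    "5.1": {"title": "Information security policies",
            "control_type": {"#Preventive"}, "security_properties": CIA,
            "cybersecurity_concepts": {"#Identify"},
            "operational_capabilities": {"#Governance"},
            "security_domains": {"#Governance_and_Ecosystem", "#Resilience"}},
    "5.2": {"title": "Information security roles and responsibilities",
            "control_type": {"#Preventive"}, "security_properties": CIA,
            "cybersecurity_concepts": {"#Identify"},
            "operational_capabilities": {"#Governance"},
            "security_domains": {"#Governance_and_Ecosystem", "#Protection",
                                 "#Resilience"}},
    "5.3": {"title": "Segregation of duties",
            "control_type": {"#Preventive"}, "security_properties": CIA,
            "cybersecurity_concepts": {"#Protect"},
            "operational_capabilities": {"#Governance",
                                         "#Identity_and_Access_Management"},
            "security_domains": {"#Governance_and_Ecosystem"}},
    "5.4": {"title": "Management responsibilities",
            "control_type": {"#Preventive"}, "security_properties": CIA,
            "cybersecurity_concepts": {"#Identify"},
            "operational_capabilities": {"#Governance"},
            "security_domains": {"#Governance_and_Ecosystem"}},
}


def validate(controls, allowed=ATTRIBUTE_VALUES):
    """List (control_id, attribute, value) triples outside the allowed
    vocabulary. A misspelt value such as '#Availablity' would silently drop
    a control from every view, so check before building views."""
    problems = []
    for cid, ctl in controls.items():
        for attr, values in ctl.items():
            if attr == "title":
                continue
            if attr not in allowed:
                problems.append((cid, attr, None))
                continue
            problems.extend((cid, attr, v) for v in sorted(values)
                            if v not in allowed[attr])
    return problems


def view(controls, attribute, value):
    """Ids of controls whose `attribute` carries `value`, in document order."""
    return [cid for cid, ctl in controls.items() if value in ctl.get(attribute, ())]


def group_by(controls, attribute):
    """Pivot one attribute: value -> control ids, i.e. one view per value."""
    groups = defaultdict(list)
    for cid, ctl in controls.items():
        for v in sorted(ctl.get(attribute, ())):
            groups[v].append(cid)
    return dict(groups)


def with_attribute(controls, name, assignments):
    """Copy of `controls` extended with an organization-defined attribute
    (Annex A allows this); `assignments` maps control id -> values."""
    return {cid: {**ctl, name: set(assignments.get(cid, ()))}
            for cid, ctl in controls.items()}


# Organization-specific attribute (assumed, not from the standard).
ORG_ALLOWED = {**ATTRIBUTE_VALUES, "owner": {"#CISO", "#HR", "#IT_Operations"}}
ORG_CONTROLS = with_attribute(CONTROLS, "owner",
                              {"5.1": {"#CISO"}, "5.2": {"#CISO", "#HR"},
                               "5.3": {"#IT_Operations"}, "5.4": {"#CISO"}})
```

Running `validate` before publishing a view is the practical point: the vocabulary is closed, so a typo in one tag is not an error the view function sees, it is simply a control that disappears from the view that audience relies on.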
4.3 Structure of security measures
The structure of each security measure contains the following:
— Security measure title: short name of the security measure;
— Attribute table: table showing the value(s) of each attribute for a given security measure;
— Security measure: description of the security measure;
— Purpose: the reasons why the security measure should be implemented;
— Recommendations: how the security measure should be implemented;
— Other information: explanatory text or references to other related documents.
Subtitles are used in the text of the recommendations of certain security measures for the sake of readability when the text of the
recommendations is long and covers several subjects. These titles are not necessarily used in the text of all recommendations.
Subtitles are underlined.
5 Organizational security measures
5.1 Information Security Policies
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Governance
Security domains: #Governance_and_Ecosystem #Resilience
Security measure
An information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals and if significant changes occur.
Objective
Continuously ensure the relevance, adequacy and effectiveness of management's orientations and its support for information
security according to business, legal, statutory, regulatory and contractual requirements.
Recommendations
The organization should define, at its highest level, an “information security policy”, which is approved by management and which
sets out the organisation's approach to managing the security of its information.
The information security policy should take into account the requirements derived from the following:
a) strategy and business requirements;
b) regulations, legislation and contracts;
c) current and foreseeable information security risks and threats.
This information security policy should include information about:
a) the definition of information security;
b) the information security objectives or the framework for establishing these objectives;
c) the principles to guide all activities related to information security;
d) commitment to meet applicable information security requirements;
e) the commitment to ensure the continuous improvement of the information security management system;
f) assignment of responsibilities for information security management to defined functions;
g) procedures for managing waivers and exceptions.
Management should approve any changes to the information security policy.
At a lower level, information security policy should be reinforced with topic-specific policies to additionally
mandate the implementation of information security measures. Topic-specific policies are generally
structured to meet the needs of certain target groups of an organization or to cover certain areas of
security. Topic-specific policies should be aligned with and complementary to the organization's
information security policy.
Examples of these themes are:
a) access control;
b) physical and environmental security;
c) asset management;
d) transfer of information;
e) secure configuration and management of user endpoint devices;
f) network security;
g) information security incident management;
h) backup;
i) cryptography and key management;
j) classification and handling of information;
k) the management of technical vulnerabilities;
l) secure development.
Responsibility for developing, reviewing and approving topic-specific policies should be assigned to appropriate staff based on their level of authority and technical competence. The review should include assessing opportunities for improving the organization's information security policy and topic-specific policies, as well as for managing information security in response to changes in:
a) the business strategy of the organization;
b) the technical environment of the organization;
c) regulations, statutes, legislation and contracts;
d) information security risks;
e) the current and foreseeable information security threat environment;
f) lessons learned from information security events and incidents.
The review of the information security policy and topic-specific policies should take into account the
results of management reviews and audits. The review and update of other related policies should be
taken into account when a policy is changed to ensure consistency.
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to recipients. Recipients of policies should be required to confirm their understanding of these policies and agree to abide by them where applicable. The organization can determine the formats and names of these policy documents according to its needs. In some organizations, the information security policy and topic-specific policies may be in a single document. The organization may refer to these topic-specific policies as standards, guidelines, policies or other names.
If the information security policy or any topic-specific policy is disseminated outside the organization,
care should be taken not to indiscriminately disclose confidential information.
Table 1 illustrates the differences between an information security policy and a topic-specific policy.
Table 1 — Differences between information security policy and topic-specific policy
                                      Information security policy   Topic-specific policy
Level of detail                       General or high level         Specific and detailed
Documented and formally approved by   Top management                The appropriate level of management
Additional Information
Topic-specific policies may differ from organization to organization.
5.2 Information Security Duties and Responsibilities
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Governance
Security domains: #Governance_and_Ecosystem #Protection #Resilience
Security measure
Information security functions and responsibilities should be defined and assigned according to the
needs of the organization.
Objective
Establish a defined, approved and understood structure for the implementation, operation and
management of information security within the organization.
Recommendations
Information security functions and responsibilities should be assigned in accordance with the information
security policy and topic-specific policies (see 5.1). The organization should define and manage
responsibilities for:
a) protection of information and other associated assets;
b) the application of specific information security related processes;
c) information security risk management activities and, in particular, the acceptance of residual risks (for example, vis-à-vis risk owners);
d) all personnel using the organization's information and other associated assets.
These responsibilities should be supplemented, if necessary, with additional detailed recommendations
for certain sites and means of processing information. People with information security responsibilities
can assign security tasks to other people.
However, they remain responsible and should ensure the proper execution of any delegated task.
Each security domain for which individuals are responsible should be defined, documented, and
communicated. The different authorization levels should be defined and documented. Persons in an
information security function should possess the knowledge and skills required for the function and they
should receive the necessary support to keep abreast of developments relating to the function and
which are necessary to fulfill the responsibilities of this function.
Additional Information
Many organizations appoint an information security officer to take full responsibility for the development
and implementation of information security and to support the identification of risks and mitigation
measures.
However, the responsibility for allocating resources and implementing security measures often remains
assigned to other managers. A common practice is to designate an owner for each asset who then
becomes responsible for the day-to-day protection of that asset.
Depending on the size of the organization and the resources at its disposal, information security can be
ensured by dedicated functions or by the assignment of tasks to be carried out in addition to existing
functions.
5.3 Segregation of duties
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Governance #Identity_and_Access_Management
Security domains: #Governance_and_Ecosystem
Security measure
Incompatible tasks and areas of responsibility should be separated.
Objective
Reduce the risk of fraud, error and circumvention of information security measures.
Recommendations
Segregation of duties and areas of responsibility aims to divide incompatible tasks among several people so that no single person can carry out potentially conflicting tasks alone.
The organization should determine which tasks and areas of responsibility need to be separated. Examples of activities that may require separation include:
a) initiation, approval and execution of a change;
b) request, approval and implementation of access rights;
c) design, implementation and code review;
d) software development and administration of production systems;
(e) use and administration of the applications;
f) use of applications and administration of databases;
g) design, audit and implementation of information security measures.
Consideration should be given to the possibility of collusion when designing the means of separation.
Smaller organizations may find it difficult to achieve segregation of duties, but this principle should be
applied wherever possible. When segregation of duties is difficult to achieve, consider other security
measures such as activity monitoring, audit logs, and management oversight.
Care should be taken not to assign conflicting roles to individuals when role-based access control
systems are used. When there are a large number of roles, the organization should consider using
automated tools to identify conflicts and facilitate their removal. Roles should be defined and assigned
carefully to minimize access problems if a role is removed or reassigned.
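The automated conflict check mentioned above, as an added example that is not part of the standard: the incompatible activity pairs are taken from the list in 5.3, while the role catalogue, the user assignments and the activity names are constructed for the example. It reports both pairs of roles that should not be combined and individual users whose current roles already let them perform an incompatible pair alone.

```python
"""Segregation-of-duties check over role assignments.

Added example (not from ISO/IEC 27002): given the incompatible activity pairs
listed in 5.3, roles that grant activities, and users holding roles, report
every role combination and every user that lets one person perform an
incompatible pair alone.  Role names, user names and activity identifiers
are constructed for the example.
"""
from itertools import combinations

# Incompatible activity pairs drawn from 5.3 a) to g): each frozenset is a pair
# of activities one person should not be able to perform alone.
INCOMPATIBLE_PAIRS = {
    frozenset({"change.initiate", "change.approve"}),
    frozenset({"change.approve", "change.execute"}),
    frozenset({"access.request", "access.approve"}),
    frozenset({"access.approve", "access.implement"}),
    frozenset({"code.design", "code.review"}),
    frozenset({"code.implement", "code.review"}),
    frozenset({"software.develop", "prod.administer"}),
    frozenset({"app.use", "app.administer"}),
    frozenset({"app.use", "db.administer"}),
    frozenset({"secmeasure.design", "secmeasure.audit"}),
    frozenset({"secmeasure.implement", "secmeasure.audit"}),
}

# Constructed role catalogue: role -> activities it grants.
ROLES = {
    "developer": {"code.design", "code.implement", "software.develop"},
    "code_reviewer": {"code.review"},
    "prod_sysadmin": {"prod.administer", "change.execute"},
    "change_approver": {"change.approve"},
    "change_requester": {"change.initiate"},
    "security_auditor": {"secmeasure.audit"},
    "security_engineer": {"secmeasure.design", "secmeasure.implement"},
}


def activities_for(user_roles, roles=ROLES):
    """Union of the activities granted by a user's roles."""
    acts = set()
    for r in user_roles:
        acts |= roles.get(r, set())
    return acts


def role_conflicts(roles=ROLES, pairs=INCOMPATIBLE_PAIRS):
    """Pairs of roles that together cover an incompatible activity pair, plus
    any single role that covers one on its own (returned as (role, role)).
    This is the check a large role catalogue needs automated."""
    conflicts = set()
    for a, b in combinations(sorted(roles), 2):
        merged = roles[a] | roles[b]
        if any(p <= merged for p in pairs):
            conflicts.add((a, b))
    for r, acts in roles.items():
        if any(p <= acts for p in pairs):
            conflicts.add((r, r))
    return sorted(conflicts)


def user_violations(assignments, roles=ROLES, pairs=INCOMPATIBLE_PAIRS):
    """Map user -> sorted list of incompatible pairs that user could perform alone."""
    out = {}
    for user, user_roles in assignments.items():
        acts = activities_for(user_roles, roles)
        hits = [tuple(sorted(p)) for p in pairs if p <= acts]
        if hits:
            out[user] = sorted(hits)
    return out


if __name__ == "__main__":
    sample = {  # constructed assignments
        "alice": {"developer", "code_reviewer"},
        "bob": {"developer", "prod_sysadmin"},
        "carol": {"change_requester", "change_approver"},
        "dave": {"security_engineer"},
    }
    for role_pair in role_conflicts():
        print("roles must not be combined:", role_pair)
    for user, hits in user_violations(sample).items():
        print(user, "can perform alone:", hits)
```

Where a conflict cannot be removed (the small-organization case in the text), the output of `user_violations` is the list of people whose activity should be covered by the compensating measures named above: monitoring, audit logs and management oversight.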
Additional Information
No additional information.
5.4 Management Responsibilities
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Governance
Security domains: #Governance_and_Ecosystem
Security measure
Management should require all personnel to apply information security measures in accordance with
the organization's information security policy, topic-specific policies and established procedures.
Objective
Ensure that management understands its role in information security and takes action to ensure that
all personnel are aware of and fulfil their information security responsibilities.
Recommendations
Management should demonstrate support for the information security policy, topic-specific policies,
procedures and information security measures.
Management responsibilities should include ensuring that personnel:
a) are properly briefed on their information security duties and responsibilities before being granted
access to the organization's information and other associated assets;
b) are given guidelines that set out the information security expectations of their role within the
organization;
c) are required to apply the information security policy and the organization's topic-specific policies;
d) achieve a level of information security awareness commensurate with their duties and
responsibilities within the organization (see 6.3);
e) comply with the terms and conditions of their employment, contract or agreement, including the
organization's information security policy and appropriate working practices;
f) continue to have the appropriate information security skills and qualifications through continuing
professional development;
g) where practicable, are provided with a confidential channel for reporting violations of the information
security policy, topic-specific policies or information security procedures ("whistleblowing"). This may
allow anonymous reports, or arrangements that ensure the identity of the person reporting the violation
is known only to those who handle such reports;
h) are provided with adequate resources and project planning time for the implementation of the
organization's security processes and measures.
Additional Information
No additional information.
5.5 Contacts with authorities
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Respond #Recover
Operational capabilities: #Governance
Security domains: #Defence #Resilience
Security measure
The organization should establish and maintain contact with the appropriate authorities.
Objective
Ensure the proper flow of information security information between the organization and the relevant
legal, regulatory and supervisory authorities.
Recommendations
The organization should specify when and which authorities (e.g. law enforcement, regulatory bodies,
supervisory authorities) should be contacted, and how identified information security incidents should
be reported in a timely manner.
Contacts with authorities should also be used to facilitate understanding of the current and future
expectations of those authorities (e.g. applicable information security regulations).
Additional Information
Organizations under attack can ask the authorities to take action against the source of the attack.
Maintaining these contacts may be a requirement to support information security incident management (see
5.24 to 5.28) or contingency planning and business continuity processes (see 5.29 and 5.30). Contacts with
regulatory authorities are also useful for anticipating and preparing for future changes in relevant laws or
regulations that impact the organization.
Contacts with other authorities include utilities, emergency services, electricity suppliers and health and
safety bodies [e.g. fire brigade (in connection with business continuity), telecommunications operators
(in connection with routing and availability) and water suppliers (in connection with equipment cooling)].
5.6 Contacts with specific interest groups
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Respond #Recover
Operational capabilities: #Governance
Security domains: #Defence
Security measure
The organization should establish and maintain contacts with specific interest groups or other specialized
security forums and professional associations.
Objective
Ensure the proper flow of information regarding information security.
Recommendations
Membership of specific interest groups or specialist forums should be considered as a means of:
a) improving knowledge of best practices and staying up to date with relevant security information;
b) ensuring that the understanding of the information security environment is current;
c) receiving early warnings of alerts, advisories and patches relating to attacks and vulnerabilities;
d) gaining access to specialist information security advice;
e) sharing and exchanging information about new technologies, products, services, threats or
vulnerabilities;
f) having suitable points of contact when dealing with information security incidents
(see 5.24 to 5.28).
Additional Information
No additional information.
5.7 Threat Intelligence
Type of security measure: #Preventive #Detective #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Detect #Respond
Operational capabilities: #Threat_and_vulnerability_management
Security domains: #Defence #Resilience
Security measure
Information security threat information should be collected and analyzed to produce threat intelligence.
Objective
Bring knowledge of the organization's threat environment so that appropriate mitigating actions can be
taken.
Recommendations
Information on existing and emerging threats should be collected and analysed in order to:
a) promote informed actions to prevent threats from harming the organization;
b) reduce the impact of these threats.
Threat intelligence can be divided into three layers, all of which should be considered:
a) strategic threat intelligence: exchange of high-level information about the evolving threat
landscape (e.g. types of attackers or types of attacks);
b) tactical threat intelligence: information about attacker methodologies, tools and technologies
involved;
c) operational threat intelligence: details of specific attacks, including technical indicators.
Threat intelligence should be:
a) relevant (i.e. related to the protection of the organization);
b) insightful (i.e. providing the organization with an accurate and detailed understanding of the threat
landscape);
c) contextual, to provide situational awareness (i.e. adding context to the information based on the time
of events, where they occur, previous experience and prevalence in similar organizations);
d) actionable (i.e. the organization can act on the information quickly and effectively).
Activities associated with threat intelligence should include:
a) establishment of objectives for the generation of threat intelligence;
b) identification, verification and selection of internal and external information sources that are necessary
and appropriate to provide the information required for the generation of threat intelligence;
c) collection of information from selected sources, which may be internal and external;
d) processing the collected information to prepare it for analysis (for example, by
translating, formatting or corroborating the information);
e) analysis of information to understand its connection and importance to the organization;
f) communication and sharing of the information with the appropriate persons in an understandable
form.
Threat intelligence should be analysed and then used:
a) by implementing processes to include information gathered from threat intelligence sources in the
organization's information security risk management processes;
b) as additional input to technical preventive and detective security measures such as firewalls,
intrusion detection systems or anti-malware solutions;
c) as input to information security testing techniques and processes.
The organization should share threat intelligence with other organizations on a mutual basis in order
to improve threat intelligence overall.
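The collect, process, analyse and use steps above, as an added example that is not part of the standard. Both feeds, the organization profile and every indicator value are constructed for the example (reserved documentation addresses and the reserved `.test` domain; none are real indicators of compromise). It normalizes two feed formats into one record shape, corroborates a domain seen in both feeds, scores each indicator for relevance and freshness against the organization's own profile, and emits only the relevant, fresh, blockable indicators as input to a preventive measure.

```python
"""Minimal threat-intelligence processing pipeline.

Added example (not from ISO/IEC 27002): the 5.7 activities of collecting,
processing (normalising and corroborating), analysing for relevance and
producing actionable output.  The feeds, the organisation profile and every
indicator value below are constructed for the example; none are real IoCs.
"""
import json
import re
from datetime import date

# --- collection: two constructed feeds in different formats -----------------
VENDOR_CSV = """indicator,type,first_seen,campaign,targets
hxxp://update-check[.]example-malicious[.]test/ping,url,2022-01-10,DemoLoader,finance;retail
203.0.113.77,ipv4,2022-01-12,DemoLoader,finance
"""
ISAC_JSON = """[
 {"value": "UPDATE-CHECK.EXAMPLE-MALICIOUS.TEST", "kind": "domain", "seen": "2022-01-11", "sector": "finance"},
 {"value": "198.51.100.9", "kind": "ipv4", "seen": "2020-03-01", "sector": "energy"}
]"""

# Constructed organisation profile used during analysis (5.7 "relevant").
ORG = {"sector": "finance", "max_age_days": 180, "today": date(2022, 2, 1)}


def refang(value):
    """Undo common defanging ('hxxp', '[.]') so values compare consistently."""
    v = value.strip().lower().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", v)


def collect():
    """Parse both feeds into a common record shape, tagging the source."""
    records = []
    lines = VENDOR_CSV.strip().splitlines()
    keys = lines[0].split(",")
    for line in lines[1:]:
        row = dict(zip(keys, line.split(",")))
        records.append({"value": refang(row["indicator"]), "type": row["type"],
                        "seen": date.fromisoformat(row["first_seen"]),
                        "sectors": set(row["targets"].split(";")), "source": "vendor"})
    for item in json.loads(ISAC_JSON):
        records.append({"value": refang(item["value"]), "type": item["kind"],
                        "seen": date.fromisoformat(item["seen"]),
                        "sectors": {item["sector"]}, "source": "isac"})
    return records


def process(records):
    """Corroborate: merge records describing the same indicator value.
    A URL whose host matches a domain indicator also corroborates that domain."""
    merged = {}
    for r in records:
        m = merged.setdefault(r["value"], {"value": r["value"], "type": r["type"],
                                           "seen": r["seen"], "sectors": set(), "sources": set()})
        m["sectors"] |= r["sectors"]
        m["sources"].add(r["source"])
        m["seen"] = min(m["seen"], r["seen"])
    for m in list(merged.values()):
        if m["type"] == "url":
            host = re.sub(r"^https?://", "", m["value"]).split("/")[0]
            if host in merged:
                merged[host]["sources"] |= m["sources"]
                merged[host]["sectors"] |= m["sectors"]
    return list(merged.values())


def analyse(indicators, org=ORG):
    """Score relevance, freshness and actionability against the org profile."""
    out = []
    for ind in indicators:
        age = (org["today"] - ind["seen"]).days
        relevant = org["sector"] in ind["sectors"]
        fresh = age <= org["max_age_days"]
        actionable = ind["type"] in {"ipv4", "domain", "url"}
        out.append(dict(ind, age_days=age, relevant=relevant, fresh=fresh,
                        corroborated=len(ind["sources"]) > 1,
                        use=relevant and fresh and actionable))
    return out


def blocklist(analysed):
    """Operational output for a preventive measure (e.g. firewall or proxy)."""
    return sorted(i["value"] for i in analysed
                  if i["use"] and i["type"] in {"ipv4", "domain"})


def run():
    return analyse(process(collect()))


if __name__ == "__main__":
    for i in run():
        print(i["value"], i["type"], "sources=%d" % len(i["sources"]),
              "corroborated=%s" % i["corroborated"], "use=%s" % i["use"])
    print("blocklist:", blocklist(run()))
```

The stale, off-sector address is kept in the analysed set (it still has strategic value) but excluded from the blocklist, which is the distinction between collecting intelligence and acting on it that the text draws.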
Additional Information
Organizations can use threat intelligence to prevent, detect or respond to threats. Organizations may
produce threat intelligence, but more typically they receive and use threat intelligence produced by
other sources.
Threat intelligence is often offered by independent vendors or advisors, government agencies, or
collaborative threat intelligence groups.
The effectiveness of security measures such as 5.25, 8.7, 8.16 or 8.23 depends on the quality of threat
intelligence available.
5.8 Information security in project management
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Governance
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Information security should be integrated into project management.
Objective
Ensure that information security risks relating to projects and deliverables are effectively addressed in
project management, throughout the project life cycle.
Recommendations
Information security should be integrated into project management to ensure that information security
risks are addressed as part of project management. This recommendation can be applied to any type of
project, regardless of its complexity, size, duration, discipline
or its scope (for example, a project on a core business process, on information technology (ICT), on
facilities management or on other supporting processes).
The project management in use should require that:
a) information security risks are assessed and treated at an early stage and periodically thereafter as
part of project risks, throughout the project life cycle;
b) information security requirements [e.g. application security requirements (8.26), intellectual property
rights compliance requirements (5.32), etc.] are addressed at the outset of projects;
c) information security risks associated with the execution of projects, such as the security of internal
and external communication, are considered and treated throughout the project life cycle;
d) progress in the treatment of information security risks is monitored and the effectiveness of the
treatment is evaluated and tested.
The adequacy of information security considerations and activities should be monitored, at predefined
stages, by appropriate individuals or governance bodies, such as the project board.
Information security responsibilities and authorities appropriate to the project should be defined and
assigned to specific functions.
The information security requirements for the products or services to be delivered by the project should
be determined using different methods, including deriving compliance requirements from the information
security policy, topic-specific policies and regulations. Additional information security requirements
can be derived from activities such as threat modelling, incident review, use of vulnerability thresholds
or contingency planning, thereby ensuring that the architecture and design of information systems are
protected against known threats in the operational environment.
Information security requirements should be determined for all types of projects, not just ICT development
projects. The following should also be considered when determining these requirements:
a) what information is involved (information identification), what are the associated information security
needs (classification; see 5.12) and the potential negative business impact that can result from a lack
of adequate security;
b) the required protection needs of the information and other associated assets involved, in particular
in terms of confidentiality, integrity and availability;
c) the level of confidence or assurance required in the claimed identity of entities, in order to derive
authentication requirements;
d) processes for authorizing and granting access for customers and other potential business users, as
well as for technical or privileged users such as relevant project team members, operations staff or
external suppliers;
e) informing users of their duties and responsibilities;
f) requirements derived from business processes, such as transaction logging and monitoring, or
non-repudiation requirements;
g) requirements imposed by other information security measures (e.g. interfaces to logging and
monitoring or data leakage detection systems);
h) compliance with the legal, statutory, regulatory and contractual environment in which the organization
operates;
i) the level of confidence or assurance required for third parties to comply with the organization's
information security policy and topic-specific policies, including appropriate security clauses in any
agreement or contract.
Additional Information
The project development approach, such as a waterfall or agile life cycle, should support information
security in a structured way that can be adapted to the assessed severity of the information security
risks, depending on the nature of the project. Considering the information security requirements for the
product or service from the outset (e.g. from the planning and design phases) can lead to more efficient
and cost-effective solutions in terms of information quality and security. ISO 21500 and ISO 21502
provide guidance on project management concepts and processes that are important for project
performance.
ISO/IEC 27005 provides guidance on using risk management processes to identify security measures
that meet information security requirements.
5.9 Inventory of information and other related assets
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Asset_management
Security domains: #Governance_and_Ecosystem #Protection
Security measure
An inventory of information and other associated assets, including their owners, should be developed and
maintained.
Objective
Identify the organization's information and other associated assets to maintain their security and assign
ownership appropriately.
Recommendations
Inventory
The organization should identify its information and other associated assets and determine their
importance to information security. Documentation should be kept up to date in dedicated or existing
inventories, as appropriate.
The inventory of information and other associated assets should be accurate, up to date, consistent and
aligned with other inventories. Options for ensuring the accuracy of the inventory include:
a) conducting regular reviews of the identified information and other associated assets against the
asset inventory;
b) automatically enforcing an inventory update as part of installing, changing or removing an asset.
The location of each asset should be noted in the inventory as required.
The inventory does not need to be a single list of related information and other assets. Considering that the
inventory should be maintained by the appropriate functions,
it can be thought of as a set of dynamic inventories, such as inventories of information assets, hardware,
software, virtual machines (VMs), facilities, personnel, skills, capabilities and records.
Each asset should be classified according to the information classification (see 5.12) associated with it.
The granularity of the inventory of information and other related assets should be at a level appropriate to the
needs of the organization. Sometimes it is not possible to document specific instances of assets in the
information lifecycle due to the nature of the asset. An example of an ephemeral asset is a VM instance that
may have a short life cycle.
Ownership
For identified information and other associated assets, ownership of the asset should be assigned to a
person or group, and the classification should be identified (see 5.12, 5.13). A process should be
implemented to ensure the timely assignment of an owner to the asset. Assets should be assigned an
owner when they are created or when they are transferred to the organization. Ownership of the asset
should be reassigned as needed when the current owner leaves the organization or changes roles.
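The two inventory accuracy options (periodic review against the inventory, automatic update on install, change or withdrawal), the owner-assignment process and the ephemeral VM case from the passages above, as an added example that is not part of the standard. The inventory entries, the discovery scan results, the owner names and the 90-day staleness threshold are constructed for the example; short-lived VM instances are tracked against their template rather than individually.

```python
"""Reconcile an asset inventory against a discovery scan.

Added example (not from ISO/IEC 27002): implements the two accuracy measures
listed in 5.9 (periodic review against the inventory, automatic update on
install/change/withdrawal), flags assets without an owner, and treats
short-lived VM instances as an ephemeral class tracked at the template level
rather than per instance.  Inventory entries, scan results, owners and the
staleness threshold are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TODAY = date(2022, 2, 1)  # constructed review date


@dataclass
class Asset:
    asset_id: str
    kind: str                  # "hardware", "vm", "software", "information"
    owner: Optional[str]
    classification: str        # level from the 5.12 scheme
    location: str
    last_seen: date
    ephemeral: bool = False    # instances come and go; track the template
    tags: set = field(default_factory=set)


# Constructed inventory (what the organisation believes it has).
INVENTORY = {
    "srv-001": Asset("srv-001", "hardware", "ops-team", "internal", "DC1-rack4", date(2022, 1, 3)),
    "srv-002": Asset("srv-002", "hardware", None, "internal", "DC1-rack4", date(2021, 6, 1)),
    "vm-template-web": Asset("vm-template-web", "vm", "web-team", "confidential",
                             "cloud-eu", date(2022, 1, 3), ephemeral=True),
    "db-customers": Asset("db-customers", "information", "crm-owner", "confidential",
                          "srv-001", date(2022, 1, 3)),
}

# Constructed discovery scan (what is actually present on the review date).
SCAN = [
    {"id": "srv-001", "kind": "hardware", "location": "DC1-rack4"},
    {"id": "srv-009", "kind": "hardware", "location": "DC1-rack7"},
    {"id": "vm-web-a1b2", "kind": "vm", "location": "cloud-eu", "template": "vm-template-web"},
    {"id": "vm-web-c3d4", "kind": "vm", "location": "cloud-eu", "template": "vm-template-web"},
]


def reconcile(inventory, scan, today=TODAY, stale_after_days=90):
    """Periodic review: compare scan results with the inventory and report
    unknown, missing and moved assets, assets without an owner, and entries
    not confirmed for longer than the staleness threshold."""
    findings = {"unknown": [], "missing": [], "moved": [], "no_owner": [], "stale": []}
    seen = set()
    for s in scan:
        key = s.get("template") if s["kind"] == "vm" else s["id"]
        if s["kind"] == "vm" and key in inventory and inventory[key].ephemeral:
            seen.add(key)  # instance counted under its template entry
            continue
        if key not in inventory:
            findings["unknown"].append(s["id"])
            continue
        seen.add(key)
        if inventory[key].location != s["location"]:
            findings["moved"].append((s["id"], inventory[key].location, s["location"]))
    for aid, a in inventory.items():
        if a.kind in {"hardware", "vm"} and aid not in seen:
            findings["missing"].append(aid)
        if a.owner is None:
            findings["no_owner"].append(aid)
        if (today - a.last_seen).days > stale_after_days:
            findings["stale"].append(aid)
    return findings


def apply_event(inventory, event, today=TODAY):
    """Automatic inventory update driven by install / change / withdraw events
    (e.g. emitted by a provisioning or change-management system)."""
    kind = event["event"]
    if kind == "install":
        inventory[event["id"]] = Asset(event["id"], event["kind"], event.get("owner"),
                                       event.get("classification", "unclassified"),
                                       event["location"], today)
    elif kind == "change":
        a = inventory[event["id"]]
        a.location = event.get("location", a.location)
        a.owner = event.get("owner", a.owner)
        a.last_seen = today
    elif kind == "withdraw":
        inventory.pop(event["id"], None)
    else:
        raise ValueError("unknown event type: %r" % kind)
    return inventory


if __name__ == "__main__":
    print("before:", reconcile(INVENTORY, SCAN))
    apply_event(INVENTORY, {"event": "install", "id": "srv-009", "kind": "hardware",
                            "owner": "ops-team", "location": "DC1-rack7"})
    apply_event(INVENTORY, {"event": "change", "id": "srv-002", "owner": "ops-team"})
    print("after:", reconcile(INVENTORY, SCAN))
```

In the first review the unknown server and the unowned, stale entry are the findings a reviewer would act on; after the install and change events are applied the same review shows only the server that is still absent from the scan.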
Obligations of the owner
The asset owner should be responsible for the proper management of that asset throughout its life cycle,
ensuring that:
a) the information and other associated assets are inventoried;
b) information and other associated assets are appropriately classified and protected;
c) the classification is reviewed periodically;
d) the components that make up the technology assets are listed and their relationships established,
such as software, database and storage components and sub-components;
e) requirements for the acceptable use of information and other associated assets (see 5.10) are
defined;
f) access restrictions correspond to the classification, are effective and are reviewed periodically;
g) information and other associated assets that are deleted or disposed of are handled securely and
removed from the inventory;
h) they participate in identifying and managing the risks associated with their asset(s);
i) they support personnel who have the roles and responsibilities of managing their information.
Additional Information
Inventories of information and other associated assets are often necessary to ensure effective protection of
information and may also be necessary for other purposes, such as health and safety, insurance or financial
reasons. In addition, inventories of information and other related assets also support risk management, audit
activities, vulnerability management, incident response and recovery planning.
Tasks and responsibilities can be delegated (for example, to someone who monitors assets on a daily basis),
but the person or group who delegated them remains accountable.
It may be useful to designate groups of information and other related assets that act together to provide a
particular service. In this case, the owner of this service is responsible for the delivery of the service, including
the operation of its assets.
See ISO/IEC 19770-1 for additional information on IT asset management.
See ISO 55001 for additional information on asset management.
5.10 Proper Use of Information and Other Related Assets
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management #Information_protection
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Rules for the correct use and procedures for handling information and other associated assets should be identified, documented
and implemented.
Objective
Ensure that information and other associated assets are protected, used and handled appropriately.
Recommendations
Personnel and external users who use or have access to the organization's information and other
associated assets should be made aware of the information security requirements for protecting and
handling the organization's information and other associated assets. They should be responsible for
their use of any information processing facilities.
The organization should establish a topic-specific policy on the acceptable use of information and other
associated assets and communicate it to anyone who uses or handles the information and other
associated assets. The topic-specific policy on acceptable use should clearly state how individuals are
expected to use the information and other associated assets. The topic-specific policy should state:
a) expected and unacceptable behaviours of individuals from an information security perspective;
b) permitted and prohibited use of information and other associated assets;
c) the monitoring activities carried out by the organization.
Procedures for acceptable use should be established over the full life cycle of the information, based on
its classification (see 5.12) and the identified risks. The following should be considered:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintaining an up-to-date record of the authorized users of information and other associated
assets;
c) protection of temporary or permanent copies of the information to a level consistent with the
protection of the original information;
d) storage of information assets in accordance with the manufacturers' specifications (see 7.8);
e) clear marking of all copies of storage media (electronic or physical) for authorized users (see 7.10);
f) authorization of the disposal of information and other associated assets and the deletion method(s)
used (see 8.10).
Additional Information
Sometimes the assets involved do not directly belong to the organization, such as public cloud services.
The use of such third-party assets and the organization's assets associated with such external assets
(e.g., information, software) should be identified as applicable and controlled, for example through
agreements with vendors of cloud services. Care should also be taken when a collaborative work
environment is used.
5.11 Return of Assets
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management
Security domains: #Protection
Security measure
Staff and other interested parties, as appropriate, should return all assets of the organization that are in
their possession at the time of change or termination of their employment, contract or agreement.
Objective
Protect the organization's assets in the process of changing or ending their employment, contract or
agreement.
Recommendations
The change or termination process should be formalized to include the return of all previously provided
physical and electronic assets that belong to or have been entrusted to the organization.
Where staff and other interested parties purchase equipment from the organization or use their own
equipment, procedures should be followed to ensure that all relevant information is tracked and
transferred to the organization, and securely removed from hardware (see 7.14).
In cases where personnel and other interested parties have knowledge that is important to ongoing
activities, this information should be documented and passed on to the organization.
During the notice period and thereafter, the organization should prevent unauthorized copying of relevant
information (e.g. intellectual property) by personnel under notice.
The organization should clearly identify and document all information and other associated assets to be
returned, which may include:
a) end user devices;
b) portable storage media;
c) specialist equipment;
d) authentication hardware (e.g. mechanical keys, physical tokens and smart cards) for information
systems, sites and physical archives;
e) physical copies of information.
Additional Information
It can be difficult to return information held in assets that do not belong to the organization. In such
cases, it is necessary to restrict the use of the information by other information security measures such
as access rights management (5.18) or the use of cryptography (8.24).
5.12 Classification of information
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Information_protection
Security domains: #Protection #Defence
Security measure
Information should be classified according to the information security needs of the organization, based
on confidentiality, integrity and availability requirements and on the relevant requirements of interested
parties.
Objective
Ensure the identification and understanding of information protection needs based on its importance to
the organization.
Recommendations
The organization should establish a topic-specific policy on information classification and communicate
it to the relevant interested parties.
The organization should consider confidentiality, integrity and availability requirements in the classification
scheme.
The classification of information and the associated means of protection should take into account
business needs for sharing or restricting information, for protecting the integrity of information and for
ensuring its availability, as well as the legal requirements regarding the confidentiality, integrity or
availability of the information. Assets other than information can also be classified according to the
classification of the information they store, process or otherwise handle or protect.
The owners of the information should be responsible for its classification.
The classification scheme should include conventions for the classification and criteria for the revision
of this classification over time. Classification results should be updated as the value, sensitivity and level
of criticality of information changes throughout its life cycle.
The scheme should be aligned with the topic-specific policy on access control (see 5.1) and should meet
the organization's specific business needs.
Classification can be determined based on the level of impact the information compromise would have
on the organization. Each level defined in the scheme should be given a name that makes sense in the
context of the application of the classification scheme.
The scheme should be consistent across the whole organization and included in its procedures, so that
everyone classifies information and other associated assets in the same way. In this way, everyone has
the same understanding of the protection requirements and applies appropriate protection.
The classification scheme used in the organization may differ from schemes used by other organizations, even
if the names assigned to the levels are similar. In addition, information flowing between organizations may have
a classification that varies depending on its context in each organization, even if their classification schemes are
identical. Thus, agreements with other organizations involving the sharing of information should include
procedures for identifying the classification of that information and for interpreting the classification levels of other
organizations. The correspondence between different schemes can be determined by looking for
equivalence in the associated protection and handling methods.
Additional Information
Classification gives people handling information a concise indication of how to handle and protect it. Creating
groups of information with similar protection needs and specifying the information security procedures that apply
to all information in each group helps to facilitate classification. This approach reduces the need for case-by-case
risk assessment and customization of security measures.
Information may cease to be sensitive or critical after a certain period. For example, once made public,
the information no longer has confidentiality requirements, but it may still require protection of its
integrity and availability. These aspects should be taken into account, as overclassification can lead to
the implementation of unnecessary security measures and additional expense, while underclassification
can result in insufficient security measures to protect the information against compromise.
For example, an information confidentiality classification scheme can be based on four levels, namely:
a) disclosure causes no harm;
b) disclosure causes minor reputational damage or minor operational impact;
c) disclosure has a significant short-term impact on operations or business objectives;
d) disclosure has a serious impact on long-term business objectives or puts the survival of the
organization at risk.
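The four-level example scheme above, the reclassification of information once it becomes public, and the cross-organization mapping "by looking for equivalence in the associated protection and handling methods" from the recommendations, as an added example that is not part of the standard. The level names, the handling measures attached to each level and the partner organization's scheme are all constructed for the example.

```python
"""Classification scheme, handling rules and cross-organisation mapping.

Added example (not from ISO/IEC 27002): models the four-level confidentiality
scheme used as an example in 5.12, derives a level from the assessed impact
of disclosure, re-evaluates the classification when the information becomes
public, and maps a partner organisation's differently named levels onto ours
by matching the protection and handling measures each level requires.
Level names, handling measures and the partner scheme are constructed.
"""
from dataclasses import dataclass

# Our scheme: level -> (impact of disclosure, required handling measures).
# Measures are labels that a procedure or a system can enforce.
OUR_SCHEME = {
    "PUBLIC":       {"impact": 0, "measures": frozenset()},
    "INTERNAL":     {"impact": 1, "measures": frozenset({"access_control"})},
    "CONFIDENTIAL": {"impact": 2, "measures": frozenset({"access_control", "encrypt_at_rest",
                                                         "encrypt_in_transit"})},
    "SECRET":       {"impact": 3, "measures": frozenset({"access_control", "encrypt_at_rest",
                                                         "encrypt_in_transit", "need_to_know",
                                                         "dual_control"})},
}

# A partner's scheme: different names, a different number of levels, and
# measures that do not line up one-to-one with ours.
PARTNER_SCHEME = {
    "open":       frozenset(),
    "restricted": frozenset({"access_control", "encrypt_in_transit"}),
    "secret":     frozenset({"access_control", "encrypt_at_rest", "encrypt_in_transit",
                             "need_to_know"}),
}


@dataclass
class Info:
    name: str
    impact: int                     # assessed disclosure impact, 0..3 as in the 5.12 example
    public: bool = False            # has the information been made public?
    integrity_critical: bool = False


def classify(info, scheme=OUR_SCHEME):
    """Pick the level whose impact matches the assessed impact.  Information
    that has been made public no longer has a confidentiality requirement."""
    if info.public:
        return "PUBLIC"
    for level, spec in scheme.items():
        if spec["impact"] == info.impact:
            return level
    raise ValueError("impact outside the scheme: %r" % info.impact)


def required_measures(info, scheme=OUR_SCHEME):
    """Confidentiality measures from the level, plus integrity protection when
    the business needs it, which can still apply to public information."""
    measures = set(scheme[classify(info, scheme)]["measures"])
    if info.integrity_critical:
        measures.add("integrity_check")
    return measures


def map_partner_level(partner_level, partner=PARTNER_SCHEME, ours=OUR_SCHEME):
    """Map a partner level to the lowest of our levels whose measures cover
    everything the partner level requires, so that shared information is
    never under-protected on our side."""
    needed = partner[partner_level]
    for level, spec in sorted(ours.items(), key=lambda kv: kv[1]["impact"]):
        if needed <= spec["measures"]:
            return level
    raise ValueError("no level of ours covers partner level %r" % partner_level)


if __name__ == "__main__":
    docs = [Info("press release", 2, public=True, integrity_critical=True),
            Info("merger plan", 3), Info("canteen menu", 0)]
    for d in docs:
        print(d.name, "->", classify(d), sorted(required_measures(d)))
    for lvl in PARTNER_SCHEME:
        print("partner", lvl, "->", map_partner_level(lvl))
```

The partner's "restricted" level lands on our CONFIDENTIAL rather than INTERNAL because it requires encryption in transit, which INTERNAL does not provide; mapping by name would have under-protected it.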
5.13 Marking information
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Information_protection
Security domains: #Defence #Protection
Security measure
An appropriate set of procedures for marking information should be developed and implemented, in accordance
with the information classification scheme adopted by the organization.
Objective
Facilitate the communication of information classification and support the automation of information
handling and processing.
Recommendations
Information marking procedures should cover information and other associated assets in all formats. The
marking should reflect the classification scheme defined in 5.12. Marks should be easily recognizable. Procedures
should give guidance on where and how marks are attached, considering how the information is accessed
or how the assets are handled, depending on the types of storage media. Procedures can define:
a) cases where marking is not essential (e.g. marking of non-confidential information, to reduce
workload);
b) how to mark information sent by or stored on physical or electronic means, or in any other
format;
c) how to handle cases where marking is not possible (e.g. due to technical limitations).
Below are examples of marking techniques:
a) physical marks;
b) headers and footers;
c) metadata;
d) watermarks;
e) rubber stamps.
Digital information should use metadata to identify, manage and control information, particularly in terms
of confidentiality. Metadata should also allow efficient and correct retrieval of information. Metadata
should allow systems to interact and make decisions based on associated classification marks.
Procedures should describe how to attach metadata to information, what tokens to use, and how data
should be handled in accordance with the organization's information model and its ICT architecture.
Appropriate additional metadata should be added by systems when processing information, depending
on their information security properties.
Staff and other interested parties should be made aware of marking procedures. All staff should receive
adequate training to ensure that information is correctly marked and handled accordingly.
Output data from systems containing information classified as sensitive or critical should bear the
appropriate classification markings.
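The following Python example is added here for illustration and is not part of ISO/IEC 27002. It shows how the four-level scheme described under 5.12 can be attached to a record as metadata (5.13), how a system takes handling decisions from the mark, how system output carrying sensitive information receives a visible classification marking, and how an unmarked item is treated at the highest level (fail closed). The level names (PUBLIC, INTERNAL, CONFIDENTIAL, STRICT), the metadata keys and the handling rules are assumptions chosen for the example, not values taken from the standard.

```python
"""Classification marks carried as metadata (added example, not from ISO/IEC 27002).

Assumptions: a four-level scheme modelled on the example in 5.12, metadata
keys "classification" / "created_by" / "created_at", and a handling table
that in a real organization would come from its classification procedures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Level(IntEnum):
    """Assumed scheme, ordered from least to most sensitive."""
    PUBLIC = 0        # disclosure causes no harm
    INTERNAL = 1      # minor reputational or operational impact
    CONFIDENTIAL = 2  # significant short-term impact on activities or objectives
    STRICT = 3        # serious long-term impact or threat to survival


# Assumed handling rules keyed by level.
HANDLING = {
    Level.PUBLIC:       {"encrypt_in_transit": False, "external_share": True},
    Level.INTERNAL:     {"encrypt_in_transit": True,  "external_share": True},
    Level.CONFIDENTIAL: {"encrypt_in_transit": True,  "external_share": False},
    Level.STRICT:       {"encrypt_in_transit": True,  "external_share": False},
}


@dataclass
class Record:
    body: str
    metadata: dict = field(default_factory=dict)


def mark(record: Record, level: Level, process: str) -> Record:
    """Attach the classification mark plus the originating process and
    timestamp (the additional metadata 5.13 mentions) to the record."""
    record.metadata["classification"] = level.name
    record.metadata["created_by"] = process
    record.metadata["created_at"] = datetime.now(timezone.utc).isoformat()
    return record


def classification_of(record: Record) -> Level:
    """Read the mark; an unmarked record is treated at the highest level,
    which is the safe default when a mark is missing or unreadable."""
    name = record.metadata.get("classification")
    return Level[name] if name in Level.__members__ else Level.STRICT


def may_share_externally(record: Record) -> bool:
    """A system-level decision taken from the mark, as 5.13 expects."""
    return HANDLING[classification_of(record)]["external_share"]


def export(record: Record) -> str:
    """Render system output: sensitive or critical output carries a visible
    header and footer marking, public output is left unmarked."""
    level = classification_of(record)
    if level == Level.PUBLIC:
        return record.body
    banner = f"--- {level.name} ---"
    return f"{banner}\n{record.body}\n{banner}"


def aggregate_level(records: list) -> Level:
    """Systems that do not mark individual items protect the whole store at
    the highest level it contains (5.13, Additional information)."""
    return max((classification_of(r) for r in records), default=Level.PUBLIC)
```

The fail-closed default in classification_of is the design choice worth noting: when marking procedures cannot be applied (case c) above), treating the item as most sensitive avoids the underclassification problem described under 5.12.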
Additional Information
Marking of classified information is a key requirement for information sharing.
Other useful metadata that can be attached to information is the indication of the organizational process
that created the information and the corresponding date/time.
Marking information and other associated assets can sometimes have negative effects: marked assets
can be more easily identified by attackers for possible misuse.
Some systems do not mark individual files or database records with their classification, but protect all
information according to the highest classification level of all information they contain or may contain. It
is common in these types of systems to determine and then mark the information when it is exported.
5.14 Transfer of information
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management #Information_protection
Security domains: #Protection
Security measure
Information transfer rules, procedures or agreements should be in place for all types of means of transfer
within the organization, and between the organization and third parties.
Objective
Maintain the security of information transferred within the organization and to any external interested party.
Recommendations
General
The organization should establish a policy specific to the topic of information transfer and communicate it
to all interested parties. Rules, procedures and agreements to protect information in transit should take
into account the classification of the information involved. When information is transferred between the
organization and third parties, transfer agreements (including recipient authentication) should be established
and maintained to protect the information in all forms during transfer (see 5.10).
The transfer of information can be done through electronic transfer, transfer on physical storage medium
and verbal transfer.
For all types of information transfers, the rules, procedures and agreements should include:
a) security measures designed to protect the transferred information against interception, unauthorized
access, copying, modification, misdirection, destruction and denial of service, including access control
levels corresponding to the classification of the information involved and any special security
measures necessary to protect sensitive information, such as the use of cryptographic techniques
(see 8.24);
b) security measures to ensure traceability and non-repudiation, including maintaining
a chain of custody for information in transit;
c) identification of appropriate contacts in connection with the transfer, including information owners, risk
owners, security officers and persons monitoring the information, if applicable;
d) obligations and liabilities in the event of an information security incident, such as the loss of
physical storage media or data;
e) the use of an agreed marking system for sensitive or critical information, to ensure that the meaning of
the markings is immediately understood and that the information is appropriately protected (see 5.13);
f) the reliability and availability of the transfer service;
g) the topic-specific policy or guidelines on the acceptable use of information transfer
facilities (see 5.10);
h) guidelines for the retention and disposal of all business records, including messages;
NOTE Local laws and regulations may exist regarding the retention and disposal of business records.
i) consideration of any other significant legal, statutory, regulatory and contractual requirements (see 5.31,
5.32, 5.33, 5.34) relating to the transfer of information (e.g. requirements on electronic signatures).
Electronic transfer
The rules, procedures and agreements should also take into account the following elements in the context
of the use of electronic means of communication for the transfer of information:
a) detection and protection against malicious programs that can be transmitted via
the use of electronic communications (see 8.7);
b) protection of sensitive electronic information communicated as attachments;
c) prevention against sending documents and messages in communications to the wrong address or
number;
d) obtaining approval before using external public services such as instant messaging, social networks,
file sharing or cloud storage;
e) enhanced levels of authentication when transferring information over publicly accessible networks;
f) restrictions associated with means of electronic communication (e.g. prevention against automatic
forwarding of e-mails to external e-mail addresses);
g) recommending to staff and other interested parties that they do not use short message services (SMS) or
instant messages for critical information, as these can be read in public places (and therefore by
unauthorized people) or stored on devices without adequate protection;
h) informing staff and other interested parties about problems related to the use of fax machines or fax
services, namely:
1) unauthorized access to embedded message stores to retrieve messages;
2) the deliberate or accidental programming of machines to send messages to specific numbers.
Transfer of physical storage media
When transferring physical storage media (including paper), the rules, procedures and agreements should
also include:
a) responsibilities for control and notification of transmission, dispatch and receipt;
b) assurance of correct addressing and transport of the consignment;
c) packaging that protects the contents from physical damage that may occur in transit and in accordance
with the manufacturer's specifications, e.g. protection against any environmental factors that may
reduce the ability to recover data from the storage medium, such as exposure to heat, humidity or
electromagnetic fields; use of minimum technical standards for packaging and transmission (e.g. use
of opaque envelopes);
d) a list of authorized reliable couriers, agreed by management;
e) courier identification standards;
f) depending on the classification level of the information on the storage medium to be
transported, the use of tamper-evident or tamper-resistant packaging (e.g. bags, containers);
g) procedures for verifying the identity of couriers;
h) an approved list of third parties providing transport or courier services according to the
classification of the information;
i) the keeping of logs identifying the contents of the storage media and the protection applied, as
well as recording the list of authorized recipients and the times of hand-over to the
transport custodians and of receipt by the recipient.
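As an added example that is not part of ISO/IEC 27002, the Python code below implements a chain-of-custody log of the kind point b) of the general rules (traceability of information in transit) and point i) above (a log of media contents, protection applied, authorized recipients and hand-over times) call for. Each hand-over entry is chained to the previous one by a hash, so that a later alteration or removal of an entry is detectable, and each receiving party confirms the entry with a key only it holds. A per-party HMAC key is used here as a stand-in for a digital signature; non-repudiation in the strict sense requires asymmetric signatures chosen under 8.24. Media identifiers, party names, keys and timestamps in the usage are constructed.

```python
"""Hash-chained chain-of-custody log for a transferred storage medium
(added example, not from ISO/IEC 27002).

Assumptions: every party that receives the medium holds its own secret key
(a stand-in for a signing key); the caller supplies a digest of the media
contents and the list of protection measures applied.
"""
import hashlib
import hmac
import json


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of an entry bound to the hash of everything before it."""
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def _confirmation(key: bytes, entry_body: dict) -> str:
    """Receiving party's confirmation of a hand-over entry (HMAC-SHA256)."""
    message = json.dumps(entry_body, sort_keys=True).encode()
    return hmac.new(key, message, "sha256").hexdigest()


class CustodyLog:
    def __init__(self, media_id, content_digest, protection, authorized_recipients):
        # Header: what is being transferred, how it is protected, who may receive it.
        self.header = {
            "media_id": media_id,
            "content_sha256": content_digest,
            "protection": list(protection),
            "authorized_recipients": sorted(authorized_recipients),
        }
        self.entries = []
        self.head = _entry_hash("", self.header)

    def handover(self, from_party: str, to_party: str, when: str, key: bytes) -> None:
        """Append a hand-over confirmed by the receiving party's key."""
        entry = {"from": from_party, "to": to_party, "at": when, "prev": self.head}
        entry["confirmation"] = _confirmation(key, entry)
        self.head = _entry_hash(self.head, entry)
        self.entries.append(entry)

    def verify(self, keys: dict) -> bool:
        """Recompute the chain and every confirmation; False if anything was altered."""
        head = _entry_hash("", self.header)
        for entry in self.entries:
            if entry["prev"] != head:
                return False
            key = keys.get(entry["to"])
            if key is None:
                return False
            body = {k: v for k, v in entry.items() if k != "confirmation"}
            if not hmac.compare_digest(_confirmation(key, body), entry["confirmation"]):
                return False
            head = _entry_hash(head, entry)
        return head == self.head

    def delivered_to_authorized(self) -> bool:
        """True when the last custodian is on the authorized recipient list."""
        return bool(self.entries) and self.entries[-1]["to"] in self.header["authorized_recipients"]
```

In use, the sender creates the log when the medium is packaged, each custodian records receipt with its own key, and the recipient's system runs verify() with the known keys before the contents are accepted; a tampered timestamp or party name fails verification.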
Verbal transfer
To protect the verbal transfer of information, staff and other interested parties should be reminded that it is
recommended to:
a) not to hold confidential conversations in public places or via unsecured communication channels insofar
as these can be overheard by unauthorized persons;
b) not to leave messages containing confidential information on answering machines or in the form of voice
messages insofar as these can be replayed by unauthorized persons, stored on systems for collective
use or incorrectly stored as a result of a dialing error;
c) ensure that only people cleared at the appropriate level are present to hear the conversation;
d) ensure that appropriate security measures are implemented in the room (e.g. soundproofing, door closed);
e) begin any sensitive conversation with a warning, so that those present know the classification level and
handling requirements of the information they are about to hear.
Additional Information
No additional information.
5.15 Access control
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
Rules should be defined and implemented to control physical and logical access to information and other
related assets based on business and information security requirements.
Objective
Ensure authorized access and prevent unauthorized access to information and other associated assets.
Recommendations
Owners of information and other related assets should determine business and information security
requirements for access control. A policy specific to the topic of access control that takes these requirements
into account should be defined and communicated to all appropriate interested parties.
These requirements and the specific policy on this topic should take into account the following points:
a) determining which entities require a defined type of access to information and other associated assets;
b) application security (see 8.26);
c) physical access, which should be supported by appropriate physical entry controls (see 7.2, 7.3, 7.4);
d) information dissemination and authorizations (e.g. need-to-know principle), information security levels and
information classification (see 5.10, 5.12, 5.13);
e) privileged access restrictions (see 8.2);
f) segregation of duties (see 5.3);
g) relevant laws, regulations and contractual obligations relating to the limitation of
access to data or services (see 5.31, 5.32, 5.33, 5.34, 8.3);
h) separation of access control functions (e.g. access request, access authorization and access administration);
i) formal authorization of access requests (see 5.16 and 5.18);
j) management of access rights (see 5.18);
k) logging (see 8.15).
Access control rules should be implemented by defining and assigning access rights and appropriate
restrictions to the entities concerned (see 5.16). An entity can correspond to a human user as well as to a
technical or logical element (for example, a machine, a terminal or a service). To simplify access control
management, specific functions can be assigned to groups of entities.
The following points should be considered when defining and implementing access control rules:
a) consistency between access rights and classification of information;
b) consistency between access rights and physical perimeter security needs and requirements;
c) accounting for all types of connections available in distributed environments, so that entities are granted
access only to information and other associated assets, including networks and network services, that
they have permission to use;
d) consideration of how elements or factors relevant to dynamic access control may be taken into account.
Additional Information
There are often fundamental principles used in the context of access control. Two examples of the most
commonly used principles are:
a) need-to-know: an entity is granted access only to the information it needs to perform its tasks (different
tasks or functions imply different needs-to-know and therefore different access profiles);
b) need-to-use: an entity is granted access to the information technology infrastructure
only when there is an existing need.
Care should be taken when specifying access control rules, considering:
a) setting rules based on the principle of least privilege, "Everything is generally forbidden unless
explicitly allowed", rather than the weaker rule, "Everything is generally allowed unless explicitly
forbidden";
b) changes in the marking of information which are operated automatically (see 5.13) by the information
processing means, and those which are operated by the user;
c) modifications of the user's authorizations which are operated automatically by the information system,
and those which are operated by an administrator;
d) when to define and periodically review approvals.
Access control rules should be supported by documented procedures (see 5.16, 5.17, 5.18, 8.2, 8.3,
8.4, 8.5, 8.18) and defined responsibilities (see 5.2, 5.17).
There are several ways to implement access control, such as MAC (Mandatory Access Control), DAC
(Discretionary Access Control), RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access
Control).
Access control rules can also contain dynamic elements (for example, a function that evaluates past
access or environment-specific values). Access control rules can be implemented with different
granularities, ranging from coverage of entire networks or systems to specific data fields, and can also
take into consideration properties such as the location of the user or type of network connection that is
used for access. These principles and the level of granularity in defining access control can have a
significant impact on costs. Stronger rules and higher granularity generally entail higher costs. Business
requirements and risk considerations should be used to define which access control rules to apply and
what level of granularity is needed.
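The Python example below is added here to illustrate this subclause and is not part of ISO/IEC 27002. It implements the default-deny rule from the Additional information above ("everything is generally forbidden unless explicitly allowed"), combines role-based rules (RBAC) with attribute conditions on the user's network type and location (the dynamic, environment-specific elements mentioned in the last paragraph, in the ABAC style), and logs every decision as point k) of the requirements list expects. The roles, resources, attribute names and the policy itself are assumptions constructed for the example.

```python
"""Default-deny access rule evaluation with role and attribute conditions
(added example, not from ISO/IEC 27002).

Assumptions: subjects carry a set of roles plus two environment attributes,
"network" and "country"; the policy is a list of explicit allow rules and
there is no allow-all rule, so anything not matched is denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    identity: str
    roles: frozenset
    network: str      # assumed attribute, e.g. "corporate" or "public"
    country: str      # assumed attribute, ISO country code


@dataclass
class Rule:
    role: str
    resource: str
    actions: frozenset
    # Attribute conditions (ABAC); an empty dict means no extra condition.
    conditions: dict = field(default_factory=dict)


# Assumed policy: each rule is an explicit allow for one role on one resource.
# The pseudo-role "anyone" applies to every authenticated subject.
POLICY = [
    Rule("analyst", "hr/payroll", frozenset({"read"}),
         {"network": {"corporate"}}),
    Rule("hr_admin", "hr/payroll", frozenset({"read", "write"}),
         {"network": {"corporate"}, "country": {"FR", "DE"}}),
    Rule("anyone", "public/site", frozenset({"read"})),
]


def conditions_hold(rule: Rule, subject: Subject) -> bool:
    """Every attribute condition on the rule must be met by the subject."""
    for attr, allowed in rule.conditions.items():
        if getattr(subject, attr, None) not in allowed:
            return False
    return True


def is_allowed(subject: Subject, resource: str, action: str) -> bool:
    """Default deny: True only if some rule explicitly allows the action for
    one of the subject's roles and that rule's conditions hold."""
    roles = set(subject.roles) | {"anyone"}
    for rule in POLICY:
        if (rule.role in roles and rule.resource == resource
                and action in rule.actions and conditions_hold(rule, subject)):
            return True
    return False


def decide(subject: Subject, resource: str, action: str, log: list) -> bool:
    """Evaluate a request and record the outcome (logging, 5.15 k)."""
    allowed = is_allowed(subject, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    log.append(f"{subject.identity} {action} {resource} "
               f"net={subject.network} country={subject.country} -> {verdict}")
    return allowed
```

The granularity trade-off discussed above is visible in the policy: adding the country condition to the hr_admin rule buys a tighter control at the cost of one more attribute that has to be collected reliably at every request.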
5.16 Identity management
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
The full lifecycle of identities should be managed.
Objective
To enable the unique identification of people and systems that access the organization's information and
other associated assets, and to enable the appropriate assignment of access rights.
Recommendations
Processes used in the context of identity management should ensure that:
a) for identities assigned to persons, a given identity is linked to only one person, which makes it possible
to hold that person accountable for acts performed under that specific identity;
b) identities assigned to more than one person (e.g. shared identities) are only permitted when necessary
for business or operational reasons and are subject to dedicated approval and documentation;
c) identities assigned to non-human entities are subject to appropriately separated approval
and ongoing independent oversight;
d) identities are promptly deactivated or deleted if they are no longer needed (for example, if associated
entities are deleted or no longer used, or if the person linked to an identity has left the organization
or changed roles);
e) in a specific domain, a given identity is associated with one and only one entity [i.e. the association of
several identities with the same entity in the same context (duplicate identities) is avoided];
f) records of all significant events relating to the use and management of
user identities and authentication information are retained.
The organization should have a support process in place to manage changes to user identity information.
These processes may include re-verification of trust documents linked to a person.
When using identities provided or created by third parties (e.g. social media IDs), the organization should
ensure that the third party identities provide the required level of trust and that any risk associated is
identified and sufficiently addressed.
This may include security measures relating to third parties (see 5.19) as well as security measures
relating to associated authentication information (see 5.17).
Additional Information
Granting or removing access to information and other related assets is generally a multi-step process:
a) confirm the business requirements for an identity to be implemented;
b) verify the identity of an entity before assigning it a logical identity;
c) establish an identity;
d) configure and activate the identity. This also includes the configuration and initial setup of
associated authentication services;
e) grant or revoke identity-specific access rights, based on appropriate authorization or
entitlement decisions (see 5.18).
5.17 Authentication information
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
The allocation and management of authentication information should be controlled by a management process, including guidance
to personnel on the appropriate use of authentication information.
Objective
Ensure correct entity authentication and avoid authentication process failures.
Recommendations
Assigning Credentials
The management and allocation process should ensure that:
a) personal passwords or personal identification numbers (PINs) automatically generated during registration processes as
temporary secret authentication credentials are unguessable and unique to each person, and that users must modify them
after the first use;
b) procedures are in place to verify the identity of a user before assigning
new, replacement or temporary authentication information;
c) authentication information, including temporary ones, is transmitted to users in a secure manner (for example, through an
authenticated and protected channel), and that the use of unprotected (plain text) e-mail for this purpose is avoided;
d) users acknowledge receipt of authentication information;
e) default authentication credentials as predefined or provided by vendors
are changed immediately after installation of the systems or software;
f) records of significant events relating to the assignment and management of authentication information are kept and their
confidentiality ensured, and that the method of keeping the records is approved (for example, using an approved password
vault tool).
User responsibilities
Anyone accessing or using authentication information should be advised to ensure that:
a) secret authentication information, such as passwords, is kept confidential. Personal secret authentication information should not
be shared with anyone. Secret authentication information used in the context of identities associated with multiple users or
associated with non-human entities is only shared with authorized individuals;
b) the impacted or compromised authentication information is immediately changed following
notification, or other indication, of a compromise;
c) when passwords are used as authentication credentials, strong passwords are chosen according to
best practice recommendations, for example:
1) passwords are not based on information that someone can easily guess or obtain using
information about the person (e.g. names, phone numbers and dates of birth);
2) passwords are not based on dictionary words or combinations thereof;
3) easily remembered passphrases are used, including alphanumeric and special characters
where possible;
4) passwords have a minimum length;
d) the same passwords are not used in separate services and systems;
e) the obligation to follow these rules is also included in the terms and conditions of employment
(see 6.2).
Password management system
When passwords are used as authentication credentials, the password management system should:
a) allow users to choose and change their passwords, and include a confirmation procedure to deal
with input errors;
b) enforce strong passwords in accordance with best practice recommendations [see c)
under "User responsibilities"];
c) require users to change their password on first login;
d) enforce password changes as necessary, for example after a security incident, or upon termination
or change of employment, when a user knows passwords for identities that remain active (for
example, shared identities);
e) prevent the reuse of old passwords;
f) prevent the use of commonly used passwords and compromised username and password combinations
from hacked systems;
g) not display passwords on screen as they are entered;
h) store and transmit passwords in a protected form.
Encryption and hashing of passwords should be done in accordance with approved cryptographic
techniques for passwords (see 8.24).
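The following Python example is added for illustration and is not part of ISO/IEC 27002. It implements the points of "Password management system" that can be automated in code: strength rules following the user-responsibility recommendations (b), a forced change on first login (c), no reuse of the current or previous passwords (e), rejection of commonly used or compromised passwords (f), and storage in protected form using a salted PBKDF2 hash with constant-time verification (h). The minimum length, the history depth, the PBKDF2 iteration count and the short common-password list are assumptions constructed for the example; the real parameters should be those approved under 8.24, and a production system would consult a full breached-password list.

```python
"""Password management system checks (added example, not from ISO/IEC 27002).

Assumptions: MIN_LENGTH, HISTORY_DEPTH and PBKDF2_ITERATIONS are illustrative
values; COMMON_PASSWORDS is a constructed stand-in for a breached-password list.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                 # assumed minimum length (user responsibilities, c 4)
HISTORY_DEPTH = 5               # assumed number of previous hashes kept (e)
PBKDF2_ITERATIONS = 200_000     # assumed; use parameters approved under 8.24
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification leaks no timing information."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_strength(password: str, personal_info: list) -> list:
    """Return the list of violated rules (empty means acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # (f): common or compromised passwords, also as a building block.
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("common or compromised password")
    # (c 1): not derived from easily obtained personal information.
    if any(info.lower() in lowered for info in personal_info if len(info) >= 3):
        problems.append("contains personal information")
    # (c 3): passphrases should mix alphanumeric and special characters.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)
            and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs letters, digits and a special character")
    return problems


class Account:
    """Minimal account record: current hash, bounded history, first-login flag."""

    def __init__(self, username: str, initial_password: str, personal_info=()):
        self.username = username
        self.personal_info = list(personal_info)
        self.history = []                   # list of (salt, digest) tuples
        self.must_change = True             # temporary credential: change on first use
        self.salt, self.digest = hash_password(initial_password)

    def login(self, password: str) -> str:
        """'denied', 'change_required' (first login) or 'ok'."""
        if not verify(password, self.salt, self.digest):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> list:
        """Apply all rules; return the reasons for refusal (empty on success)."""
        if not verify(old, self.salt, self.digest):
            return ["current password incorrect"]
        problems = check_strength(new, [self.username, *self.personal_info])
        # (e): compare against the current hash and the retained history.
        previous = [(self.salt, self.digest), *self.history]
        if any(verify(new, s, d) for s, d in previous):
            problems.append("password was used before")
        if problems:
            return problems
        self.history = previous[:HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return []
```

Only salted hashes are ever kept, so the history check has to re-hash the candidate against each stored salt; that cost is the reason the history is bounded by HISTORY_DEPTH.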
Additional Information
Passwords or passphrases are a commonly used type of authentication information and are a common
way to verify a user's identity. Other types of authentication information are cryptographic keys, data
stored on physical tokens (eg, smart cards) that produce authentication codes, and biometric data such
as iris scans or fingerprints. Additional information is available in the ISO/IEC 24760 series.
Requiring passwords to be changed frequently can be problematic, as users may become annoyed by
frequent changes, may forget new passwords, write them down in insecure places, or choose insecure
passwords. The provision of Single Sign On (SSO) or other authentication management tools (e.g.
password vault) limits the amount of authentication information users must protect and can thus improve
the effectiveness of this security measure. However, these tools can also increase the impact
of leaking credentials.
Some applications require user passwords to be assigned by an independent authority. In these cases, points a), c) and d) of
“Password Management System” do not apply.
5.18 Access rights
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
Access rights to information and other related assets should be provided, reviewed, modified, and terminated in accordance with
the topic-specific access control policy and the organization's access control rules.
Objective
Ensure that access to information and other related assets is defined and authorized in accordance with business requirements.
Recommendations
Provision and revocation of access rights
The process for provisioning or revoking the physical and logical access rights granted to an entity's authenticated identity should
include:
a) obtaining permission from the owner of the information and other associated assets for the use of that information and other
associated assets (see 5.9). Separate approval of access rights by management may also be appropriate;
b) taking into account business requirements as well as the organization's topic-specific access control
policy and access control rules;
c) consideration of segregation of duties, including the separation of approval and enforcement functions and the separation of
incompatible functions;
d) ensuring that access rights are removed when an individual does not need to access information and other associated assets,
in particular ensuring that the access rights of users who have left the organization are deleted quickly;
e) taking into account the granting of temporary access rights for a limited period and their revocation on the expiry date, in
particular for temporary staff or for temporary access necessary for staff;
f) verifying that the level of access granted is aligned with topic-specific access control policies (see 5.15) and is consistent with
other information security requirements such as segregation of duties (see 5.3);
g) ensuring that access rights are not activated (e.g. by service providers) until the authorization procedures
have been successfully completed;
h) maintaining a centralized record of all access rights granted to a user identifier (ID, logical or physical) to access information and
other associated assets;
i) modification of the access rights of users who have changed role or position;
j) removing or adjusting physical and logical access rights, which may be accomplished by removing,
revoking or replacing keys, authentication information, identification cards or subscriptions;
k) maintaining an up-to-date record of changes to users' physical and logical access rights.
Review of access rights
Regular reviews of physical and logical access rights should consider the following:
a) user access rights following any change within the same organization (e.g. change of position,
promotion, demotion) or termination of employment (see 6.1 to 6.5);
b) permissions for privileged access rights.
Considerations before change or termination of employment
A user's access rights to information and other related assets should be reviewed and adjusted or
removed prior to any change or termination of employment based on the assessment of risk factors such
as:
a) if the termination or change of employment occurred at the initiative of the user or the management, and
the reason for termination;
b) current user responsibilities;
c) the value of currently accessible assets.
Additional Information
Consideration should be given to establishing user access roles based on business requirements, which
group a set of access rights into typical user access profiles. Access requests and access rights reviews
are easier to manage at the level of these roles than at the level of individual access rights.
Consideration should be given to including clauses in staff contracts and service contracts which stipulate
the penalties for attempted unauthorized access by staff (see 5.20, 6.2, 6.4, 6.6).
When management initiates the termination of the employment contract, disgruntled external party staff
or users may deliberately alter information or sabotage information processing facilities. In cases where
people resign or are fired, they may be tempted to collect information for later use.
Cloning is an effective way for organizations to assign access to users.
However, it should be done carefully based on the different functions identified by the organization rather
than just cloning an identity with all the associated access rights.
Cloning carries the inherent risk of creating excessive access rights to information and other associated
assets.
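The Python example below is added for illustration and is not part of ISO/IEC 27002. It serves both 5.16 and 5.18: one active identity per person in a domain (5.16 e), deactivation of an identity that is no longer needed (5.16 d), a central record of all rights granted to an identity (5.18 h), temporary rights that lapse on their expiry date (5.18 e), re-provisioning on a change of role (5.18 i), removal of all rights on leaving (5.18 d), a periodic review that flags rights held by inactive identities or past expiry, and provisioning from role profiles rather than by cloning another user's identity, as the Additional information above recommends. Role names, resources, identifiers and dates are constructed for the example.

```python
"""Access-rights provisioning, expiry, role change, offboarding and review
(added example, not from ISO/IEC 27002).

Assumptions: ROLE_PROFILES maps an assumed role name to the standing rights
that role needs; dates are passed in explicitly so the logic is testable.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Identity:
    identity_id: str
    person: str          # real-world entity the identity is bound to (5.16 a)
    role: str
    active: bool = True


@dataclass
class Grant:
    identity_id: str
    resource: str
    approved_by: str
    expires: Optional[date] = None   # None means a standing right


# Assumed role-to-rights profiles (5.18, Additional information).
ROLE_PROFILES = {
    "analyst": {"reports/read"},
    "finance": {"reports/read", "ledger/write"},
}


class AccessRegistry:
    """Central record of identities and of every right granted to them."""

    def __init__(self):
        self.identities = {}
        self.grants = []
        self.log = []

    def create_identity(self, identity_id: str, person: str, role: str) -> Identity:
        # 5.16 e: one active identity per person in this domain.
        if any(i.person == person and i.active for i in self.identities.values()):
            raise ValueError(f"{person} already has an active identity")
        ident = Identity(identity_id, person, role)
        self.identities[identity_id] = ident
        self.provision_from_role(ident)
        return ident

    def provision_from_role(self, ident: Identity) -> None:
        """Assign rights from the role profile, never by copying another user."""
        for resource in sorted(ROLE_PROFILES.get(ident.role, ())):
            self.grant(ident.identity_id, resource, approved_by="role-profile")

    def grant(self, identity_id, resource, approved_by, expires=None) -> None:
        self.grants.append(Grant(identity_id, resource, approved_by, expires))
        self.log.append(f"GRANT {identity_id} {resource} by {approved_by} exp={expires}")

    def rights_of(self, identity_id: str, today: date) -> set:
        """Rights in force today: standing rights plus unexpired temporary ones."""
        return {g.resource for g in self.grants
                if g.identity_id == identity_id
                and (g.expires is None or g.expires >= today)}

    def expire(self, today: date) -> list:
        """5.18 e: remove temporary rights whose expiry date has passed."""
        expired = [g for g in self.grants if g.expires is not None and g.expires < today]
        self.grants = [g for g in self.grants if g not in expired]
        for g in expired:
            self.log.append(f"EXPIRE {g.identity_id} {g.resource}")
        return expired

    def change_role(self, identity_id: str, new_role: str) -> None:
        """5.18 i: drop the old rights and re-provision from the new role."""
        ident = self.identities[identity_id]
        self.grants = [g for g in self.grants if g.identity_id != identity_id]
        ident.role = new_role
        self.provision_from_role(ident)
        self.log.append(f"ROLE {identity_id} -> {new_role}")

    def offboard(self, identity_id: str) -> None:
        """5.16 d and 5.18 d: deactivate the identity and remove all its rights."""
        self.identities[identity_id].active = False
        self.grants = [g for g in self.grants if g.identity_id != identity_id]
        self.log.append(f"OFFBOARD {identity_id}")

    def review(self, today: date) -> list:
        """Periodic review: flag rights held by inactive identities or past expiry."""
        findings = []
        for g in self.grants:
            ident = self.identities.get(g.identity_id)
            if ident is None or not ident.active:
                findings.append(f"{g.identity_id} inactive but holds {g.resource}")
            elif g.expires is not None and g.expires < today:
                findings.append(f"{g.identity_id} expired right {g.resource}")
        return findings
```

A clean review() result is the expected state when the provisioning procedures are followed; a non-empty result is the evidence the periodic review is meant to surface, and every grant, expiry, role change and offboarding is appended to the log so the record of changes (5.18 k) exists.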
5.19 Information security in supplier relationships
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Supplier_relationships_security
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Processes and procedures should be defined and implemented to manage the information security risks that are
associated with the use of the supplier's products or services.
Objective
Maintain the agreed level of information security in supplier relationships.
Recommendations
The organization should establish and communicate to all interested parties a policy specific to the topic of
relations with suppliers.
The organization should identify and implement processes and procedures to address security risks associated
with the use of supplier products and services. This recommendation should also be applied to the organization's
use of cloud service provider resources. These processes and procedures should include those to be implemented
by the organization, as well as those that the organization requires the supplier to implement at the start or end of
the use of the supplier's products or services, including:
a) identification and documentation of the types of suppliers (e.g. ICT services, logistics services, support
services, financial services, ICT infrastructure components) that may affect the confidentiality, integrity and
availability of the organization's information;
b) establishing how to evaluate and select suppliers based on the sensitivity of information, products and services
(for example, using market analysis, customer references, review documents, on-site assessments,
certifications);
c) the evaluation and selection of supplier products or services that have adequate information security measures,
and their review; in particular, the accuracy and completeness of the security measures implemented by the
supplier to ensure the integrity of the supplier's information and information processing, and consequently the
information security of the organization;
d) the definition of the information, ICT services and physical infrastructure of the organization which the suppliers
can access and which they can supervise, control or use;
e) definition of the types of components and services of the suppliers' ICT infrastructure, which may affect the
confidentiality, integrity and availability of the organization's information;
f) the assessment and management of information security risks associated with:
1) the vendors' use of the organization's information and other related assets, including risks from potentially
malicious vendor personnel;
2) the malfunction or vulnerabilities of the products (including the software components and sub-components
used in these products) or the services of the suppliers;
g) monitoring compliance with the information security requirements established for each type of supplier and
each type of access, including third-party product review and validation;
h) mitigation of a supplier's non-compliance, whether detected through monitoring or by other means;
i) the handling of incidents and contingencies associated with supplier products and services, including the
responsibilities of both the organization and the suppliers;
j) the resiliency and, if necessary, recovery and contingency measures to ensure the availability of the supplier's
information and the information processing carried out by the supplier and consequently the availability of
the organization's information;
k) awareness and training of organization personnel who interact with supplier personnel, on appropriate rules of
engagement, topic-specific policies, processes and procedures, and expected behaviour, depending on the type
of supplier and the supplier's level of access to the organization's systems and information;
l) managing the necessary transfer of information and other associated assets and anything that needs
to be changed, and ensuring that the security of the information is maintained for the duration of the
transfer;
m) requirements to ensure secure termination of the supplier relationship, including:
1) removal of assigned access rights;
2) handling of information;
3) determination of ownership of intellectual property created during the contract;
4) portability of information in the event of a change of supplier or insourcing;
5) records management;
6) return of assets;
7) secure disposal of information and other associated assets;
8) ongoing confidentiality requirements;
n) the level of personnel security and physical security expected of supplier personnel and facilities.
Consideration should be given to procedures for continuing information processing in the event that the supplier
is no longer able to provide its products or services (for example, due to an incident, the supplier ceasing activity,
or production of certain components stopping because of technological advances), in order to avoid any delay in
setting up replacement products or services (for example, by identifying an alternative supplier in advance or by
always using alternative suppliers).
Additional Information
In cases where an organization is not able to impose requirements on a supplier, the organization should:
a) take into account the recommendations given in this security measure when making decisions regarding the
choice of a supplier and its product or service;
b) implement compensating measures, as far as necessary, based on a risk assessment.
Information may be put at risk by suppliers with inadequate information security management. Security measures
should be determined and applied to manage supplier access to information and other associated assets. For
example, if there is a particular need for confidentiality of information, non-disclosure agreements or cryptographic
techniques can be used. Another example concerns the risks related to the protection of personal data when the
agreement concluded with the supplier includes the transfer of, or access to, information across borders. The
organization needs to be aware that the legal or contractual responsibility for protecting information remains with it.
Risks can also be caused by inadequate security measures in suppliers' ICT infrastructure services and
components. Faulty or vulnerable services or components may cause information security breaches in the
organization or in another entity (for example, they may cause malware infection, attacks or other damage to
entities other than the organization).
See ISO/IEC 27036-2 for more information.
5.20 Information Security in Supplier Agreements
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Supplier_relationships_security
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Appropriate information security requirements should be established and agreed with each supplier, depending
on the type of relationship with the supplier.
Objective
Maintain the agreed level of information security in supplier relationships.
Recommendations
Agreements with suppliers should be established and documented to ensure that both the organization and the
supplier understand each other's obligations to meet applicable information security requirements.
To meet the identified information security requirements, the following terms may be considered for inclusion in
the agreements:
a) description of the information to be provided or accessed, and the methods for providing or accessing that
information;
b) classification of information according to the organization's classification scheme (see 5.10, 5.12, 5.13);
c) mapping of the organization's own classification scheme to the provider's classification scheme;
d) legal, statutory, regulatory and contractual requirements, including data protection, the processing of
personally identifiable information (PII), intellectual property rights and copyright, and a description of how
these requirements are to be met;
e) obligation for each contracted party to implement an agreed set of security measures, including access
control, performance analysis, monitoring, reporting and auditing, and obligations for the supplier to comply
with the organization's information security requirements;
f) rules for acceptable use of the information and other associated assets, including, where necessary, what
constitutes unacceptable use;
g) procedures or conditions for granting or removing authorization for supplier personnel to use the organization's
information and other associated assets (for example, through an explicit list of supplier personnel authorized
to use the organization's information and other associated assets);
h) information security requirements relating to the supplier's ICT infrastructure; in particular, the minimum
information security requirements for each type of information and type of access, to be used as the basis
of agreements with each supplier, based on the organization's business needs and risk criteria;
i) indemnities and corrective actions in the event of the supplier's failure to comply with the requirements;
j) incident management procedures and requirements (particularly notification and cooperation in
corrective action);
k) training and awareness requirements for specific information security procedures and requirements
(e.g. incident response and authorization procedures);
l) necessary arrangements for subcontracting, including the security measures to be implemented, such as an
agreement on the use of subcontractors (for example, requiring that they be subject to the same obligations
as the supplier, and requiring a list of subcontractors and prior notification of any change);
m) necessary contacts, including a contact for information security issues;
n) any requirements for screening of supplier personnel, where permitted by law, including responsibilities for
carrying out the screening and procedures for notification if the screening is not completed or the results
give cause for concern or doubt;
o) evidence and assurance mechanisms for third-party attestations of significant information security
requirements relating to the supplier's processes, and independent reporting on the effectiveness of
security measures;
p) right to audit the supplier's security processes and measures in relation to the contract;
q) obligation for the supplier to periodically provide a report on the effectiveness of the security measures
and its agreement to the prompt correction of the significant problems indicated in the report;
r) process for correcting defects and resolving disputes;
s) provision of backups in line with the organization's needs (in terms of frequency, type and storage location);
t) assurance of the availability of an alternative facility (i.e. a disaster recovery site) that is not subject to the
same threats as the primary facility, and consideration of fallback means (alternative security measures) if
the primary security measures fail;
u) a change management process that ensures prior notification to the organization and the possibility for the
organization to refuse the changes;
v) physical security measures appropriate to the classification of the information;
w) information transfer security measures designed to protect information during physical transfer or logical
transmission;
x) termination clauses agreed when entering into the contract, including records management, return of assets,
secure disposal of information and other associated assets, and any ongoing confidentiality obligations;
y) provision of a method for securely destroying the organization's information stored by the supplier as soon
as it is no longer needed;
z) at the end of the contract, provision of support for handover to another supplier or to the organization itself.
The organization should establish and maintain a register of agreements with external parties (e.g. contracts,
memoranda of understanding, information sharing agreements) to keep track of where its information goes. The
organization should also regularly review, validate and update its agreements with external parties to ensure that
they are still necessary and include the relevant information security clauses.
Additional Information
Agreements can differ significantly from organization to organization and between types of vendors.
Care should therefore be taken to include all important requirements to address information security
risks.
For details on vendor agreements, see the ISO/IEC 27036 series. For cloud service agreements, see
the ISO/IEC 19086 series.
5.21 Information Security Management in the ICT Supply Chain
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Supplier_relationships_security
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Processes and procedures should be defined and implemented to manage information security risks
associated with the supply chain of ICT products and services.
Objective
Maintain the agreed level of information security in supplier relationships.
Recommendations
The following points should be considered when addressing information security in the context of ICT
supply chain security, in addition to general information security requirements for supplier relationships:
a) define the information security requirements to be applied to the acquisition of ICT products or services;
b) require ICT service providers to propagate the application of the organisation's security requirements
throughout the supply chain if they outsource parts of the ICT service provided to the organisation;
c) require suppliers of ICT products to propagate appropriate security practices throughout the supply chain if
these products contain components purchased or obtained from other suppliers or entities (for example,
subcontractors in software development and suppliers of hardware components);
d) require suppliers of ICT products to provide information describing the software components used in the
products;
e) require suppliers of ICT products to provide information describing the security features implemented
for their product and the configuration required for it to operate securely;
f) implement a monitoring process and acceptable methods to validate that delivered ICT products and services
comply with the specified security requirements. Examples of such supplier review methods include
penetration testing and proof or validation of third-party certifications of the supplier's information security
operations;
g) implement a process for identifying and documenting the components of a product or service that are critical
to maintaining operation and therefore require additional attention, monitoring and follow-up when they are
built outside the organization, particularly if the supplier subcontracts certain aspects of the product or
service components to other suppliers;
h) obtain assurance that critical components and their origin can be traced throughout the supply chain;
i) obtain assurance that the delivered ICT products function as intended without any unexpected or unwanted
features;
j) implement processes to ensure that components from suppliers are authentic and unchanged from
their specifications. Examples of measures are tamper-evident markings, verification of cryptographic
fingerprints or digital signatures. Monitoring of out-of-specification performance may provide an
indication of tampering or counterfeiting. Tamper prevention and detection should be implemented
in multiple stages of the system development life cycle, including design, development, integration,
operation and maintenance;
k) obtain assurance that ICT products meet the required levels of security, for example, through formal
certification or an evaluation scheme such as the Common Criteria Mutual Recognition Arrangement;
l) define rules for sharing information regarding the supply chain and any possible issues and trade-offs
between the organization and suppliers;
m) implement specific processes for managing the life cycle of ICT components and their availability, as
well as the associated security risks. This includes managing the risk that components may no
longer be available due to suppliers going out of business or production of those components
stopping due to technological advances. Consideration should be given to identifying an alternate
vendor and the process of transferring software and skills to the alternate vendor.
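Points d) and j) above can be combined into a single acceptance check: the supplier's description of the software components in a product gives the list of expected files and their published fingerprints, and verifying those cryptographic fingerprints on delivery confirms that each component is authentic and unchanged. The following Python is an added example written for this page; it is not from ISO/IEC 27002 or from any supplier. The manifest format, the product and component names and the file contents are constructed for illustration, and the check deliberately fails closed on a manifest that carries no valid fingerprint.

```python
"""Verify delivered software components against the supplier's component
manifest. Added example: the manifest format, product and component names are
constructed for illustration and are not from ISO/IEC 27002 or any real product."""
import hashlib
import hmac
import json
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def fingerprint(data: bytes) -> str:
    """Cryptographic fingerprint (SHA-256, lowercase hex) of a delivered file."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(product: str, version: str, components: list) -> str:
    """Serialize a supplier manifest; components is a list of
    (name, version, sha256-hex) triples. Constructed format, not a standard."""
    return json.dumps({
        "product": product,
        "version": version,
        "components": [
            {"name": n, "version": v, "sha256": h} for n, v, h in components
        ],
    })


# Constructed supplier manifest: the component list the supplier provides,
# with the fingerprint it published for each delivered file.
SUPPLIER_MANIFEST = build_manifest("example-gateway", "2.4.1", [
    ("libparse", "1.8.0", fingerprint(b"libparse-1.8.0 contents")),
    ("tlsstack", "3.1.2", fingerprint(b"tlsstack-3.1.2 contents")),
    ("uiwidgets", "0.9.4", fingerprint(b"uiwidgets-0.9.4 contents")),
])

# Constructed delivery: component name -> bytes actually received.
# 'tlsstack' differs from the manifest (simulates an altered or wrong build),
# 'uiwidgets' was not delivered, and 'telemetry' was never declared.
DELIVERED = {
    "libparse": b"libparse-1.8.0 contents",
    "tlsstack": b"tlsstack-3.1.2 contents\x00patched",
    "telemetry": b"undeclared component",
}


def verify_delivery(manifest_json: str, delivered: dict) -> dict:
    """Compare each delivered component with the manifest. Raises on a
    malformed manifest; reports verified, mismatched, missing and undeclared
    components so that nothing unexpected is accepted silently."""
    manifest = json.loads(manifest_json)
    expected = {}
    for entry in manifest["components"]:
        digest = str(entry.get("sha256", "")).lower()
        if not SHA256_HEX.match(digest):
            raise ValueError(f"manifest entry {entry.get('name')!r} has no valid SHA-256")
        expected[entry["name"]] = digest

    report = {"verified": [], "mismatched": [], "missing": [], "undeclared": []}
    for name, digest in expected.items():
        if name not in delivered:
            report["missing"].append(name)
        elif hmac.compare_digest(fingerprint(delivered[name]), digest):
            report["verified"].append(name)
        else:
            report["mismatched"].append(name)
    report["undeclared"] = sorted(set(delivered) - set(expected))
    return report


def acceptable(report: dict) -> bool:
    """Accept a delivery only if every declared component verified and
    nothing that was not declared arrived with it."""
    return not (report["mismatched"] or report["missing"] or report["undeclared"])


if __name__ == "__main__":
    report = verify_delivery(SUPPLIER_MANIFEST, DELIVERED)
    for status, names in report.items():
        print(f"{status:10s}: {', '.join(names) or '-'}")
    print("accept delivery:", acceptable(report))
```

The fingerprint comparison covers only the integrity of the files against what the supplier declared; it says nothing about whether the manifest itself came from the supplier. In practice the manifest would additionally be signed by the supplier and the signature checked with a key obtained out of band, which is the digital-signature half of point j) and is not shown here.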
Additional Information
Specific ICT supply chain risk management practices build on, but do not replace general information
security, quality, project management and systems engineering practices.
Organizations are advised to work with suppliers to understand the ICT supply chain and all matters that have a
significant impact on the products and services to be provided. The organization can influence the information
security practices applied in the ICT supply chain by clearly stipulating, in the agreements concluded with its
suppliers, the matters that other suppliers in the ICT supply chain should address.
ICT products should be acquired from reputable sources. The reliability of software and hardware is a
matter of quality control. Although an organization typically does not have the ability to inspect its
suppliers' quality control systems, it can make reliable judgments based on the supplier's reputation.
The ICT supply chain as discussed here includes cloud services.
Examples of ICT supply chains are:
a) provision of cloud services, where the cloud service provider relies on software developers,
telecommunications service providers and hardware providers;
b) Internet of Things (IoT), where the service involves device manufacturers, cloud service providers
(e.g. IoT platform operators), web and mobile application developers and software library providers;
c) hosting services, where the supplier relies on external service centres, including first-, second- and
third-level support.
See ISO/IEC 27036-3 for further details and guidance on risk assessment.
Software Identification (SWID) tags can also help improve information security in the supply chain by
providing information about where software comes from. See ISO/IEC 19770-2 for details.
5.22 Service Provider Monitoring, Review and Change Management
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Supplier_relationships_security #Information_security_assurance
Security domains: #Governance_and_Ecosystem #Protection #Defence
Security measure
The organization should regularly monitor, review, evaluate and manage changes in suppliers' information security
practices and service delivery.
Objective
Maintain an agreed level of information security and service delivery, in accordance with agreements with
suppliers.
Recommendations
Monitoring, review and change management of supplier services should ensure that the information security
terms and conditions of the agreements are adhered to, that information security issues and incidents are
properly managed, and that changes in the suppliers' services or in the business situation do not affect service
delivery.
This should include a process for managing the relationship between the organization and the supplier in
order to:
a) monitor service performance levels to verify compliance with agreements;
b) monitor changes made by suppliers, including:
1) enhancements to existing services provided;
2) development of new applications and systems;
3) changes or updates to the supplier's policies and procedures;
4) new or modified security measures to resolve information security incidents and to improve
information security;
c) monitor changes in the services of providers, including:
1) network changes and enhancements;
2) the use of new technologies;
3) the adoption of new products or more recent versions;
4) new development tools and environments;
5) changes to the physical location of service facilities;
6) changes of subcontractors;
7) subcontracting to another supplier;
d) review service reports produced by the supplier and organize regular progress meetings as required by the
agreements;
e) conduct audits of suppliers and subcontractors in conjunction with the review of independent auditors'
reports, if any, and follow up on identified issues;
f) provide information relating to information security incidents and review such information as required
by the agreements and by all supporting guidelines and procedures;
g) review the supplier's audit logs and records of information security events, operational issues, faults,
malfunctions and interruptions relating to the service provided;
h) manage and respond to all identified information security events or incidents;
i) identify and manage information security vulnerabilities;
j) examine the information security aspects of the supplier's relations with its own suppliers;
k) ensure that the supplier maintains sufficient service capacity and workable plans designed to ensure that
agreed service continuity levels are maintained following a major service failure or disaster (see 5.29, 5.30,
5.35, 5.36, 8.14);
l) ensure that suppliers designate persons responsible for monitoring compliance with, and enforcing, the
requirements stipulated in the agreements;
m) regularly assess that suppliers maintain adequate levels of information security.
Responsibility for supplier relationship management should be assigned to a designated person or team.
Sufficient resources and technical skills should be made available to monitor that contract requirements,
in particular information security requirements, are met. Appropriate measures should be taken when
shortcomings in the provision of the service are observed.
Additional Information
See ISO/IEC 27036-3 for details.
5.23 Information security in the use of cloud services
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Supplier_relationships_security
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Processes for acquiring, using, managing, and terminating cloud services should be established in
accordance with the organization's information security requirements.
Objective
Specify and manage information security when using cloud services.
Recommendations
The organization should establish and communicate to all relevant interested parties a topic-specific policy on the
use of cloud services.
The organization should define and communicate how it plans to manage the information security risks associated with the
use of cloud services. This may be an extension or part of the existing approach to how the organization manages services
provided by external parties (see 5.21 and 5.22).
The use of cloud services may include shared responsibility for information security and a collaborative effort between the
cloud service provider and the organization that has the role of cloud service customer. It is essential that the responsibilities
of the cloud service provider and the organization as a customer of the cloud services are defined and implemented
appropriately.
The organization should define:
a) all relevant information security requirements associated with the use of cloud services;
b) the criteria for selecting cloud services and the scope of their use;
c) roles and responsibilities relating to the use and management of cloud services;
d) the information security measures that are managed by the cloud service provider and those managed by the
organization as cloud service customer;
e) how to obtain and use the information security capabilities made available by the cloud service provider;
f) how to obtain assurance on the information security measures implemented by the cloud service provider;
g) how to manage information security measures, interfaces and changes in services when an organization uses multiple
cloud services, particularly if they are provided by different cloud service providers;
h) procedures for managing information security incidents that occur in connection with
use of cloud services;
i) its approach to monitoring, reviewing and evaluating cloud services in use to manage information security risks;
j) how to change or discontinue use of cloud services, including cloud service exit strategies.
Cloud service agreements are often predefined and not open to negotiation. For all cloud services, the organization should
review the cloud service agreements with the cloud service provider(s). A cloud service contract should address the
organization's requirements for confidentiality, integrity, availability and management of information, with appropriate cloud
service level objectives and appropriate quality objectives of the cloud service. The organization should perform appropriate
risk assessments to identify the risks associated with the use of the cloud service. Any residual risks associated with the use
of the cloud service should be clearly identified and accepted by the appropriate level of management in the organization.
A contract between the cloud service provider and the organization, having the role of customer of the
cloud service, should include the following provisions to protect the organization's data and ensure the
availability of the services:
a) provide solutions based on accepted industry standards for architecture and infrastructure;
b) manage cloud service access controls to meet the organization's requirements;
c) implement monitoring and malware protection solutions;
d) process and store the organization's sensitive information in approved locations (e.g. a specific country or
region) or subject to a specific jurisdiction;
e) make dedicated support available in the event of an information security incident in
the cloud service environment;
f) ensure that the organization's information security requirements are met in the event that cloud
services are themselves outsourced to an external provider (or prohibition on outsourcing cloud
services);
g) support the organization in gathering digital evidence, taking into account digital evidence laws and
regulations in different jurisdictions;
h) provide appropriate support and service availability for an appropriate period when the organization wishes to
discontinue use of the cloud services;
i) provide the necessary backups of data and configuration information and securely manage backups as
appropriate, based on the cloud service provider capabilities used by the organization as cloud service
customer;
j) provide and return information, such as configuration files, source codes and data that belong to the
organization, in its capacity as a customer of the cloud service, on request during the provision of
the service or during termination of service.
The organization, as cloud service customer, should consider whether the agreement should require cloud service
providers to give prior notification of any change that has a significant impact on the customer and relates to the
way the service is provided to the organization, including:
a) changes to the technical infrastructure (e.g. relocation, reconfiguration, or changes to hardware or software)
that affect or modify the cloud service offering;
b) processing or storing information in a new geographic or legal jurisdiction;
c) use of other cloud service providers or sub-processors (including changing existing providers and
sub-processors or using new ones).
The organization using cloud services should maintain close contact with its cloud service providers. These
contacts enable a mutual exchange of information on information security relating to the use of cloud services,
with a mechanism available to both the cloud service provider and the organization as cloud service customer to
monitor each feature of the service and report any failures against the commitments made in the agreements.
Additional Information
This security measure addresses cloud security from the perspective of the cloud service customer.
Further information on cloud services is available in ISO/IEC 17788, ISO/IEC 17789 and ISO/IEC 22123-1.
Specifics relating to portability of cloud computing in support of exit strategies are available in ISO/IEC 19941.
Specifics relating to information security and public cloud services are described in ISO/IEC 27017. Specifics
relating to the protection of personal data in public cloud computing acting as PII processor are described in
ISO/IEC 27018. Supplier relationships in the context of cloud services are dealt with in ISO/IEC 27036-4, and
agreements relating to cloud services and their content are addressed in the ISO/IEC 19086 series, with security
and privacy addressed specifically in ISO/IEC 19086-4.
5.24 Information security incident management planning and preparation
Type of security measure: #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Respond #Recover
Operational capabilities: #Governance #Information_security_event_management
Security domains: #Defence
Security measure
The organization should plan and prepare for information security incident management by defining, establishing
and communicating its information security incident management processes, roles and responsibilities.
Objective
Ensure a prompt, effective, consistent and orderly response to information security incidents, including
communication on information security events.
Recommendations
Duties and Responsibilities
The organization should establish appropriate information security incident management processes.
Duties and responsibilities for carrying out incident management procedures should be determined and
effectively communicated to relevant internal and external interested parties.
Consideration should be given to the following:
a) establish a common method for reporting information security events, including a point of contact (see
6.8);
b) establish an incident management process to empower the organization to manage information
security incidents, including administration, documentation, detection, triage, prioritization, analysis,
communication and coordination of interested parties;
c) establish an incident response process to provide the organization with the ability to assess, respond
to and learn from information security incidents;
d) allow only competent personnel to handle information security incident issues within the organization.
These personnel should have documentation of the procedures and receive regular training;
e) establish a process to identify training, certification and professional development
required for incident response personnel.
Incident management procedures
The objectives of information security incident management should be agreed with management and it should be ensured that
those responsible for information security incident management understand the priorities of the organization for handling information
security incidents, including resolution times based on potential consequences and severity. Incident management procedures
should be implemented to meet these objectives and priorities.
Management should ensure that an information security incident management plan is created taking into consideration different
scenarios and that procedures are developed and implemented for the following activities:
a) evaluation of information security events according to the criteria that determine what
constitutes an information security incident;
b) monitoring (see 8.15 and 8.16), detection (see 8.16), classification (see 5.25), analysis and reporting (see 6.8) of information
security events and incidents (by manual or automated means);
c) management of information security incidents until their conclusion, including response and escalation (see 5.26) depending on
the type and category of the incident, the possible activation of crisis management and business continuity plans, controlled incident
recovery and communication to internal and external interested parties;
d) coordination with internal and external interested parties, such as authorities, external interest groups
and forums, suppliers and customers (see 5.5 and 5.6);
e) logging of incident management activities;
f) evidence management (see 5.28);
g) root cause analysis or post incident analysis procedures;
h) identification of lessons learned and any improvements to be made to the incident management procedures or more generally
to the information security measures required.
Reporting procedures
Reporting procedures should include:
a) the actions to be taken in the event of an information security event (for example, immediately noting all relevant details, such
as malfunctions that occur and messages that appear on the screen, immediately informing the point of contact and taking
only coordinated actions);
b) the use of incident forms to help staff take all necessary actions when declaring information security incidents;
c) adequate feedback processes to ensure that persons reporting information security events are notified, where possible, of the
results after the issue has been addressed and closed;
d) creation of incident reports.
Consideration should be given to any external requirements on reporting incidents to relevant interested parties within the defined
time frame (e.g. requirements to report breaches to regulators) when implementing incident management procedures.
Additional Information
Information security incidents can transcend organizational and national boundaries. To respond to such
incidents, it is helpful to coordinate the response and share information about these incidents with
external organizations as necessary.
Detailed guidance on information security incident management is provided in the ISO/IEC 27035 series.
5.25 Information security event assessment and decision making
Type of security measure: #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Detect #Respond
Operational capabilities: #Management_of_information_security_events
Security domains: #Defense
Security measure
The organization should evaluate information security events and decide whether they should be
categorized as information security incidents.
Objective
Ensure effective categorization and prioritization of information security events.
Recommendations
An information security incident categorization and prioritization scheme should be agreed upon for the
identification of the consequences and priority of an incident. The scheme should include criteria for
categorizing events as information security incidents. The point of contact should assess each information
security event using the agreed scheme.
Information security incident response and coordination personnel should assess and decide on
information security events.
The results of the assessment and the decision should be recorded in detail for later verification or
reference purposes.
Additional Information
The ISO/IEC 27035 series provides additional guidance on incident management.
5.26 Information security incident response
Type of security measure: #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Respond #Recover
Operational capabilities: #Management_of_information_security_events
Security domains: #Defense
Security measure
Information security incidents should be responded to in accordance with documented procedures.
Objective
Ensure an efficient and effective response to information security incidents.
Recommendations
The organization should establish information security incident response procedures and communicate
them to all appropriate interested parties.
Response to information security incidents should be provided by a designated team with the required
skills (see 5.24).
The response should include:
a) the isolation of the systems affected by the incident, if the consequences of the incident can
propagate;
b) collecting evidence (see 5.28) as soon as possible after the occurrence of the incident;
c) an escalation, if necessary, including crisis management activities and possibly the
use of business continuity plans (see 5.29 and 5.30);
d) ensuring that all response activities undertaken are properly logged for
further analysis;
e) communicating the existence of an information security incident or any relevant details relating thereto
to all relevant internal and external interested parties on a need-to-know basis;
f) coordination with internal and external parties, such as authorities, external interest groups and forums,
suppliers and customers, to improve the effectiveness of responses and help minimize consequences
for other organisations;
g) once the incident has been successfully addressed, formally recording and closing it;
h) information security forensic analysis, if required (see 5.28);
i) a post-incident analysis to identify the root cause, ensuring that it is documented and
communicated according to defined procedures (see 5.27);
j) identification and management of information security vulnerabilities and weaknesses, including those
related to the security measures that caused, contributed to, or failed to prevent the incident.
Additional Information
The ISO/IEC 27035 series provides additional guidance on incident management.
5.27 Learning from information security incidents
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Management_of_information_security_events
Security domains: #Defense
Security measure
Knowledge gained from information security incidents should be used to strengthen and improve
information security measures.
Objective
Reduce the likelihood or consequences of future incidents.
Recommendations
The organization should establish procedures to quantify and monitor the types, volume and cost of information
security incidents.
The information collected during the assessment of information security incidents should be used to:
a) improve the incident management plan, including incident scenarios and procedures
(see 5.24);
b) identify recurring or serious incidents and their causes to update the organization's information security risk
assessment and to determine and implement additional security measures necessary to reduce the
likelihood or consequences of future similar incidents. Mechanisms to enable this include collecting,
quantifying and monitoring information on incident types, volumes and costs;
c) improve user awareness and training (see 6.3) by providing examples of what can happen,
how to respond to such incidents and how to prevent them in the future.
Additional Information
The ISO/IEC 27035 series provides additional guidance.
5.28 Collection of evidence
Type of security measure: #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Detect #Respond
Operational capabilities: #Management_of_information_security_events
Security domains: #Defense
Security measure
The organization should establish and implement procedures for the identification, collection, acquisition and
preservation of evidence relating to information security events.
Objective
Ensure consistent and effective management of evidence relating to information security incidents for the
purposes of legal or disciplinary action.
Recommendations
Internal procedures should be defined and followed for handling evidence of information security events for
legal or disciplinary action. Consideration should be given to the requirements of the various jurisdictions in
order to maximize the chances of recognition across the jurisdictions concerned.
In general, these evidence management procedures should provide instructions for the identification, collection,
acquisition and preservation of evidence according to the different types of storage media, devices and device
states (i.e. powered on or off). Evidence generally needs to be collected in a manner admissible by the appropriate
national courts or other disciplinary body. It should be possible to show that:
a) the records are complete and have not been altered in any way;
b) the copies of the digital evidence are likely identical to the originals;
c) any information system from which the evidence was collected was functioning properly at the time the
evidence was recorded.
Certifications and other means of qualification of personnel and tools should be used, when these means
are available, in order to reinforce the value of the preserved evidence.
Digital evidence can cross jurisdictional or organizational boundaries.
In these cases, it should be ensured that the organization is entitled to collect the information required
as digital evidence.
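The points a) and b) above (records complete and unaltered, copies identical to the originals) are usually demonstrated with cryptographic digests recorded at acquisition time and a tamper-evident chain-of-custody ledger. The following is an added illustration, not text or code from the standard; the item identifiers, handler name, evidence bytes and sealing key are constructed for the example.

```python
"""Evidence integrity check and chain-of-custody ledger (added example).

Each acquisition records two independent digests of the original and of the
working copy, whether they matched, who handled the item and when.  The
ledger itself is sealed with an HMAC so that later edits to it are detectable.
All identifiers and sample data here are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Two independent algorithms: a collision in one does not hide a change in the other.
HASH_ALGS = ("sha256", "sha1")


def digest(data: bytes) -> dict:
    """Hex digest of data under every configured algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGS}


def acquire(original: bytes, copy: bytes, item_id: str, handler: str,
            ledger: list) -> bool:
    """Compare the copy with the original by digest and log a custody entry.

    Returns True only when every digest matches.  An entry is appended in
    both cases, so a failed verification is itself part of the record.
    """
    orig_d = digest(original)
    copy_d = digest(copy)
    ok = all(hmac.compare_digest(orig_d[a], copy_d[a]) for a in HASH_ALGS)
    ledger.append({
        "item": item_id,
        "action": "acquire",
        "handler": handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "original": orig_d,
        "copy": copy_d,
        "verified": ok,
    })
    return ok


def verify_copy(ledger: list, item_id: str, data: bytes) -> bool:
    """Re-hash a preserved copy and compare with the digests recorded at acquisition."""
    entries = [e for e in ledger if e["item"] == item_id and e["action"] == "acquire"]
    if not entries:
        return False  # nothing was ever acquired under this identifier
    recorded = entries[-1]["original"]
    current = digest(data)
    return all(hmac.compare_digest(recorded[a], current[a]) for a in HASH_ALGS)


def seal(ledger: list, key: bytes) -> str:
    """HMAC-SHA256 over a canonical serialisation of the whole ledger."""
    body = json.dumps(ledger, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def check_seal(ledger: list, key: bytes, expected: str) -> bool:
    """True if the ledger still matches the seal computed when it was sealed."""
    return hmac.compare_digest(seal(ledger, key), expected)


if __name__ == "__main__":
    # Constructed sample: a small "evidence file" and a correct and a damaged copy.
    ledger = []
    evidence = b"constructed evidence bytes: 2023-01-26 login anomaly export"
    print("good copy verified:", acquire(evidence, evidence, "item-001", "analyst-A", ledger))
    print("bad copy verified: ", acquire(evidence, evidence + b"\x00", "item-002", "analyst-A", ledger))
    sealed = seal(ledger, b"constructed-sealing-key")
    ledger[0]["handler"] = "someone-else"  # simulate an after-the-fact edit
    print("ledger still sealed:", check_seal(ledger, b"constructed-sealing-key", sealed))
```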
Additional Information
When an information security event is first detected, it is not always clear whether the event will be
subject to legal action. Therefore, there is a risk that the necessary evidence may be destroyed,
intentionally or accidentally, before the seriousness of the incident is established. It is advisable to seek
advice from legal counsel or the police early if legal action is contemplated, and to seek advice on the evidence required.
ISO/IEC 27037 provides definitions and guidelines on the identification, collection, acquisition and
preservation of digital evidence.
The ISO/IEC 27050 series deals with electronic discovery, which includes the treatment of electronically
stored information as evidence.
5.29 Information security during a disruption
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Respond
Operational capabilities: #Continuity
Security domains: #Protection #Resilience
Security measure
The organization should plan how to maintain information security at the appropriate level during a
disruption.
Objective
Protect information and other associated assets during a disruption.
Recommendations
The organization should determine its requirements for adapting information security measures during a
disruption. Information security requirements should be included in business continuity management
processes.
Plans should be developed, implemented, tested, reviewed and evaluated to maintain or restore the
information security of critical business processes following an interruption or failure. Information security
should be restored to the required level and within the required time frame.
The organization should implement and maintain:
a) information security measures, and supporting systems and tools in business continuity and ICT
continuity plans;
b) the processes that maintain the operation of the existing information security measures
during a disruption;
c) compensating security measures for the information security measures that can
no longer function during a disruption.
Additional Information
In the context of business continuity and ICT continuity planning, it may be necessary to tailor information
security requirements depending on the type of disruption, compared to normal operating conditions. As
part of the business impact analysis and risk assessment carried out in business continuity management,
the consequences of the loss of confidentiality and integrity of information should be considered and
prioritized, in addition to the need to maintain availability.
Information on business continuity management systems is available in ISO 22301 and ISO 22313.
Additional guidance on business impact analysis (BIA) is available in ISO/TS 22317.
5.30 ICT readiness for business continuity
Type of security measure: #Corrective
Information security properties: #Availability
Cybersecurity concepts: #Respond
Operational capabilities: #Continuity
Security domains: #Resilience
Security measure
ICT readiness should be planned, implemented, maintained and tested based on business continuity
objectives and ICT continuity requirements.
Objective
Ensure the availability of information and other associated assets of the organization during a disruption.
Recommendations
ICT readiness for business continuity is an important component of business continuity management
and information security management to ensure that the organization's objectives can continue to be
achieved during a disturbance.
ICT continuity requirements result from the business impact analysis (BIA). The BIA process should
use impact types and criteria to assess the impacts over time caused by the disruption of activities that
provide products and services. The magnitude and duration of the impacts caused should be used to
identify the activities to be prioritized, to which a recovery time objective (RTO) should be assigned. The BIA should
then determine the resources that are needed to support the prioritized activities. An RTO should also be
specified for these resources. A subset of these resources should include ICT services.
Business impact analysis involving ICT services can be extended to define performance and capacity
requirements of ICT systems, as well as recovery point objectives (RPOs) of the information needed to
carry out activities during a disturbance.
Based on the results of the business impact analysis and risk assessment involving ICT services, the
organization should identify and choose ICT continuity strategies that take into account options for the
periods before, during and after a disturbance.
Business continuity strategies can consist of one or more solutions. Based on the strategies, plans
should be developed, implemented and tested to meet the required level of availability of ICT services
within the required timeframe following the interruption or failure of critical processes.
The organization should ensure that:
a) an adequate organizational structure is in place to prepare for, mitigate and respond to a disruption
handled by personnel with the necessary responsibility, authority and competence;
b) ICT continuity plans, including response and recovery procedures detailing how the organization plans to
handle a disruption of ICT services, are:
1) regularly assessed through exercises and tests;
2) approved by management;
c) ICT continuity plans include the following ICT continuity information:
1) performance and capacity specifications to meet business continuity requirements and objectives as
specified in the business impact analysis (BIA);
2) the recovery time objective (RTO) of each prioritized ICT service and the procedures for restoring these
components;
3) the recovery point objectives (RPOs) of the prioritized ICT resources defined as information,
and the procedures for restoring that information.
Additional Information
ICT continuity management forms an essential part of business continuity requirements on availability, to be
able to:
a) provide response and recovery after disruption of ICT services, whatever the cause;
b) ensure that the continuity of prioritized activities is supported by the required
ICT services;
c) respond before a disruption of ICT services occurs, upon detection of at
least one incident that may cause disruption of ICT services.
Additional guidance on preparing ICT for business continuity is available in ISO/IEC 27031.
Additional guidance on business continuity management systems is available in ISO 22301 and ISO 22313.
Additional guidance on business impact analysis (BIA) is available in ISO/TS 22317.
5.31 Legal, statutory, regulatory and contractual requirements
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Regulations_and_compliance
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Relevant legal, statutory, regulatory and contractual requirements for information security, as well as the
organization's approach to meeting those requirements, should be identified, documented and kept up to date.
Objective
Ensure compliance with legal, statutory, regulatory and contractual requirements relating to information
security.
Recommendations
General
External requirements, including legal, statutory, regulatory or contractual requirements, should be
considered when:
a) developing information security policies and procedures;
b) the design, implementation or change of information security measures;
c) the classification of information and other related assets as part of the process of establishing information
security requirements for internal purposes or for agreements with suppliers;
d) performing information security risk assessments and determining information security risk treatment
activities;
e) the determination of the processes and of the roles and responsibilities relating to
information security;
f) determination of supplier contractual requirements relevant to the organization and
the scope of supply of products and services.
Legislation and regulations
The organization should:
a) identify all laws and regulations relevant to the organization's information security in order to become
aware of the requirements concerning its type of activity;
b) consider compliance in all relevant countries, if the organization:
— conducts business in other countries;
— uses products and services from other countries where the laws and
regulations can impact the organization;
— transfers information across jurisdictional boundaries where laws and regulations
can impact the organization;
c) regularly review the identified laws and regulations to keep abreast of
changes and identify new legislation;
d) define and document specific processes and individual responsibilities to meet
these requirements.
Cryptography
Cryptography is an area that often has specific legal requirements. Consideration should be given to
compliance with applicable agreements, laws and regulations relating to the following:
a) restrictions on the import or export of computer hardware and software
for performing cryptographic functions;
b) restrictions on the import or export of computer hardware and software designed to incorporate
cryptographic functions;
c) restrictions on the use of cryptography;
d) the methods of access to encrypted information, mandatory or optional, available to the
country authorities;
e) the validity of digital signatures, seals and certificates.
It is recommended that you seek legal advice when establishing compliance with applicable laws and
regulations, particularly when encrypted information or cryptographic tools are transferred across
jurisdictional boundaries.
Contracts
Contractual information security requirements should include those set out in:
a) contracts with customers;
b) contracts with suppliers (see 5.20);
c) insurance contracts.
Additional Information
No additional information.
5.32 Intellectual property rights
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Regulations_and_compliance
Security domains: #Governance_and_Ecosystem
Security measure
The organization should implement appropriate procedures to protect intellectual property rights.
Objective
Ensure compliance with legal, statutory, regulatory and contractual requirements relating to intellectual
property rights and the use of proprietary products.
Recommendations
Consideration should be given to the following guidelines to protect any material that may be subject to
intellectual property rights:
a) define and communicate a topic-specific policy on the protection of intellectual
property rights;
b) publish procedures for ensuring compliance with intellectual property rights that
define the intended use of software and information products;
c) acquire software only through known and reputable sources to ensure that
copyright is not infringed;
d) maintain appropriate records of assets and identify all assets subject to intellectual property rights
protection requirements;
e) retain proof and evidence of ownership of licenses, manuals, etc.;
f) ensure that the maximum number of users or resources (e.g. central processing units [CPUs]) permitted
by the license is not exceeded;
g) carry out checks to ensure that only authorized software and licensed products
are installed;
h) provide procedures for maintaining appropriate license conditions;
i) provide procedures for the removal of software or for its transfer to third parties;
j) comply with the terms and conditions of software and information obtained from public networks and
external sources;
k) not duplicate, convert to another format or extract commercial recordings (video, audio) except as
permitted by applicable copyright laws or licenses;
l) not to copy, in whole or in part, standards (e.g. ISO/IEC International Standards), books, articles,
reports or other documents, except as permitted by copyright law or applicable licenses.
Additional Information
Intellectual property rights include software and document copyrights, design rights, trademarks, patents
and source code licenses.
Proprietary software products are generally provided under a license agreement specifying the general
conditions of the license, for example limiting the use of the products to specific machines or limiting the
copying to the creation of backup copies only. See the ISO/IEC 19770 series for more details on IT
asset management.
Data may be obtained from external sources. Typically, this type of data is obtained under the terms of
a data sharing agreement or similar legal instrument.
Such data sharing agreements should specify the nature of the authorized processing for the acquired
data. It is also recommended that the provenance of the data be clearly indicated.
See ISO/IEC 23751 for more details on data sharing agreements.
Legal, statutory, regulatory and contractual requirements may include restrictions on copying proprietary
material. In particular, they may require that only material developed by the organization, or which is
licensed, or provided by a developer to the organization, may be used. Copyright infringement may
result in legal action which may involve fines and criminal prosecution.
Apart from the need for the organization to comply with its obligations to the intellectual property rights
of third parties, the risks associated with personnel or third parties who do not respect the organization's
own intellectual property rights should be managed.
5.33 Protection of records
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Regulations_and_compliance #Asset_management #Protection_of_information
Security domains: #Defense
Security measure
Records should be protected from loss, destruction, tampering, unauthorized access and unauthorized
dissemination.
Objective
Ensure compliance with legal, statutory, regulatory and contractual requirements, as well as company
or community expectations relating to the protection and availability of records.
Recommendations
The organization should take the following steps to protect the authenticity, reliability, integrity and
usability of records, knowing that their operational context and the requirements for their management
change over time:
a) issue guidelines on the storage, chain-of-custody management and disposal of records, which
include the prevention of manipulation of records. These guidelines should align with the topic-specific records management policy and other records requirements of the organization;
b) establish a retention schedule defining the records and their retention period.
The storage and management system should ensure the identification of records and their retention
period taking into account national or regional laws or regulations, as well as societal or community
expectations, if necessary. This system should allow for the appropriate destruction of records at the
end of this period if the organization no longer needs them.
When deciding on the protection of specific organization records, consideration should be given to their
information security classification, which is based on the organization's classification scheme. Records
should be categorized into types (e.g. accounting records, business transaction records, personnel
records, legal records); with for each type of recording details on the retention periods and the type of
storage medium authorized, which can be physical or electronic.
Storage systems should be chosen such that they allow the retrieval of the required records in a time
and in a format acceptable to the requirements to be met.
When electronic storage media are chosen, procedures to ensure the accessibility of the records (access
to the storage medium and readability of the format) throughout the retention period should be
established in order to protect against loss due to changes in future technologies. All cryptographic keys
and programs associated with encrypted records or electronic signatures should also be retained to
allow decryption of the records throughout their retention period (see 8.24).
Storage and use procedures should be implemented in accordance with recommendations provided by
storage media manufacturers. Consideration should be given to the possibility of degradation of the
medium used for storing the recordings.
Additional Information
Records document particular events or transactions, or may be aggregations designed to document
business processes, activities, or functions. They are both evidence of business activity and information
assets. Any set of information, regardless of its structure and form, can be managed as a record. This
includes information in the form of a document, collection of data or other types of digital or analog
information that is created, captured and managed in the course of a professional activity.
In records management, metadata is the data describing the context, content, and structure of records,
as well as their management over time. Metadata is an essential component of any record.
It may be necessary to retain certain records securely to comply with legal, statutory, regulatory or contractual
requirements and to support the essential business activities of the organization. National regulation or law may
determine the retention period and the content of the information to be retained. Additional
information on records management is available in ISO 15489.
5.34 Protection of privacy and personal data
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Protection_of_information #Regulations_and_compliance
Security domains: #Protection
Security measure
The organization should identify and comply with privacy and personal data protection requirements in
accordance with applicable laws, regulations and contractual requirements.
Objective
Ensure compliance with legal, statutory, regulatory and contractual requirements relating to aspects of
information security relating to the protection of personal data.
Recommendations
The organization should establish and communicate to all relevant interested parties a policy specific to the
subject of privacy protection and personal data.
The organization should develop and implement procedures for the protection of privacy and personal data.
These procedures should be communicated to all relevant interested parties involved in the processing of
personal data.
Compliance with these procedures and all relevant privacy and personal data protection laws and regulations
requires appropriate duties, responsibilities and safeguards. Often the best way to achieve this is to appoint a
responsible person, such as a data protection officer (DPO), who should provide guidance to staff, service
providers and other interested parties on their individual responsibilities and the specific procedures to be
followed.
Accountability for the processing of personal data should be ensured taking into account relevant laws and
regulations.
Appropriate technical and organizational measures should be implemented to protect
personal data.
Additional Information
Some countries have introduced legislation imposing security measures for the collection, processing,
transmission and disposal of personal data. Depending on the relevant national legislation, these security
measures may impose obligations on those who collect, process and distribute personal data and may also
restrict the right to transfer personal data to other countries.
ISO/IEC 29100 provides a high-level framework for the protection of personal data in ICT systems. Additional
information on privacy management systems can be found in ISO/IEC 27701. Specific information on privacy
management in public cloud computing services acting as personal data processors is available in ISO/IEC 27018.
ISO/IEC 29134 provides guidance on the privacy impact assessment (PIA) and gives an example of the
structure and content of a PIA report. Compared with ISO/IEC 27005, it focuses on the processing of
personal data and is relevant for organizations handling personal data. It can help identify privacy-related risks and possible mitigations to reduce those risks to acceptable levels.
5.35 Independent Information Security Review
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Information_Security_Assurance
Security domains: #Governance_and_Ecosystem
Security measure
The organization's approach to managing information security and its implementation, including people,
processes and technology, should be independently reviewed at planned intervals, or when significant
changes occur.
Objective
Ensure that the organization's approach to managing information security is continuously appropriate,
adequate and effective.
Recommendations
The organization should have processes for conducting independent reviews.
Management should plan and initiate periodic independent reviews. Reviews should include the
assessment of opportunities for improvement and the need for changes to the information security
approach, including the information security policy, topic-specific policies and other security measures.
Such reviews should be performed by persons independent of the area being reviewed (e.g. an internal
audit function, an independent manager or an external third-party organization specializing in such reviews).
The people performing these reviews should have the appropriate skills. The person conducting the
reviews should be independent of the line structure to ensure that they have the necessary independence
to carry out the assessment.
The results of independent reviews should be reported to the management that initiated the reviews and,
if necessary, to senior management. These records should be retained.
If independent reviews identify that the organization's approach to, and implementation of, information
security management is inadequate [for example, documented objectives and requirements are not
being met, or are not compliant with the information security guidance given in the information security policy and
topic-specific policies (see 5.1)], management should take corrective action.
In addition to periodic independent reviews, the organization should consider conducting independent
reviews when:
a) the laws and regulations affecting it change;
b) significant incidents occur;
c) the organization begins a new activity or makes changes to an existing activity;
d) the organization begins to use a new product or service, or makes changes to the use of an existing product or service;
e) the organization makes significant changes to its information security measures and procedures.
Additional Information
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance on performing independent reviews.
5.36 Compliance with information security policies, rules and standards
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Regulations_and_compliance #Information_Security_Assurance
Security domains: #Governance_and_Ecosystem
Security measure
Compliance with the information security policy, topic-specific policies, rules and standards of the organization should be checked
regularly.
Objective
Ensure that information security is implemented and operating in accordance with the information security policy, topic-specific
policies, rules and standards of the organization.
Recommendations
Managers and owners of products, services or information should identify how to verify that the information security requirements
defined in the information security policy, topic-specific policies, applicable rules, standards and other regulations are complied with.
Automated measurement and reporting tools should be considered to perform effective regular reviews.
If a nonconformity is detected as a result of the review, those responsible should:
a) identify the causes of non-compliance;
b) assess the need for corrective actions to establish compliance;
c) implement appropriate corrective actions;
d) analyze the corrective actions chosen to verify their effectiveness and identify any
shortcomings or weaknesses.
The results of reviews and corrective actions performed by managers and owners of products, services or information should be
recorded and these records kept up to date. Managers should communicate the results to persons performing independent reviews
(see 5.35) when an independent review is conducted in their area of responsibility.
Corrective actions should be completed as soon as possible, according to the risks.
If they are not completed before the next scheduled review, their progress should at least be addressed
during that review.
Additional Information
Operational monitoring of system usage is covered in 8.15, 8.16, 8.17.
5.37 Documented operating procedures
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Recover
Operational capabilities: #Asset_management #Physical_Security #System_and_network_security #Application_Security #Secure_Configuration #Identity_and_access_management #Management_of_threats_and_vulnerabilities #Continuity #Management_of_information_security_events
Security domains: #Governance_and_Ecosystem #Protection #Defense
Security measure
The procedures for operating the information processing facilities should be documented and made
available to personnel who require them.
Objective
Ensure the correct and secure operation of information processing facilities.
Recommendations
Documented procedures should be developed for the organization's operational activities associated
with information security, for example:
a) when the activity needs to be carried out in the same way by several people;
b) when the activity is performed rarely, so that the procedure is likely to have been forgotten by the time it is
next performed;
c) when the activity is new and presents a risk if it is not carried out correctly;
d) before handing the activity over to new personnel.
Operating procedures should specify:
a) responsible persons;
b) secure installation and configuration of systems;
c) processing and handling of information, whether automated or manual;
d) backup (see 8.13) and resilience;
e) scheduling requirements, including interdependencies with other systems;
f) instructions for handling errors or other exceptional conditions [e.g. restrictions on the use of utility
programs (see 8.18)] that may occur during execution of the task;
g) contacts with the helpdesk and management, including external helpdesk contacts, in the
event of unexpected technical or operational difficulties;
h) instructions for handling storage media (see 7.10 and 7.14);
i) system restart and recovery procedures to be applied in the event of a system failure;
j) management of audit trail and system log information (see 8.15 and 8.17) and video
surveillance systems (see 7.4);
k) monitoring procedures, such as capacity, performance and security monitoring (see 8.6 and 8.16);
l) maintenance instructions.
Operating procedures should be documented and updated as necessary. Changes to documented
operating procedures should be authorized. Where technically feasible, information systems should be
managed consistently using the same procedures, tools and utilities.
Additional Information
No additional information.
6 Security measures applicable to people
6.1 Selection of candidates
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Security_of_human_resources
Security domains: #Governance_and_Ecosystem
Security measure
Background checks should be performed on all job applicants before they join the organization and on an
ongoing basis, taking into account applicable laws, regulations and ethics, and should be proportional to
the business requirements, to the classification of the information to which they will have access and to
the identified risks.
Objective
Ensure that all staff members are eligible and suitable to perform the functions for which they are
nominated, and that they remain so throughout their employment.
Recommendations
A selection process should be carried out for all staff, including full-time, part-time and temporary staff.
Where these individuals are hired through service providers, the selection requirements should be
specified in the contractual agreements between the organization and the providers.
Information on all candidates considered for positions within the organization should be collected and
managed taking into account all relevant laws in force in the relevant jurisdiction. In some jurisdictions,
the organization may be required by law to notify candidates in advance of screening activities.
Checks should take into account employment, privacy and personal data protection laws, and
should include, where permitted, the following:
a) the availability of satisfactory references (for example, professional and personal references);
b) verification (for completeness and accuracy) of the candidate's curriculum vitae;
c) confirmation of declared academic and professional qualifications;
d) independent verification of identity (e.g. passport or other recognized document issued
by competent authorities);
e) a more detailed check, such as a credit or criminal record check, if the
candidate is applying for a critical function.
When a person is hired for a specific information security function, the organization should
ensure that the candidate:
a) possesses the skills necessary to perform the security function;
b) is trustworthy enough to perform that function, particularly if the function is critical to
the organization.
Whether for a first hiring or a promotion, when a position involves access to information processing
facilities and, in particular, if these facilities involve the processing of confidential information (for
example, financial, personal or health-related information), the organization should consider carrying out additional,
more detailed checks.
Procedures should define the criteria and limits for carrying out checks (for example, who is entitled to
screen candidates, and how, when and for what reasons checks are carried out).
In cases where checks cannot be completed in time, mitigation measures should be implemented until
the check is completed, for example:
a) delayed onboarding;
b) deferred allocation of corporate assets;
c) onboarding with restricted access;
d) termination of the hiring process.
The verifications should be repeated periodically to confirm that the aptitude of the personnel is still
adequate in relation to the level of criticality of the function occupied.
Additional Information
No additional information.
6.2 Terms and conditions of the employment contract
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Security_of_human_resources
Security domains: #Governance_and_Ecosystem
Security measure
Employment contracts should outline staff and organizational responsibilities for information security.
Objective
Ensure that staff understand their responsibilities in terms of information security within the framework
of the functions that the organization intends to entrust to them.
Recommendations
Staff contractual obligations should take into account the organization's information security policy and
relevant topic-specific policies. In addition, the following aspects can be clarified and specified:
a) confidentiality or non-disclosure agreements that personnel with access to confidential information
should sign before being granted access to the information and other associated assets (see 6.6);
b) legal rights and responsibilities [for example, relating to copyright laws or
data protection legislation (see 5.32 and 5.34)];
c) responsibilities for the classification of information and the management of information and other
associated assets of the organization, information processing facilities and information services used by personnel
(see 5.9 to 5.13);
d) responsibilities for handling information received from interested parties;
e) action to be taken if personnel disregard the organization's security requirements
(see 6.4).
Information security responsibilities and functions should be communicated to candidates during the pre-employment process.
The organization should ensure that staff accept the information security terms and conditions. These
terms and conditions should be appropriate to the nature and extent of the access they will have to the
organization's assets associated with information systems and services. Information security terms
and conditions should be reviewed when laws, regulations, the information security policy or topic-specific
policies change.
If necessary, the responsibilities indicated in the terms and conditions of the employment contract should
continue to apply for a defined period after the end of employment (see 6.5).
Additional Information
A code of conduct can be used to outline personnel information security responsibilities regarding
confidentiality, protection of personal data, ethics, appropriate use of information and other associated
organizational assets, and best practices expected by the organization.
An external party, in the case of supplier personnel, may need to be included in the contractual agreements
on behalf of the contracted person.
If the organization is not a legal entity and does not employ any employees, the equivalent of the
contractual agreement and terms and conditions may be considered as recommended in this security
measure.
6.3 Awareness, education and training in information security
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Security_of_human_resources
Security domains: #Governance_and_Ecosystem
Security measure
The organization's personnel and relevant interested parties should receive appropriate information security awareness, education
and training, as well as regular updates of the information security policy, topic-specific policies and organizational procedures
that are relevant to their function.
Objective
Ensure that staff and relevant interested parties are aware of and fulfill their information security responsibilities.
Recommendations
General
An information security awareness, education and training program should be established consistent with the information security
policy, topic-specific policies and the organization's information security procedures, taking into account the organization's
information to be protected and the information security measures that have been implemented to protect it.
Information security awareness, education and training should take place periodically. The first awareness, education and training
sessions can apply to new staff or people assigned to new positions or functions with very different information security requirements.
Staff understanding should be assessed following an awareness, education or training activity in order to test the transfer of
knowledge and the effectiveness of the awareness, education and training programme.
Awareness
An information security awareness program should aim to make staff aware of their information security responsibilities and the
means at their disposal to fulfill those responsibilities.
The awareness program should be planned taking into account staff functions within the organization, whether internal or external
staff (e.g. external consultants or supplier staff). Awareness program activities should be scheduled over time, preferably at regular
intervals, so that they are repeated and include new staff. The awareness program should also be based on lessons learned from
information security incidents.
The awareness-raising program should include a number of awareness-raising activities through appropriate physical or virtual
channels, such as campaigns, booklets, posters, newsletters, websites, information sessions, briefing sessions, e-learning modules
and emails.
Information security awareness should cover general aspects such as:
a) management's commitment to information security throughout the organization;
66
© ISO/IEC 2022 – All rights reserved
ISO/ IEC 27002:20222022-02
AFNOR
Machine
Translated
by Google
LACROIX John
(john.lacroix@jcld-consulting.com)
For: JCLD CONSULTING
ISO/IEC 27002:2022(F)
b) knowledge of information security rules and obligations, and the need to comply with them, taking into
account the information security policy and topic-specific policies, standards, laws, statutes,
regulations, contracts and agreements;
c) individual responsibilities for their actions and inactions, and general responsibilities with respect to
securing or protecting information belonging to the organization and interested parties;
d) basic information security procedures [e.g. information security event reporting (6.8)] and basic
security measures [e.g. password security (5.17) ];
e) points of contact and resources for additional information and guidance on information security topics,
including additional information security awareness materials.
Learning and training
The organization should identify, prepare and implement a training plan for technical teams whose
functions require a specific skill set and expertise.
Technical teams should have the skills to configure and maintain the required level of security for
endpoints, systems, applications and services. If skills are lacking, the organization should take action
and acquire them.
The education and training program should consider several forms [e.g. lectures or self-study sessions
supervised by experts or consultants (work-based training), rotation of staff to monitor different
activities, the recruitment of already qualified people and the hiring of consultants]. This program can
use different means of delivery, for example classrooms, distance education, online learning and self-study, among others.
Technical personnel should keep their knowledge up to date by subscribing to
newsletters and magazines or by attending conferences and events for technical and professional
development.
Additional Information
When developing an awareness program, it is important not to focus only on the questions “what?” and
"how?", but also on the question "why?", as far as possible. It is important that staff understand the
objectives of information security and the potential effects, positive and negative, of their behavior on
the organization.
Awareness, education and training in information security can be part of, or be carried out with, other
activities, for example training on information management in general, ICT, security, privacy protection
or safety.
6.4 Disciplinary Process
Type of security measure: #Preventive #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Respond
Operational capabilities: #Security_of_human_resources
Security domains: #Governance_and_Ecosystem
Security measure
A disciplinary process should be formalized and communicated to take action against personnel and
other interested parties who have committed a violation of the information security policy.
Objective
Ensure that personnel and other relevant interested parties understand the consequences of violations of the
information security policy, prevent such violations, and deal appropriately with personnel and other interested
parties who have committed violations.
Recommendations
The disciplinary process should not be initiated until it has been verified that a violation of the information
security policy has occurred (see 5.28).
The formal disciplinary process should provide a graduated response that takes into account factors such as:
a) the nature (who, what, when, how) and seriousness of the violation and its consequences;
b) whether the breach was intentional (malicious) or unintentional (accidental);
c) whether it is a first offense or a repeat offence;
d) whether the offender has received adequate training.
The response should consider applicable legal, statutory, regulatory, contractual and business requirements,
as well as other factors as necessary. The disciplinary process should also act as a deterrent to prevent staff
and other relevant interested parties from violating the information security policy, topic-specific policies and
information security procedures of the organization. Deliberate violations of the information security
policy may require immediate action.
Additional Information
Where possible, the identity of persons subject to disciplinary action should be protected in accordance with
applicable requirements.
When people demonstrate excellent behavior towards information security, they can be rewarded to promote
information security and encourage good behavior.
6.5 Responsibilities after employment ends or changes
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Security_of_human_resources #Asset_management
Security domains: #Governance_and_Ecosystem
Security measure
Responsibilities and obligations relating to information security that remain in effect after termination or change
of employment should be defined, enforced and communicated to relevant staff and other interested parties.
Objective
Protect the interests of the organization in the process of changing or terminating a job or contract.
Recommendations
The process for managing the end or change of employment should define which information security
responsibilities and obligations should be maintained after termination or change of employment. This may
include confidentiality of information, intellectual property and other acquired knowledge, as well as
responsibilities contained in any other confidentiality agreement (see 6.6). Responsibilities and obligations
that continue after the end of the employment or contract should be set out in the terms and conditions of
employment (see 6.2), the person's contract or agreement. Other contracts or agreements that continue for a
defined period after a person's employment has ended may also contain information security responsibilities.
Changes in responsibilities or jobs should be managed as the end of a current job or responsibilities,
combined with the introduction of new responsibilities or a new job.
The information security functions and responsibilities held by any person who leaves or changes
position should be identified and transferred to another person.
A process should be established for communicating changes and operational procedures to staff, other
interested parties and relevant contacts (e.g. customers and suppliers).
The process of termination or change of employment should also be applied to external personnel (e.g.
supplier staff) when an end of employment, contract or position occurs in the organization, or when there is
a change of position within the organization.
Additional Information
In many organizations, the human resources function is typically responsible for the entire termination
process and works with the transitioning person's line manager to manage the information security
aspects of the procedures involved. In the case of personnel made available by an external party (for
example, by a supplier), this termination process is carried out by the external party in accordance with
the contract between the organization and the external party.
6.6 Confidentiality or non-disclosure agreements
Type of security measure: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Security_of_human_resources #Protection_of_information #Supplier_relations
Security domains: #Governance_and_Ecosystem
Security measure
Confidentiality or non-disclosure agreements representing the organization's information protection
needs should be identified, documented, regularly reviewed and signed by staff and other relevant
interested parties.
Objective
Ensure the confidentiality of information accessed by staff or external parties.
Recommendations
Confidentiality or non-disclosure agreements should address the requirement to protect confidential
information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable
to interested parties and staff of the organization. Depending on the information security requirements
of the organization, the terms of the agreements should be determined taking into account the type of
information that will be processed, its classification level, its use and the access authorized to the other
party. To identify the confidentiality and non-disclosure requirements, consideration should be given to the
following elements:
a) a definition of the information to be protected (e.g. confidential information);
b) the duration of an agreement, including where it may be necessary to maintain confidentiality
indefinitely or until the information becomes public;
c) actions required when an agreement expires;
d) responsibilities and actions of signatories to prevent unauthorized disclosure of
information;
e) ownership of information, trade secrets and intellectual property, as well as
its relationship to the protection of confidential information;
f) the authorized use of the confidential information and the rights of the signatory to use the
information;
g) the right to audit and monitor activities involving confidential information in the event of highly sensitive
circumstances;
h) the process for notifying and reporting unauthorized disclosure or leaked confidential
information;
i) the arrangements for the return or destruction of the information upon expiry of the agreement;
j) the measures to be taken in the event of non-compliance with the agreement.
The organization should consider compliance with confidentiality and nondisclosure agreements according
to the jurisdiction in which they apply (see 5.31, 5.32, 5.33, 5.34).
Confidentiality and non-disclosure agreements should be reviewed periodically and as changes affecting
these requirements occur.
Additional Information
Confidentiality and nondisclosure agreements protect organization information and inform signatories of
their responsibility to safeguard, use, and disclose information in a responsible and authorized manner.
6.7 Remote work
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management #Protection_of_information #Physical_Security #System_and_network_security
Security domains: #Protection
Security measure
Security measures should be implemented when staff work remotely, to protect information accessed,
processed or stored outside the organization's premises.
Objective
Ensure information security when staff work remotely.
Recommendations
Remote work takes place when the personnel of the organization work from a location outside the
premises of the organization, accessing information, whether it is on paper or available electronically via
ICT equipment. Remote work environments include those labeled as “telecommuting”, “flexible
workplace”, “virtual work environments” and “remote maintenance”.
NOTE It is possible that not all recommendations of this security measure can be applied, due to local laws and regulations
in different jurisdictions.
Organizations authorizing remote work activities should issue a policy specific to the topic of remote
work that sets out the appropriate conditions and restrictions. Consideration should be given to the
following aspects if deemed applicable:
a) the existing or proposed level of physical security at the remote work site, taking into account the
level of physical security of the location and its immediate environment, including the different
jurisdictions in which the staff is present;
b) rules and security mechanisms for the remote physical environment, such as lockable storage
cabinets, secure transportation from location to location, rules for remote access, clean desk,
printing and disposal of information and other associated assets, and reporting of information
security events (see 6.8);
c) the planned physical remote work environments;
d) communications security requirements, taking into account the need for remote access to the
organization's systems, the sensitivity of the information consulted or transmitted over the
communication medium and the sensitivity of the systems and applications;
e) the use of remote access, such as access to a virtual desktop that allows processing and
storing information on personal equipment;
f) the threat of unauthorized access to information or resources by others at the remote work site (for
example, family members and friends);
g) the threat of unauthorized access to information or resources by others in
public places;
h) use of home networks and public networks, and any requirements or restrictions
relating to the configuration of wireless network services;
i) the use of security measures, such as firewalls and protection against malware;
j) secure mechanisms for remote system deployment and initialization;
k) secure authentication mechanisms and means of granting privileged access rights, taking into account
the vulnerability of single-factor authentication mechanisms when remote access to the organization's
network is authorized.
Guidelines and measures to consider should include:
a) the provision of equipment and storage furniture suitable for remote work activities, when the use of
personal equipment not subject to the control of the organization is not authorized;
b) the definition of authorized work, the classification of information that may be held, and the internal
systems and services to which the remote worker is authorized to access;
c) the provision of training for those who work remotely and those who provide support to them. This
training should cover, among other things, how to work securely while working remotely;
d) the provision of adequate communication facilities, including methods for securing remote access,
such as requirements for device screen locking and inactivity timers, the activation of device
geolocation and the installation of remote wipe functions;
e) physical security;
f) rules and recommendations regarding family and visitor access to equipment and
information;
g) the provision of support and maintenance services for hardware and software;
h) provision of insurance;
i) backup and business continuity procedures;
j) security auditing and monitoring;
k) the revocation of authorizations and access rights, and the return of equipment when the remote work
activities are completed.
Additional Information
No additional information.
6.8 Information security event reporting
Type of security measure: #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Detect
Operational capabilities: #Information_security_event_management
Security domains: #Defense
Security measure
The organization should provide a mechanism for personnel to promptly report observed or suspected
information security events through appropriate channels.
Objective
Enable the reporting of information security events that can be identified by personnel, in a timely,
consistent and efficient manner.
Recommendations
All personnel and users should be made aware of their responsibility to report information security events
as quickly as possible in order to prevent or minimize the consequences of information security incidents.
They should also be informed of the procedure for reporting information security events and the point of
contact to which events should be reported. The reporting mechanism should be as simple, accessible
and available as possible. Information security events include incidents, breaches, and vulnerabilities.
Situations to consider for information security event reporting include:
a) ineffective information security measures;
b) a breach of the expected level of confidentiality, integrity or availability of information;
c) human error;
d) non-compliance with the information security policy, topic-specific policies or applicable standards;
e) breach of physical security measures;
f) system changes that have not gone through the change management process;
g) malfunctions or other abnormal behavior of the system caused by software or hardware;
h) access violations;
i) vulnerabilities;
j) suspected malware infection.
Staff and users should be warned not to attempt to prove the existence of suspected information security
vulnerabilities. Testing for vulnerabilities may be construed as potential misuse of the system, may also
damage the information system or service, and may alter or obscure digital evidence. Finally, it may
engage the legal liability of the person carrying out the tests.
Additional Information
See the ISO/IEC 27035 series for additional information.
7 Physical security measures
7.1 Physical security perimeters
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Security perimeters should be defined and used to protect areas that contain information and other
associated assets.
Objective
Prevent unauthorized physical access, damage, or interference to information and other associated
assets of the organization.
Recommendations
The following guidelines should be considered and implemented for physical security perimeters, where
deemed appropriate:
a) define the security perimeters and the location and strength of each of the perimeters according to
the information security requirements for the assets located within the perimeter;
b) have physically sound perimeters for a building or site containing information processing facilities (i.e.
the perimeter or areas should have no gaps likely to facilitate a break-in). External roofs, walls, ceilings and
floors of the site should be of solid construction and all external doors should be adequately protected
against unauthorized access with control mechanisms (e.g. bars, alarms, locks). Doors and windows should
be locked when the premises are unattended, and consideration should be given to external protection for
windows, particularly on the ground floor; ventilation points should also be considered;
c) alarm, monitor and test all fire doors within a security perimeter together with the walls, to establish the
level of resistance required in accordance with the appropriate standards. They should work flawlessly.
Additional Information
Physical protection can be achieved by creating one or more physical barriers around the organization's
premises and information processing facilities.
A secure area can be a lockable office or several rooms surrounded by a continuous internal physical
security barrier. Additional barriers and perimeters to control physical access may be required between
areas with different security requirements within a security perimeter. The organization should consider
having physical security measures that can be enhanced during heightened threat situations.
7.2 Physical entry
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Identity_and_access_management
Security domains: #Protection
Security measure
Secured areas should be protected with appropriate access point and access security measures.
Objective
Ensure that only authorized physical access to information and other associated assets of the organization
is possible.
Recommendations
General
Access points such as delivery and loading areas and other points through which unauthorized persons
may enter the premises should be monitored and, if possible, isolated from information processing facilities,
to prevent unauthorized access.
The following guidelines should be considered:
a) restrict access to sites and buildings to authorized personnel only. The process for managing access
rights to physical areas should include providing, periodically reviewing, updating and revoking
permissions (see 5.18);
b) securely maintain and regularly monitor a physical log or electronic audit log of all access, and protect
all logs (see 5.33) and sensitive authentication information;
c) establish and implement a process and technical mechanisms for managing access to areas where
information is processed or stored. Authentication mechanisms include the use of access cards,
biometrics, or two-factor authentication, such as an access card and secret PIN. Consideration should
be given to the use of security airlocks for access to sensitive areas;
d) provide a staffed reception area, or other means to control physical access to the site or building;
e) inspect and examine personal effects of staff and interested parties upon entry and exit;
NOTE Local laws and regulations may exist regarding the ability to inspect personal effects.
f) require all staff and interested parties to wear visible identification, and notify security personnel immediately
if they encounter unaccompanied visitors or anyone without visible identification. Consideration should
be given to wearing easily distinguishable badges to better identify permanent employees, suppliers and
visitors;
g) grant supplier personnel limited access to secure areas or information processing facilities only as
necessary. Such access should be authorized and monitored;
h) pay particular attention to the security of physical access in the case of buildings containing the assets of
several organizations;
i) design physical security measures in such a way that they can be strengthened
when the likelihood of physical incidents increases;
j) secure other entry points, such as emergency exits, from unauthorized access;
k) implement a key management process to ensure the management of physical keys or authentication
information (e.g. lock codes, combination locks of offices, rooms and equipment such as lockable
cabinets) and to ensure an annual key log or audit is maintained and that access to physical keys or
authentication information is controlled (see 5.17 for additional recommendations on authentication
information).
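Guideline b) above asks for the physical access log to be securely kept and regularly monitored. The Python script below is an added example, not part of ISO/IEC 27002, of what such a review can look like when run over a constructed badge log: it flags granted entry into a sensitive area outside its permitted hours, repeated denied attempts by one badge, and re-entry into an area by a badge that never badged out (an anti-passback violation). The area names, permitted hours, badge identifiers and the denial threshold are assumptions chosen for illustration.

```python
"""Review of a physical access (badge) log, illustrating 7.2 b) and 7.4.

Added example with constructed sample events; the policy values below are
placeholders, not values from the standard.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log, one event per line:
# timestamp,badge_id,area,direction,result
SAMPLE_LOG = """\
2024-03-04T08:55:10,B1001,lobby,in,granted
2024-03-04T09:00:02,B1001,server_room,in,granted
2024-03-04T09:40:15,B1001,server_room,out,granted
2024-03-04T12:10:00,B2002,server_room,in,denied
2024-03-04T12:10:20,B2002,server_room,in,denied
2024-03-04T12:10:41,B2002,server_room,in,denied
2024-03-04T14:00:00,B1001,server_room,in,granted
2024-03-04T15:30:00,B1001,server_room,in,granted
2024-03-04T22:30:05,B3003,server_room,in,granted
"""

# Assumed policy: permitted hours (local time) per sensitive area, and how many
# denied attempts by one badge warrant a finding.
SENSITIVE_HOURS = {"server_room": (time(7, 0), time(19, 0))}
DENIED_THRESHOLD = 3


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    badge: str
    area: str
    direction: str  # "in" or "out"
    result: str     # "granted" or "denied"


def parse_log(text: str) -> list:
    """Parse CSV lines into AccessEvent objects, sorted by time; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, direction, result = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, area, direction, result))
    return sorted(events, key=lambda e: e.ts)


def review_access_log(events: list) -> list:
    """Return human-readable findings for a reviewer, in event order."""
    findings = []
    denied = defaultdict(int)       # badge -> number of denied attempts
    inside = defaultdict(set)       # area  -> badges currently believed inside
    for e in events:
        # 1) granted entry to a sensitive area outside its permitted hours
        if e.result == "granted" and e.direction == "in" and e.area in SENSITIVE_HOURS:
            start, end = SENSITIVE_HOURS[e.area]
            if not (start <= e.ts.time() <= end):
                findings.append(f"after-hours entry: {e.badge} into {e.area} at {e.ts.isoformat()}")
        # 2) repeated denied attempts by the same badge (reported once, at the threshold)
        if e.result == "denied":
            denied[e.badge] += 1
            if denied[e.badge] == DENIED_THRESHOLD:
                findings.append(f"repeated denials: {e.badge} denied {DENIED_THRESHOLD} times")
        # 3) anti-passback: a badge entering an area it has not left (shared or
        #    cloned badge, or tailgating on the way out)
        if e.result == "granted":
            if e.direction == "in":
                if e.badge in inside[e.area]:
                    findings.append(f"anti-passback: {e.badge} entered {e.area} without badging out")
                inside[e.area].add(e.badge)
            elif e.direction == "out":
                inside[e.area].discard(e.badge)
    return findings


if __name__ == "__main__":
    for finding in review_access_log(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this produces three findings (the three B2002 denials, B1001 re-entering the server room at 15:30 without an exit, and B3003 entering at 22:30). A real review would read the log from the access control system's export and also check that the log itself has not been altered (see 5.33).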
Visitors
The following guidelines should be considered:
a) authenticate the identity of visitors by an appropriate means;
b) record the date and time of arrival and departure of visitors;
c) assign access to visitors only for specific authorized purposes, together with instructions on area security
requirements and emergency procedures;
d) monitor all visitors, unless an explicit exception has been granted.
Delivery and loading areas and receipt of material
The following guidelines should be considered:
a) limit access to delivery and loading areas from outside the building to personnel
identified and authorized;
b) design delivery and loading areas so that deliveries can be loaded and unloaded without the delivery staff having
unauthorized access to other parts of the building;
c) secure the exterior doors of the delivery and loading areas when the doors leading
to restricted areas are open;
d) inspect and examine incoming deliveries for the presence of explosives, chemicals or other hazardous
substances, before they leave the delivery and loading areas;
e) record incoming deliveries in accordance with asset management procedures (see 5.9
and 7.10) upon arrival at the site;
f) physically separate incoming and outgoing shipments, if possible;
g) inspect incoming shipments for any tampering that occurred during transit. If tampering is identified, it should be
reported immediately to security personnel.
Additional Information
No additional information.
7.3 Securing offices, rooms and facilities
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection
Security measure
Physical security measures should be designed and implemented for offices,
rooms and facilities.
Objective
Prevent unauthorized physical access, damage and interference impacting information and other associated assets
of the organization in offices, rooms and facilities.
Recommendations
Consideration should be given to the following guidelines for securing offices, rooms and facilities:
a) locate critical facilities in such a way as to avoid public access;
b) as far as possible, ensure that the buildings are discreet and give the minimum indication of their purpose, without
any obvious sign, outside or inside the building, that would allow information processing activities to be identified;
c) configure the facilities to prevent confidential information or activities from being visible and audible from the
outside. If necessary, consideration should be given to the provision of electromagnetic shielding;
d) do not make directories, internal telephone directories and online maps identifying the location of confidential
information processing facilities easily accessible to unauthorized persons.
Additional Information
No additional information.
7.4 Physical security monitoring
Type of security measure: #Preventive #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #Physical_Security
Security domains: #Protection #Defense
Security measure
The premises should be continuously monitored to prevent unauthorized physical access.
Objective
Detect and deter unauthorized physical access.
Recommendations
Physical premises should be monitored using surveillance systems, which may include security guards,
intruder alarms, video surveillance systems such as closed-circuit television (CCTV) and physical security
information management software, managed internally or by a monitoring service provider.
Access to buildings that house critical systems should be continuously monitored to detect unauthorized
access or suspicious behavior by means of:
a) installation of video surveillance systems such as closed-circuit television to view and record access to sensitive
areas inside and outside the organisation's premises;
b) the installation, in accordance with the relevant applicable standards, and periodic testing of contact,
sound or motion detectors capable of triggering an intruder alarm, for example:
1) the installation of contact detectors which trigger an alarm when a contact is made or broken at
any place where a contact can be made or broken (such as windows, doors and under objects)
in order to serve as a panic alarm;
2) motion detectors based on infrared technology that trigger an alarm
when an object passes through their field of vision;
3) installation of sensors sensitive to the sound of breaking glass that can be used to trigger an
alarm to alert security personnel;
c) the use of these alarms to cover all exterior doors and accessible windows.
Unoccupied areas should be equipped with permanently activated alarms. Other areas should also
be covered (e.g. computer or telecommunications rooms).
The design of surveillance systems should be kept confidential as disclosure may facilitate undetected
break-ins.
Surveillance systems should be protected from unauthorized access to prevent unauthorized persons
gaining access to surveillance information, such as video recordings, or the systems being disabled
remotely.
The alarm system control panel should be located in an area equipped with an alarm and, in the case of
security alarms, in a location providing an easy egress for the
person who activates the alarm. The control panel and detectors should be equipped with tamper-proof
mechanisms. The system should be tested regularly to ensure that it operates as expected, particularly
if its components are battery powered.
Any monitoring and recording system should be used taking into account local laws and regulations,
including data protection and personal data protection legislation, in particular with regard to the
monitoring of personnel and the retention periods for video recordings.
Additional Information
No additional information.
7.5 Protection against physical and environmental threats
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Protection against physical and environmental threats such as natural disasters and other intentional or
unintentional physical threats to infrastructure should be designed and implemented.
Objective
Prevent or reduce the consequences of events resulting from physical or environmental threats.
Recommendations
Risk assessments should be carried out to identify the potential consequences of physical and
environmental threats before commencing critical operations at a physical site, and at regular intervals
thereafter. Implement the necessary protections and monitor changes in threats. Specialist advice should
be sought on how to manage risks from physical and environmental threats, such as fires, floods, earthquakes,
explosions, social unrest, toxic waste, polluting emissions and other forms of natural or man-made
disasters.
The location and construction of physical premises should take into account:
a) local topography, such as appropriate elevation, water bodies and tectonic faults;
b) urban threats, such as locations with a high probability of attracting political unrest,
criminal activities or terrorist attacks.
Based on the results of risk assessments, relevant physical and environmental threats should be
identified and appropriate security measures should be considered, for example in the following contexts:
a) fire: install and configure systems capable of detecting fires at their very beginning to send alarms or
trigger fire extinguishing systems in order to prevent fire damage to storage media and associated
information processing systems. The fire should be extinguished with the most appropriate substance
in relation to the surrounding environment (e.g. gas in confined spaces);
b) flooding: install systems capable of detecting flooding at its very beginning, under the ground of areas containing storage media
or information processing systems.
Water pumps or equivalent means should be readily available in the event of flooding;
c) electrical overvoltages: adopt systems capable of protecting both client and server information systems against electrical
overvoltages or similar events in order to minimize the consequences of such events;
d) explosives and weapons: carry out random inspections to ensure the absence of explosives or weapons on personnel, in
vehicles or in goods entering sensitive information handling facilities.
Additional Information
Safes or other forms of secure storage can protect the information stored therein from disasters such as fires, earthquakes, floods
or explosions.
Organizations can consider crime prevention concepts through environmental design when designing security measures to secure
their environment and reduce urban threats. For example, instead of using bollards, statues or water features can serve as both
landscaping and a physical barrier.
7.6 Working in secure areas
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Security measures for working in secure areas should be designed and implemented.
Objective
Protect information and other associated assets in secure areas from damage and unauthorized interference by personnel working
in those areas.
Recommendations
Security measures for working in secure areas should apply to all personnel and cover all activities taking place in the secure area.
The following guidelines should be considered:
a) inform personnel of the existence of secure areas or of the activities taking place there, only on a need-to-know basis;
b) avoid unsupervised work in secure areas, both for safety reasons and to reduce the possibility of malicious activity;
c) physically lock and periodically inspect unoccupied secure areas;
d) prohibit photographic, video, audio, or other recording equipment, such as cameras embedded in user endpoint devices, unless
permitted;
e) appropriately supervise the transport and use of user endpoint devices in secure areas;
f) post emergency procedures so that they are easily visible or accessible.
Additional Information
No additional information.
7.7 Clear desk and clear screen
Type of security measure: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Clear desk rules, clear of paper documents and removable storage media, and clear screen rules for
information processing facilities should be defined and enforced as appropriate.
Objective
Reduce the risk of unauthorized access, loss, and damage to information on desks, screens, and other
accessible locations during and outside normal working hours.
Recommendations
The organization should establish and communicate to all relevant interested parties a policy specific to
the topic of clear desk and clear screen.
The following guidelines should be considered:
a) lock away sensitive or critical business information (for example, in paper format or on electronic storage
media), preferably in a safe, cabinet or other form of secure furniture, when not in use,
especially when the premises are empty;
b) protect user endpoint devices with key locks or other security means when not in use or left unattended;
c) log off user endpoint devices, or protect them with a screen and keyboard lock controlled by a
user authentication mechanism, when left unattended. All computers and systems should be
configured with a timeout or automatic logoff feature;
d) ensure the originator retrieves output from printers or multifunction devices immediately. Consider the use of
printers with an authentication function, so that only originators can retrieve their prints, and only when
they are in front of the printer;
e) securely store documents and removable storage media containing sensitive information and, when
no longer required, dispose of them using secure destruction mechanisms;
f) establish and communicate rules and recommendations for configuring pop-ups on screens (e.g.,
disable new email notification and messaging pop-ups, if possible, during presentations, screen
sharing or in a public place);
g) erase sensitive or critical information on whiteboards and other types of displays
when they are no longer needed.
The organization should have procedures in place for when staff leave the premises, including carrying out
a final inspection before leaving to ensure that no organizational assets are left behind (e.g. documents fallen
behind drawers or furniture).
Additional Information
No additional information.
7.8 Location and protection of equipment
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection
Security measure
A secure location for the equipment should be chosen and protected.
Objective
Reduce risk from physical and environmental threats, and unauthorized access and damage.
Recommendations
Consideration should be given to the following guidelines for protecting equipment:
a) select a location for the equipment to minimize unnecessary access to work areas and prevent
unauthorized access;
b) carefully position information processing facilities handling sensitive data in order to reduce the
risk that this information is seen by unauthorized persons during its use;
c) adopt security measures to minimize the risk of potential physical and environmental threats [e.g.
theft, fire, explosions, smoke, water leaks (or water supply failure), dust, vibration, chemical effects,
power supply interference, communications interference, electromagnetic radiation and vandalism];
d) set guidelines on eating, drinking and smoking near information processing facilities;
e) monitor environmental conditions, such as temperature and humidity, to detect conditions that
may adversely affect the operation of the information processing facilities;
f) equip all buildings with a lightning rod and equip all incoming electrical and telecommunication lines
with lightning arresters;
g) consider the use of specific protection methods, such as membrane keypads, for equipment in
industrial environments;
h) protect equipment handling confidential information to minimize the risk of information leakage
due to electromagnetic radiation;
i) physically separate the information processing facilities operated by the organization from those
that it does not manage.
Additional Information
No additional information.
7.9 Security of off-premises assets
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection
Security measure
Off-site assets should be protected.
Objective
Prevent loss, damage, theft, or compromise of offsite devices and business disruption.
Recommendations
Any device used outside the organization's premises that stores or processes information (e.g. mobile device),
including organization-owned devices or private devices used on behalf of the organization [bring your own
device (BYOD)], needs protection.
Use of these terminals should be authorized by management.
Consideration should be given to the following guidelines for the protection of endpoints that store or process
information outside of the organization's premises:
a) not leave equipment and storage media taken out of the premises unattended in public and unsecured
places;
b) follow the manufacturer's instructions for protecting the equipment at all times (e.g. protection against
exposure to strong electromagnetic fields, water, heat, humidity, dust);
c) when equipment circulates off the premises of the organization between different persons or interested parties,
maintain a log that describes the chain of custody of the equipment and includes at least the names and
organizations of the persons responsible for the equipment. Information that does not need to be transferred
with the asset should be securely deleted prior to transfer;
d) where necessary and possible, request authorization for equipment and media to be removed from the
organization's premises and keep a record of such removals in order to maintain a system of traceability
(see 5.14);
e) protect against viewing information on a device (e.g. mobile or laptop) on public transport, and against the
risks associated with 'over-the-shoulder reading';
f) implement geo-fencing and remote data wipe functions for devices.
Installation of equipment outside the organization's premises [such as antennas and automatic teller machines
(ATMs)] may be subject to a higher risk of damage, theft
or interception. These risks can vary considerably from place to place and should be taken into account
when determining the most appropriate measures. Consideration should be given to the following
guidelines when installing such equipment outside the organization's premises:
a) physical security monitoring (see 7.4);
b) protection against physical and environmental threats (see 7.5);
c) security measures for physical access and tamper protection;
d) logical access controls.
Additional Information
More information on other aspects of protecting information storage and processing equipment and user
end devices is available in 8.1 and 6.7.
7.10 Storage media
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection
Security measure
Storage media should be managed throughout their lifecycle of acquisition, use, transportation, and
disposal in accordance with the organization's classification scheme and processing requirements.
Objective
Ensure that only authorized disclosure, modification, removal, or destruction of organization information
on storage media is performed.
Recommendations
Removable storage media
Consideration should be given to the following guidelines for managing removable storage media:
a) establish a topic-specific policy for the management of removable storage media and communicate
the topic-specific policy to anyone who uses or handles removable storage media;
b) where necessary and possible, request authorization for storage media to be removed from the
organization and keep a record of such removals in order to maintain a system of traceability;
c) store all storage media in a safe and secure environment according to their information classification,
and protect them from environmental threats (such as heat, humidity, electromagnetic fields or
aging) in accordance with the manufacturer's specifications;
d) if confidentiality or integrity of information is important, use cryptographic techniques to protect
information on removable storage media;
e) to mitigate the risks of degradation of the storage media when the stored information is still in use,
transfer this information to a new storage medium before it becomes unreadable;
f) store multiple copies of important information on separate storage media to further reduce the risk of
accidental damage or loss of information;
g) consider keeping a record of removable storage media to limit the risk of loss of information;
h) enable removable storage media ports (e.g. SD card slots or USB ports) only if the organization has a
reason to use them;
i) when there is a need to use removable storage media, control the transfer of information to such
storage media;
j) the information may be vulnerable to unauthorized access, fraudulent use or alteration during physical
transport, for example when sending storage media by post or carrier.
This “Storage Media” security measure includes paper documents. When transferring physical storage
media, apply the security measures of 5.14.
Safe reuse or disposal
Procedures for the safe reuse or disposal of storage media should be defined to minimize the risk of
leakage of confidential information to unauthorized persons. Procedures for the safe reuse or disposal
of storage media containing confidential information should be commensurate with the sensitivity of that
information. Consideration should be given to the following:
a) if there is a need in the organization to reuse storage media containing confidential information,
securely erase or format the storage media before reuse (see 8.10);
b) dispose of storage media containing confidential information securely when they are no longer
needed (e.g. by secure destruction, shredding or deletion of the contents);
c) have procedures in place to identify the items that may require secure disposal;
d) many organizations offer collection and disposal services for storage media; care should be taken
to select a suitable external party with adequate security measures and experience;
e) log the disposal of sensitive items to maintain a traceability system;
f) when storage media are accumulated for disposal, consider the aggregation effect which can cause a
large amount of non-sensitive information to become sensitive.
A risk assessment should be performed on damaged devices containing sensitive data to determine
whether the items should be physically destroyed rather than sent for repair or discarded (see 7.14).
Additional Information
Where storage media contain unencrypted confidential information, additional physical protection of the
storage media should be considered.
7.11 Supporting utilities
Type of security measure: #Preventive #Detective
Information security properties: #Integrity #Availability
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Information processing facilities should be protected from power failures and other disruptions caused by
failures in supporting utilities.
Objective
Prevent loss, damage or compromise of information and other associated assets, or interruption to the
organization's operations, due to failure and disruption of supporting utilities.
Recommendations
Organizations depend on supporting utilities (e.g. electricity, telecommunications, water supply, gas,
sewage, ventilation and air conditioning) to support their information processing facilities.
Therefore, the organization should:
a) ensure that equipment supporting utilities is configured, operated and maintained in accordance
with the relevant manufacturer's specifications;
b) ensure that supporting utilities are assessed regularly for their capacity to meet business growth and
interactions with other supporting utilities;
c) ensure that equipment supporting utilities is regularly inspected and tested to ensure its proper
functioning;
d) where necessary, raise alarms to detect malfunctions in supporting utilities;
e) where necessary, ensure that supporting utilities have multiple feeds with diverse physical routing;
f) ensure that equipment supporting utilities is on a separate network from the information processing
facilities, if connected to a network;
g) ensure that equipment supporting utilities is connected to the internet only when necessary and
only in a secure manner.
Emergency lighting and communications should be provided. Emergency switches and valves to cut off
power, water, gas or other utilities should be located near emergency exits or equipment rooms.
Emergency contact details should be recorded and made available to personnel in the event of a
utility failure.
Additional Information
Additional redundancy for network connectivity can be obtained by means of multiple routes from more
than one utility provider.
7.12 Cabling security
Type of security measure: #Preventive
Information security properties: #Confidentiality #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security
Security domains: #Protection
Security measure
Cables carrying power, data or supporting information services should be protected from interception,
interference or damage.
Objective
Prevent loss, damage, theft or compromise of information and other associated assets, and interruption
to the organization's operations, related to power and communications cabling.
Recommendations
The following guidelines for cabling security should be considered:
a) bury power and telecommunications lines into information processing facilities where possible, or
subject them to adequate alternative protection, such as floor cable protectors and utility poles; if
cables are underground, protect them from accidental cuts (e.g. with armoured conduits or signs
indicating their presence);
b) separate electrical cables from communications cables to avoid interference;
c) for sensitive or critical systems, further security measures to consider include:
1) installation of armoured conduit, and locked rooms or boxes and alarms at inspection and
termination points;
2) use of electromagnetic shielding to protect the cables;
3) periodic technical sweeps and physical inspections to detect unauthorized devices attached to
the cables;
4) controlled access to patch panels and cable rooms (e.g. with mechanical keys or PINs);
5) use of fibre optic cables;
d) labelling cables at each end with sufficient source and destination details to enable physical
identification and inspection of the cable.
Specialist advice should be sought on how to manage risks arising from wiring incidents or malfunctions.
Additional Information
Power and telecommunications cabling are sometimes resources shared by several organizations
occupying the same premises.
7.13 Equipment maintenance
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection #Resilience
Security measure
Equipment should be properly maintained to ensure the availability, integrity and confidentiality of information.
Objective
Prevent loss, damage, theft or compromise of information and other associated assets and disruption of
business operations caused by lack of maintenance.
Recommendations
The following guidelines for equipment maintenance should be considered:
a) maintain equipment in accordance with the supplier's recommended service intervals and specifications;
b) implement a maintenance programme and ensure that it is monitored by the organization;
c) have repairs and servicing of equipment carried out only by authorized maintenance personnel;
d) record all suspected or actual faults, and all preventive and corrective maintenance;
e) implement appropriate security measures when equipment is scheduled for maintenance, taking into
account whether this maintenance is performed by personnel on site or external to the organization;
subject the maintenance personnel to an appropriate confidentiality agreement;
f) supervise maintenance personnel when carrying out maintenance on site;
g) authorize and control access for remote maintenance;
h) apply the security measures for assets off premises (see 7.9) if equipment containing information
is removed from the premises for maintenance;
i) comply with all maintenance requirements imposed by insurance;
j) before putting equipment back into operation after maintenance, inspect it to ensure that it has not
been tampered with and is functioning properly;
k) apply the measures for secure disposal or re-use of equipment (see 7.14) if it is decided that the
equipment is to be disposed of.
Additional Information
Equipment includes technical components of information processing facilities, uninterruptible power
supplies (UPS) and batteries, generators, alternators and power converters, physical intrusion detection
systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.
7.14 Secure disposal or re-use of equipment
Type of security measure: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Physical_Security #Asset_management
Security domains: #Protection
Security measure
Items of hardware containing storage media should be checked to ensure that sensitive data and licensed
software have been securely deleted or overwritten before disposal or reuse.
Objective
Prevent leakage of information from equipment to be disposed of or re-used.
Recommendations
Equipment should be checked to ensure whether or not it contains storage media before disposal or
reuse.
Storage media containing confidential or copyrighted information should be physically destroyed, or the
information should be destroyed, deleted or overwritten using techniques that make the original
information non-retrievable rather than using the standard delete function. See 7.10 for detailed
guidance on the secure disposal of storage media and 8.10 for guidance on information deletion.
Labels and markings identifying the organization or indicating classification, owner, system or network
should be removed prior to disposal, including when the equipment is resold or donated to charity.
The organization should consider removing security measures such as access controls or surveillance
equipment at the end of a lease or when it moves out of premises. This depends on factors such as:
a) its lease agreement requiring the facility to be returned to its original condition;
b) minimizing the risk of leaving systems containing sensitive information for the next tenant
(e.g. user access lists, video or image files);
c) the possibility of reusing the security measures at the next facility.
Additional Information
Damaged equipment containing storage media can require a risk assessment to determine whether the
items should be physically destroyed rather than sent for repair or discarded. Information can be
compromised through careless disposal or re-use of equipment.
In addition to secure disk erasure, full-disk encryption reduces the risk of disclosure of confidential
information when equipment is disposed of or redeployed, provided that:
a) the encryption process is sufficiently strong and covers the entire disk (including slack space
and swap files);
b) the cryptographic keys are long enough to resist brute force attacks;
c) the cryptographic keys are themselves kept confidential (e.g. never stored on the same disk).
For additional guidance on cryptography, see 8.24.
Storage media secure overwrite techniques differ depending on the storage media technology and the
classification level of the information on the storage media. Overwrite tools should be reviewed to ensure
that they are appropriate for the storage media technology.
See ISO/IEC 27040 for more information on sanitization methods for storage media.
8 Technological security measures
8.1 User endpoint devices
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Asset_management #Information_protection
Security domains: #Protection
Security measure
Information stored on, processed by or accessible via user endpoint devices should be protected.
Objective
Protect information against the risks introduced by the use of user endpoint devices.
Recommendations
General
The organization should establish a topic-specific policy on the secure configuration and handling of
user endpoint devices. The topic-specific policy should be communicated to all relevant personnel and
should consider the following:
a) the type of information and the classification level that user endpoint devices can handle, process,
store or support;
b) registration of user endpoint devices;
c) requirements for physical protection;
d) restriction of software installation (e.g. remotely controlled by system administrators);
e) requirements for user endpoint device software (including software versions) and for applying
updates (e.g. automatic updates enabled);
f) rules for connection to information services, public networks or any other network off premises
(e.g. requiring the use of a personal firewall);
g) access controls;
h) storage device encryption;
i) protection against malware;
j) remote disabling, deletion or lockout;
k) backups;
l) use of web services and web applications;
m) end-user behavior analysis (see 8.16);
n) use of removable devices, including removable memory devices, and the possibility of disabling
physical ports (e.g. USB ports);
o) use of partitioning capabilities, if supported by the user endpoint device, which can securely
separate the organization's information and other associated assets (e.g. software) from other
information and associated assets on the device.
Consideration should be given to whether certain information is so sensitive that it should only be
accessed via user endpoint devices but not stored on them. In such cases, additional technical
safeguards may be required on the device, for example ensuring that downloading files for offline
work is disabled and that local storage, such as an SD card, is disabled.
Where possible, the recommendations of this security measure should be implemented through
configuration management (see 8.9) or automated tools.
User Responsibilities
All users should be made aware of the security requirements and procedures for protecting users' end
devices, as well as their responsibilities for implementing these security measures. Users should be
advised to:
a) log off active sessions and terminate services when no longer needed;
b) protect user endpoint devices from unauthorized use with a physical control (e.g. key lock or
special locks) and a logical control (e.g. password access) when not in use; not leave devices
carrying important, sensitive or critical business information unattended;
c) use devices with special care in public places, open offices, meeting places and other unprotected
areas (e.g. avoid reading confidential information if people can read from behind the user, use
privacy screen filters);
d) physically protect user endpoint devices against theft (e.g. in cars or other means of transport,
hotel rooms, conference centres and meeting rooms).
A specific procedure taking into account the legal, statutory, regulatory, contractual (including
insurance) and other security requirements of the organization should be established for cases of
theft or loss of user endpoint devices.
Use of personal devices
When the organization allows the use of personal devices (sometimes known as BYOD, bring your own
device), in addition to the guidance given in this security measure, the following should be
considered:
a) separation of personal and business use of the devices, including using software to support such
separation and to protect business data on a private device;
b) allow access to business information only when users have acknowledged their obligations (physical
protection, software updates, etc.), waive ownership of the data
and allow the organization to erase data remotely in the event of theft or loss of the device, or
when use of the service is no longer authorized. In these cases, personal data protection
legislation should be taken into account;
c) topic-specific policies and procedures to prevent disputes concerning rights to intellectual
property developed on privately owned devices;
d) access to privately owned devices (to verify the security of the device or during an investigation),
which can be prevented by legislation;
e) software licensing agreements under which organizations can become liable for licensing client
software on user endpoint devices owned privately by personnel or by users of external parties.
Wireless connections
The organization should establish procedures for:
a) the configuration of wireless connections on devices (e.g. disabling vulnerable protocols);
b) using wireless or wired connections with appropriate bandwidth in line with the relevant topic-specific policies (e.g. because backups or software updates are needed).
Additional Information
Security measures to protect user end device information vary depending on whether the user end
device is used only within the organization's secure premises and network connections, or if it is
exposed to an increase in physical and network threats outside the organization.
Wireless connections for user endpoint devices are similar to other types of network connection but
have important differences that should be considered when identifying security measures. In particular,
backup of information stored on user endpoint devices can sometimes fail because of limited network
bandwidth or because the devices are not connected at the times when backups are scheduled.
For some USB ports, such as USB-C, disabling the port is not possible because it is used for other
purposes (e.g. power supply and display output).
8.2 Privileged access rights
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
The assignment and use of privileged access rights should be limited and managed.
Objective
Ensure that only authorized users, software components, and services are granted privileged access
rights.
Recommendations
The assignment of privileged access rights should be controlled through an authorization process in
accordance with the applicable access control topic-specific policy (see 5.15). The following should be
considered:
a) identify the users who need privileged access rights for each system or process (for example,
operating systems, database management systems and applications);
b) assign privileged access rights to users as needed and on a case-by-case basis, in accordance with
the topic-specific access control policy (see 5.15) (i.e. only to persons with skills necessary to carry
out activities requiring privileged access and on the basis of the minimum required for their
operational functions);
c) maintain an authorization process (i.e. determining who can approve privileged access rights, and
not granting privileged access rights until the authorization process is complete) and a record of
all privileges allocated;
d) define and implement requirements related to the expiration of privileged access rights;
e) take steps to ensure that users are aware of their privileged access rights and know when they are in
privileged access mode. Possible measures include using specific user identities, user interface
settings, or even specific hardware;
f) authentication requirements for privileged access rights can be higher than the requirements for
normal access rights; re-authentication or step-up authentication may be necessary before work with
privileged access rights;
g) regularly, and after any organizational change, review users working with privileged access rights
in order to verify whether their duties, roles, responsibilities and competence still qualify them to
work with privileged access rights (see 5.18);
h) establish specific rules in order to avoid the use of generic administrative user identifiers (such as
"root"), depending on the configuration possibilities of the systems. Manage and protect the
authentication information of these identities (see 5.17);
i) grant temporary privileged access rights only for the time window necessary to implement approved
changes or activities (e.g. for maintenance activities or some critical changes), rather than
granting privileged access rights permanently. This approach is often referred to as a “break-glass” procedure and is often automated by privileged access management technologies;
j) log all privileged access to systems for auditing purposes;
k) do not share or link identities with privileged access rights between several persons; assign each
person a separate identity which allows specific privileged access rights to be assigned. Identities
can be grouped (e.g. by defining an administrator group) in order to simplify the management of
privileged access rights;
l) use identities with privileged access rights only for administrative tasks and not for general
day-to-day tasks (i.e. checking email or accessing the web; users should have a separate normal
network identity for these activities).
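The authorized, time-bound and logged grants described in c), d), i), j) and k) above, as an added Python illustration that is not code from ISO/IEC 27002 or any privileged access management product; the class and method names, the approver list, the constructed scenario and the 8-hour policy maximum are assumptions.

```python
"""Time-bound privileged access with an authorization step and an audit trail.

Added illustration; not code from ISO/IEC 27002 or any product. Class and
method names, the approver list and the policy maximum are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    identity: str          # a personal identity, never a shared admin account (k)
    role: str              # privileged role, e.g. "os-admin"
    approved_by: str       # who authorized the grant (c)
    reason: str            # the approved change or activity (i)
    expires_at: datetime   # expiry of the privilege (d, i)


class PrivilegedAccessManager:
    GENERIC_IDS = {"root", "admin", "administrator"}   # refused as identities (h)
    MAX_DURATION = timedelta(hours=8)                  # assumed policy maximum

    def __init__(self, approvers):
        self._approvers = set(approvers)   # who may authorize privileged access (c)
        self._grants = {}                  # (identity, role) -> Grant
        self.audit_log = []                # append-only record of grants and use (c, j)

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def request(self, identity, role, approved_by, reason, duration, now):
        """Grant a temporary privilege, or refuse and record why."""
        why = None
        if identity.lower() in self.GENERIC_IDS:
            why = "generic identity not allowed"
        elif approved_by not in self._approvers:
            why = "approver not authorized"
        elif duration > self.MAX_DURATION:
            why = "duration exceeds policy maximum"
        if why is not None:
            self._log("denied", identity=identity, role=role, why=why)
            return False
        grant = Grant(identity, role, approved_by, reason, now + duration)
        self._grants[(identity, role)] = grant
        self._log("granted", identity=identity, role=role, approved_by=approved_by,
                  reason=reason, expires_at=grant.expires_at.isoformat())
        return True

    def revoke(self, identity, role, by, now):
        """Withdraw a grant early, e.g. after a review or a role change (g)."""
        if self._grants.pop((identity, role), None) is None:
            return False
        self._log("revoked", identity=identity, role=role, by=by, at=now.isoformat())
        return True

    def use(self, identity, role, action, now):
        """Allow a privileged action only under a live grant; log it either way (j)."""
        grant = self._grants.get((identity, role))
        if grant is None or now >= grant.expires_at:
            self._log("denied", identity=identity, role=role, action=action,
                      why="no active grant")
            return False
        self._log("used", identity=identity, role=role, action=action, at=now.isoformat())
        return True

    def active_grants(self, now):
        """Grants still in force: the input for the periodic review in g)."""
        return [g for g in self._grants.values() if now < g.expires_at]


def demo():
    """Constructed scenario: only Alice may approve; Bob needs an hour of os-admin."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    pam = PrivilegedAccessManager(approvers={"alice"})
    one_hour = timedelta(hours=1)
    r = {}
    r["shared_id"] = pam.request("root", "os-admin", "alice", "patching", one_hour, t0)
    r["unapproved"] = pam.request("bob", "os-admin", "carol", "patching", one_hour, t0)
    r["granted"] = pam.request("bob", "os-admin", "alice", "patching (change ref placeholder)",
                               one_hour, t0)
    r["in_window"] = pam.use("bob", "os-admin", "apply OS patches", t0 + timedelta(minutes=30))
    r["after_expiry"] = pam.use("bob", "os-admin", "apply OS patches", t0 + timedelta(hours=2))
    # A second grant that is withdrawn early after a review.
    r["second"] = pam.request("bob", "db-admin", "alice", "index rebuild", one_hour * 2, t0)
    r["active"] = len(pam.active_grants(t0))
    r["revoked"] = pam.revoke("bob", "db-admin", "alice", t0 + timedelta(minutes=10))
    r["after_revoke"] = pam.use("bob", "db-admin", "rebuild index", t0 + timedelta(minutes=15))
    r["events"] = [e["event"] for e in pam.audit_log]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```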
Additional Information
Privileged access rights are access rights granted to an identity, function or process, which allow the
performance of activities that normal users or processes cannot perform. System administrator functions
generally require privileged access rights.
Inappropriate use of system administrator privileges (any feature or facility of an information system
that enables the user to override system or application controls) is a major contributing factor to
failures or breaches of systems.
More information on access management and secure management of access to information and
communication technology resources can be found in ISO/IEC 29146.
8.3 Information access restriction
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
Access to information and other associated assets should be restricted in accordance with the
established topic-specific policy on access control.
Objective
Ensure authorized access only and prevent unauthorized access to information and other associated
assets.
Recommendations
Access to information and other associated assets should be restricted in accordance with the established topic-specific policies. The following should be considered in order to support access restriction requirements:
a) not allowing access to sensitive information by unknown user identities or anonymously; public or
anonymous access should be granted only to storage locations that do not contain sensitive information;
b) providing configuration mechanisms to control access to information in systems, applications and
services;
c) controlling which data can be accessed by a particular user;
d) controlling which identities or groups of identities have which type of access, such as read,
write, delete and execute;
e) providing physical or logical access controls for the isolation of sensitive applications,
application data or systems.
In addition, dynamic access management techniques and processes to protect sensitive information that
has significant value to the organization should be considered when the organization:
a) needs granular control over who can access this information, for how long, and
in what way;
b) wants to share this information with people outside the organization and keep control over who can
access it;
c) wants to dynamically manage, in real time, the use and distribution of this information;
d) wants to protect this information against unauthorized modification, reproduction and dissemination
(including printing);
e) wants to monitor the use of the information;
f) wants to record any changes to this information in the event that a future investigation
would be necessary.
Dynamic access management techniques should protect information throughout its life cycle (i.e.
creation, processing, storage, transmission and disposal), including:
a) definition of dynamic access management rules based on specific use cases, considering:
1) granting access permissions based on identity, device, location or application;
2) use of the classification scheme to determine which information needs to be protected with
dynamic access management techniques;
b) establishment of operational, monitoring and reporting processes and of a supporting technical
infrastructure.
Dynamic access management systems should protect information by:
a) requiring authentication, appropriate credentials or a certificate to access the
information;
b) limiting access, for example to a specified period of time (for example, after a date
given or until a given date);
c) using encryption to protect information;
d) setting print permissions for the information;
e) recording who accesses the information and how the information is used;
f) generating alerts if attempts to misuse the information are detected.
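The rule-based protection of a shared document described above (access tied to identity, device and location, limited in time, print controlled separately, every use recorded, alerts on attempted misuse, permissions revocable at any time), as an added Python illustration that is not from ISO/IEC 27002 or any rights-management product; the class and field names, the constructed document and the partner identity are assumptions.

```python
"""Dynamic access management for a shared document.

Added illustration; not code from ISO/IEC 27002 or any rights-management
product. Class and field names and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Rule:
    identity: str
    rights: set                             # subset of {"read", "modify", "print"}
    valid_until: Optional[datetime] = None  # None = no time limit
    locations: Optional[set] = None         # None = any location
    devices: Optional[set] = None           # None = any device


@dataclass
class Context:
    identity: str
    device: str
    location: str
    now: datetime


class ProtectedDocument:
    def __init__(self, doc_id, classification):
        self.doc_id = doc_id
        self.classification = classification
        self._rules = {}      # identity -> Rule; the rules travel with the information
        self.usage_log = []   # who accessed what, how and when
        self.alerts = []      # denied attempts, for monitoring and reporting

    def grant(self, rule):
        self._rules[rule.identity] = rule     # permissions can be changed at any time

    def revoke(self, identity):
        self._rules.pop(identity, None)       # e.g. during incident response

    def _deny_reason(self, rule, action, ctx):
        if rule is None:
            return "no permission for this identity"
        if rule.valid_until is not None and ctx.now >= rule.valid_until:
            return "access period has ended"
        if rule.locations is not None and ctx.location not in rule.locations:
            return "location not permitted"
        if rule.devices is not None and ctx.device not in rule.devices:
            return "device not permitted"
        if action not in rule.rights:
            return f"'{action}' not permitted"
        return None

    def request(self, action, ctx):
        """Evaluate one access request, record it, and alert if it is denied."""
        reason = self._deny_reason(self._rules.get(ctx.identity), action, ctx)
        entry = {"doc": self.doc_id, "who": ctx.identity, "action": action,
                 "device": ctx.device, "location": ctx.location,
                 "at": ctx.now.isoformat(), "allowed": reason is None, "reason": reason}
        self.usage_log.append(entry)
        if reason is not None:
            self.alerts.append(entry)   # every denied attempt is treated as possible misuse
        return reason is None


def demo():
    """Constructed scenario: a confidential report shared with an external partner."""
    doc = ProtectedDocument("report-2024-q1", "confidential")
    doc.grant(Rule("partner@example.org", {"read"},
                   valid_until=datetime(2024, 2, 1, tzinfo=timezone.utc),
                   locations={"partner-office"}))
    jan = datetime(2024, 1, 20, 10, 0, tzinfo=timezone.utc)
    feb = datetime(2024, 2, 5, 10, 0, tzinfo=timezone.utc)
    at_office = Context("partner@example.org", "laptop-7", "partner-office", jan)
    at_cafe = Context("partner@example.org", "laptop-7", "cafe-wifi", jan)
    later = Context("partner@example.org", "laptop-7", "partner-office", feb)
    results = {
        "read_in_window": doc.request("read", at_office),
        "print_attempt": doc.request("print", at_office),
        "read_elsewhere": doc.request("read", at_cafe),
        "read_after_end": doc.request("read", later),
    }
    doc.revoke("partner@example.org")     # sharing withdrawn, e.g. after an incident
    results["read_after_revoke"] = doc.request("read", at_office)
    results["alert_reasons"] = [a["reason"] for a in doc.alerts]
    results["logged"] = len(doc.usage_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```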
Additional Information
Dynamic access management techniques and other dynamic information protection technologies can
ensure information is protected even if the data is shared beyond the originating organization, where
traditional access controls cannot be applied.
They can be applied to documents, emails or other files containing information to limit who can access
the content and how to access it. They can be at a given level of granularity and can be adapted
throughout the information lifecycle.
Dynamic access management techniques do not replace traditional access management [e.g. the use of
access control lists (ACLs)], but they can add further factors for conditionality, real-time
evaluation, on-the-fly data reduction and other enhancements that can be useful for the most sensitive
information. They provide a way to control access outside the organization's environment.
Incident response can be supported by dynamic access management techniques, knowing that
permissions can be changed or revoked at any time.
Additional information on a framework for access management is available in ISO/IEC 29146.
8.4 Access to source code
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management #Application_Security #Secure_Configuration
Security domains: #Protection
Security measure
Read and write access to source code, development tools, and software libraries should be appropriately
managed.
Objective
Prevent the introduction of unauthorized functionality, prevent unintended or malicious modification, and
maintain the confidentiality of important intellectual property.
Recommendations
Access to source code and associated items (such as designs, specifications, verification plans and
validation plans) and development tools (e.g. compilers, builders, integration tools, test platforms
and environments) should be strictly controlled.
For source code, this can be achieved by controlling the central storage of the code, preferably in a
source code management system.
Read access and write access to source code can differ depending on personnel roles.
For example, read access to source code may be widely provided within the organization, but write
access to source code is only granted to privileged employees or designated owners. When components
of code are used by multiple developers within an organization, read access to a centralized code
repository should be implemented. Additionally, if components of open source code or third party code
are used in an organization, read access to these external code repositories can be widely provided.
However, write access should always be restricted.
Consideration should be given to the following guidelines for controlling access to program source code
libraries to reduce the possibility of tampering with computer programs:
a) manage access to program source code and program source libraries in accordance with established
procedures;
b) grant read and write access to source code based on business needs and manage it to address the
risks of alteration or misuse and in accordance with established procedures;
c) update source code and associated items and grant access to source code in accordance with change
control procedures (see 8.32), and grant access only after appropriate authorization has been
received;
d) not grant developers direct access to the source code repository, but through developer tools that
control activities and permissions on the source code;
e) keep program listings in a secure environment, where read and write access is appropriately
managed and allocated;
f) maintain an audit log of all accesses to and changes of source code.
If the source code of the program is intended for publication, additional security measures should be
considered to provide assurance of its integrity (eg electronic signature).
Additional Information
If access to source code is not properly controlled, the source code can be modified or some data in the
development environment (e.g. copies of production data, configuration details) can be retrieved by
unauthorized persons.
8.5 Secure authentication
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Identity_and_access_management
Security domains: #Protection
Security measure
Secure authentication technologies and procedures should be implemented based on information access
restrictions and topic-specific access control policy.
Objective
Ensure that a user or entity is securely authenticated when granted access to systems, applications and
services.
Recommendations
An appropriate authentication technique should be chosen to verify the claimed identity of a user, software,
messages and other entities.
The strength of authentication should be appropriate for the classification of the information to be accessed.
Where strong authentication and identity verification are required, authentication methods other than passwords
should be used, such as digital certificates, smart cards, tokens, or biometric means.
The authentication information should be accompanied by additional authentication factors to access critical
information systems (also referred to as "multi-factor authentication"). Using a combination of multiple
authentication factors, such as what you know, what you have, and what you are, reduces the possibility of
unauthorized access. Multi-factor authentication can be combined with other techniques to require additional
factors under specific circumstances, based on predefined rules and patterns, such as access from an unusual
location, from an unusual terminal or at an unusual hour.
Biometric credentials should be invalidated if ever compromised.
Biometric authentication may not be available depending on usage conditions (for example, humidity or aging).
To anticipate these problems, the biometric authentication should be accompanied by at least one alternative
authentication technique.
The procedure for logging into a system or application should be designed to minimize the risk of unauthorized
access. Log-on procedures and technologies should be implemented taking into consideration the
following:
a) not to display sensitive system or application information until the login process is successfully completed,
in order to avoid unnecessary assistance to an unauthorized user;
b) display a warning advising that access to the system, application or
service is restricted to authorized users only;
c) not provide help messages during the login procedure which could help an unauthorized user (for
example, if an error occurs, the system should not indicate which part of the data is correct or
incorrect);
d) validate the log-on information only once all input data has been entered;
e) protect against brute force login attempts on usernames and passwords (e.g. use CAPTCHA
[completely automated public Turing test to tell computers and humans apart], require password
reset after a predefined number of failed attempts or block the user after a maximum number of
errors);
f) record successful and failed attempts;
g) raise a security event when a successful or attempted breach of login controls is detected (e.g.
send an alert to the user and to the organization's system administrators when a certain number
of incorrect password attempts is reached);
h) display or send the following information on a separate channel at the end of a successful connection:
1) the date and time of the last successful connection;
2) information about failed login attempts since the last successful login;
i) not display a password in plain text while entering it; in some cases, it may be necessary to deactivate
this functionality in order to facilitate the user's connection (for example, for accessibility reasons or
to avoid blocking users due to repeated errors);
j) do not transmit passwords in the clear over a network to prevent them from being recovered
by a network listener;
k) close inactive sessions after a defined period of inactivity, especially in high-risk locations, such as
public or external areas that are outside the organization's security management perimeter, or on
end-user endpoints;
l) restrict connection times to provide additional security for high-risk applications and reduce the
possibility of unauthorized access.
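The log-on procedure above is easier to reason about as code. The following is an added illustration written for this edition, not text or code from the standard: a minimal password log-on handler that applies items c), d), e), f), g), h) and k) of the list. The threshold values (five failures to lock, three to alert, a 15-minute idle limit) are assumptions chosen for the example, not values the standard prescribes.

```python
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Policy values are assumptions for this example, not values from the standard.
MAX_FAILURES = 5             # e) lock the account after this many consecutive failures
ALERT_THRESHOLD = 3          # g) raise a security event once this many failures accumulate
SESSION_IDLE_SECONDS = 900   # k) close sessions idle longer than this
GENERIC_ERROR = "Invalid credentials"  # c) never reveal which part of the input was wrong

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("logon")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; passwords are never stored or logged in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0                    # consecutive failed attempts
    locked: bool = False
    last_success: Optional[float] = None
    failed_since_last: int = 0           # h) 2) failures since the last successful log-on


@dataclass
class Session:
    username: str
    last_activity: float
    notice: Dict[str, object] = field(default_factory=dict)  # h) shown after log-on


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


def security_event(message: str) -> None:
    # g) alerting hook (notify the user and administrators); here it only logs
    log.warning("SECURITY EVENT: %s", message)


def logon(accounts: Dict[str, Account], username: str, password: str,
          now: float) -> Tuple[Optional[Session], Optional[str]]:
    """Returns (session, error). Only the generic error text is ever returned."""
    acct = accounts.get(username)
    if acct is None:
        # d) still do the full password computation so an unknown username is
        # not distinguishable from a wrong password by response time
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        log.info("logon failed user=%s reason=unknown-user", username)        # f)
        return None, GENERIC_ERROR
    if acct.locked:
        log.info("logon failed user=%s reason=locked", username)              # f)
        return None, GENERIC_ERROR
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        acct.failed_since_last += 1
        log.info("logon failed user=%s failures=%d", username, acct.failures)  # f)
        if acct.failures == ALERT_THRESHOLD:
            security_event(f"{ALERT_THRESHOLD} failed log-ons for {username}")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True                                                 # e)
            security_event(f"account {username} locked after {MAX_FAILURES} failures")
        return None, GENERIC_ERROR
    # success: build the h) notice from the previous state, then reset counters
    notice = {"last_success": acct.last_success,
              "failed_since_last": acct.failed_since_last}
    acct.failures = 0
    acct.failed_since_last = 0
    acct.last_success = now
    log.info("logon ok user=%s", username)                                     # f)
    return Session(username, now, notice), None


def touch(session: Session, now: float) -> bool:
    """k) Refresh the session; returns False once it has been idle too long."""
    if now - session.last_activity > SESSION_IDLE_SECONDS:
        return False
    session.last_activity = now
    return True
```

The generic error and the dummy hash computation for unknown users together implement c) and d): neither the message nor the response time tells a caller whether the username or the password was the wrong part.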
Additional Information
Additional information on entity authentication assurance is available in ISO/IEC 29115.
8.6 Sizing
Type of security measure: #Preventive #Detective
Information security properties: #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Detect
Operational capabilities: #Continuity
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Resource usage should be monitored and adjusted based on current and projected scaling needs.
Objective
Ensure that the required capacity of information processing facilities, human resources, offices and other facilities is available.
Recommendations
The necessary sizing of information processing resources, human resources, offices and other facilities
should be identified, taking into account the level of business criticality of the systems and processes
concerned.
System optimization and monitoring should be applied to ensure and, if necessary, improve their
availability and efficiency.
The organization should stress test systems and services to ensure that systems are available with
sufficient sizing to meet performance requirements during peak usage.
Detection means should be in place to report problems in a timely manner.
Projections of future provisioning needs should take into account new business and system requirements,
and current and projected trends in the organization's information processing capabilities.
Special attention should be paid to resources for which lead times are long or costs are high. Therefore,
managers and owners of products or services should monitor the use of key system resources.
Managers should use capacity information to identify and avoid potential resource limitations and
dependence on key personnel, which may pose a threat to system security or services, and plan
the appropriate action.
Providing sufficient sizing can be achieved by increasing capacity or reducing demand. The following
should be considered to increase capacity:
a) hire new staff;
b) obtain new facilities or new spaces;
c) acquire more efficient processing, memory and storage systems;
d) use cloud computing, the inherent characteristics of which directly address sizing issues. Cloud
computing has the elasticity and flexibility that allows the rapid, on-demand scaling up and down of
available resources for specific applications and services.
Consideration should be given to the following to reduce the demand on the organization's resources:
a) deletion of obsolete data (disk space);
b) disposal of paper documents that have reached their shelf life (freeing up space
on the shelves);
c) decommissioning of applications, systems, databases or environments;
d) optimization of batch processes and schedules;
e) optimization of application codes or database queries;
f) denial or restriction of bandwidth for resource-intensive services, if not critical (e.g. video streaming).
Consideration should be given to a documented scaling management plan for critical systems.
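The recommendations above ask for detection means that report capacity problems in time and for projections that respect procurement lead times. As an added example for this edition (not code from the standard), the following fits a linear trend to constructed utilisation samples, projects when a threshold will be reached, and compares that with an assumed lead time for the resource. Sample values, the 85% threshold and the lead times are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    day: int          # days since the start of the observation window
    used_pct: float   # utilisation as a percentage of installed capacity


def linear_fit(samples: List[Sample]) -> Tuple[float, float]:
    """Least-squares trend used_pct = slope * day + intercept."""
    n = len(samples)
    mean_x = sum(s.day for s in samples) / n
    mean_y = sum(s.used_pct for s in samples) / n
    sxx = sum((s.day - mean_x) ** 2 for s in samples)
    sxy = sum((s.day - mean_x) * (s.used_pct - mean_y) for s in samples)
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x


def days_until_threshold(samples: List[Sample], threshold_pct: float) -> Optional[float]:
    """Days after the last sample until the trend reaches the threshold.
    Returns 0.0 if already reached and None if the trend is flat or falling."""
    slope, intercept = linear_fit(samples)
    last = samples[-1]
    if last.used_pct >= threshold_pct:
        return 0.0
    if slope <= 0:
        return None
    return max(0.0, (threshold_pct - intercept) / slope - last.day)


def assess(resource: str, samples: List[Sample], threshold_pct: float,
           lead_time_days: float) -> Dict[str, object]:
    """Compare projected exhaustion with the procurement lead time for the resource."""
    eta = days_until_threshold(samples, threshold_pct)
    if eta is None:
        status = "ok"          # no growth trend; keep monitoring
    elif eta == 0.0:
        status = "exhausted"   # threshold already exceeded: act immediately
    elif eta <= lead_time_days:
        status = "act"         # order capacity now, or reduce demand
    else:
        status = "plan"        # growth exists but is still outside the lead time
    return {"resource": resource, "eta_days": eta, "status": status,
            "lead_time_days": lead_time_days}


# Constructed sample series (ten daily readings each)
STORAGE_GROWING = [Sample(d, 60.0 + d) for d in range(10)]        # +1 point per day
STORAGE_SLOW = [Sample(d, 60.0 + 0.1 * d) for d in range(10)]     # +0.1 point per day
CPU_FLAT = [Sample(d, 40.0) for d in range(10)]
STORAGE_FULL = [Sample(d, 90.0) for d in range(10)]
```

A resource with a long lead time (new storage hardware, additional office space, recruitment) is flagged "act" well before it is actually exhausted, which is the point of projecting rather than only alarming on the current value.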
Additional Information
For more information on the elasticity and flexibility of cloud computing, see ISO/IEC TS 23167.
8.7 Malware protection
Type of security measure: #Preventive #Detective #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #System_and_network_security #Protection_of_information
Security domains: #Protection #Defense
Security measure
Malware protection should be implemented and reinforced by appropriate user awareness.
Objective
Ensure that information and other associated assets are protected against malware.
Recommendations
Malware protection should be based on malware detection and remediation software, information
security awareness, and appropriate systems access and change management. Using malware
detection and repair software alone is generally not sufficient. The following recommendations should
be considered:
a) implement rules and security measures that prevent or detect the use of unauthorized software (e.g.
application allowlisting (i.e. use of a list indicating authorized applications)) (see 8.19 and 8.32);
b) implement security measures that prevent or detect the use of known or suspected malicious websites
(e.g. blocklisting);
c) reduce vulnerabilities that can be exploited by malicious programs [for
example, through the management of technical vulnerabilities (see 8.8 and 8.19)];
d) regularly perform automatic validation of software and data content of systems, especially for systems
that manage critical business processes; investigate the presence of any unapproved files or
unauthorized modifications;
e) put in place safeguards against the risks associated with obtaining files and
software either from or via external networks, or on any other medium;
f) install and regularly update malware detection and repair software to scan computers and electronic
storage media. Conduct regular scans that include:
1) the analysis of any data received on the networks or via any form of electronic storage medium,
to ensure the absence of malicious program before use;
2) scanning e-mail and instant message attachments, and downloaded files for malware before use.
Perform this analysis in different places (eg on e-mail servers, desktop computers) and when
accessing the organization's network;
3) the analysis of web pages when accessing them to ensure the absence of malware;
g) determine the location and configuration of malware detection and repair tools based on the results
of the risk assessment and taking into consideration:
1) the principles of defense in depth, placing tools where they are most effective, e.g. detecting
malware at a network gateway (across application protocols such as email, file transfer and web)
as well as on user endpoints and servers;
2) attacker evasion techniques (e.g. use of encrypted files) to introduce malware or use of encryption
protocols to transmit malware;
h) ensure protection against the introduction of malware during maintenance and emergency
procedures, which may circumvent normal malware security measures;
i) implement a process for authorizing temporary or permanent disabling of some or all malware
protection measures, including exception approval authorities, documented justifications, and
review dates.
This may be necessary when malware protection causes disruption of normal operations;
j) Develop appropriate business continuity plans to enable recovery from malware attacks, including
backup of all important software and data (including online as well as offline backup) and recovery
measures (see 8.13);
k) isolate environments where serious consequences may occur;
l) define procedures and responsibilities for managing the protection of systems against malware,
including training in their use, reporting and recovery from malware attacks;
m) provide education or training (see 6.3) to all users on how to identify and possibly mitigate the
receipt, sending or installation of malware-infected emails, files or programs [the information
collected in n) and o) can be used to ensure that awareness and training are kept up to date];
n) implement procedures to regularly collect information about new malware, such as
subscribing to mailing lists or consulting relevant websites;
o) check that information about malware, such as alert bulletins, comes from recognized and reputable
sources (for example, reliable websites or malware detection software providers) and that it is
correct and informative.
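Items a) and i) of the list above, application allowlisting and a documented, time-bounded process for disabling a protection measure, can be combined in one policy object. The following is an added example for this edition, not code from the standard: execution is permitted only for binaries whose SHA-256 hash is on the allowlist, or on hosts with an unexpired exception that records its approver, justification and review date, and every decision is written to an audit record. Host names, the "binary" bytes, dates and the exception itself are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProtectionException:
    """i) a documented, approved and time-bounded exception to a protection measure."""
    scope: str             # which measure is relaxed, e.g. "allowlist"
    host: str
    approved_by: str
    justification: str
    review_date: datetime  # the exception lapses automatically at this date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    """a) execution is permitted only for binaries whose hash is on the allowlist,
    or on hosts with an unexpired, approved exception; every decision is logged."""

    def __init__(self, allowed_hashes: Set[str], exceptions: List[ProtectionException]):
        self.allowed = set(allowed_hashes)
        self.exceptions = list(exceptions)
        self.audit: List[Dict[str, str]] = []

    def active_exception(self, host: str, now: datetime) -> Optional[ProtectionException]:
        for ex in self.exceptions:
            if ex.scope == "allowlist" and ex.host == host and now < ex.review_date:
                return ex
        return None

    def decide(self, host: str, path: str, content: bytes, now: datetime) -> Tuple[str, str]:
        digest = sha256_hex(content)
        if digest in self.allowed:
            verdict, reason = "allow", "hash on allowlist"
        else:
            ex = self.active_exception(host, now)
            if ex is not None:
                verdict = "allow"
                reason = f"exception approved by {ex.approved_by}, review {ex.review_date.date()}"
            else:
                verdict, reason = "block", "hash not on allowlist"
        self.audit.append({"time": now.isoformat(), "host": host, "path": path,
                           "sha256": digest, "verdict": verdict, "reason": reason})
        return verdict, reason

    def expired_exceptions(self, now: datetime) -> List[ProtectionException]:
        """Exceptions past their review date, for the periodic review step in i)."""
        return [ex for ex in self.exceptions if now >= ex.review_date]


# Constructed demo data: the "binary" is a placeholder byte string, not real software.
APPROVED_BINARY = b"placeholder bytes of an approved build"
DEMO_ALLOWLIST = {sha256_hex(APPROVED_BINARY)}
DEMO_EXCEPTIONS = [ProtectionException(
    scope="allowlist", host="lab-07", approved_by="security-officer",
    justification="isolated analysis lab segment, constructed example",
    review_date=datetime(2024, 7, 1, tzinfo=timezone.utc))]
DEMO_BEFORE_REVIEW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEMO_AFTER_REVIEW = datetime(2024, 7, 2, tzinfo=timezone.utc)


def build_demo_policy() -> AllowlistPolicy:
    return AllowlistPolicy(DEMO_ALLOWLIST, DEMO_EXCEPTIONS)
```

Because an exception carries a review date and lapses on its own, forgetting to re-enable a disabled measure fails safe: once the date passes the host is back under the normal allowlist, and expired_exceptions() lists what the review meeting has to look at.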
Additional Information
It is not always possible to install malware protection software on some systems (eg some industrial
control systems). Some types of malware infect computer operating systems and their firmware, so
common anti-malware security measures cannot clean the system and a complete reinstallation of the
operating system and sometimes firmware is required to return to a secure state.
8.8 Managing technical vulnerabilities
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect
Operational capabilities: #Management_of_threats_and_vulnerabilities
Security domains: #Governance_and_Ecosystem #Protection #Defense
Security measure
It is necessary to obtain information on the technical vulnerabilities of the information systems used, to assess
the exposure of the organization to these vulnerabilities and to take the appropriate measures.
Objective
Prevent the exploitation of technical vulnerabilities.
Recommendations
Identification of technical vulnerabilities
The organization should have an accurate inventory of assets (see 5.9 to 5.14) as a prerequisite for effective
management of technical vulnerabilities; the inventory should include software vendors, software names,
version numbers, current usage status (e.g. what software is installed on what systems), and the person(s)
within the organization who are responsible for the software.
In order to identify technical vulnerabilities, the organization should consider:
a) define and establish roles and responsibilities associated with technical vulnerability management, including
vulnerability monitoring, vulnerability risk assessment, updates, asset tracking, and any necessary
coordination functions;
b) for software and other technologies (according to the list of the inventory of assets, see 5.9), determine the
information resources that will be used to identify important technical vulnerabilities and raise awareness
about these vulnerabilities. Update the list of information resources based on changes made in the inventory
or when other new or useful resources are identified;
c) require vendors of information systems (including their components) to provide vulnerability reporting,
processing, and disclosure, including applicable contract requirements (see 5.20);
d) use vulnerability analysis tools appropriate to the technologies used in order to identify vulnerabilities and
verify whether the application of patches aimed at resolving vulnerabilities has been effective;
e) conduct planned, documented and repeated penetration tests or vulnerability assessments performed by
competent and authorized persons to reinforce the identification of vulnerabilities. Take precautions as
these activities may lead to a compromise of system security;
f) monitor the use of libraries and external source codes from third parties to detect vulnerabilities. This should
be incorporated into secure coding (see 8.28).
The organization should put in place procedures and develop means for:
a) detect the existence of vulnerabilities in its products and services, including all external components used
therein;
b) receive vulnerability reports from internal or external sources.
The organization should provide a public point of contact under a topic-specific policy for publishing
vulnerabilities so that researchers and others can report issues. The organization should establish
vulnerability reporting procedures, online reporting forms, and leverage appropriate threat intelligence or
information sharing forums. The organization should also consider bug bounty programs where rewards
are offered as an incentive to help organizations identify vulnerabilities in order to address them
appropriately. The organization should also share information with relevant industry organizations or
other interested parties.
Assessment of technical vulnerabilities
To assess the identified technical vulnerabilities, the following considerations should be taken into
account:
a) analyze and verify the reports to determine which response and remediation activities are
necessary;
b) once a possible technical vulnerability has been identified, determine the associated risks and the
actions to be taken. These actions may include updating vulnerable systems or applying other
security measures.
Taking appropriate measures to respond to technical vulnerabilities
A software update management process should be implemented to ensure that the latest approved
patches and application updates are installed for all authorized software. If changes are necessary, the
original software should be retained and the changes applied to a designated copy. All changes should
be fully tested and documented so that they can be reapplied, if necessary, to future software updates.
If necessary, changes should be tested and validated by an independent evaluation body.
Consideration should be given to the following recommendations for responding to technical vulnerabilities:
a) take appropriate and prompt action in response to the identification of possible technical vulnerabilities;
define a response time to notifications of possible significant technical vulnerabilities;
b) depending on the degree of urgency with which the technical vulnerability needs to be addressed,
perform the action in accordance with security measures relating to change management (see 8.32)
or by following information security incident response procedures (see 5.26);
c) use updates only from authorized sources (which may be internal or
external to the organization);
d) test and evaluate updates before installing them to ensure that they are effective and do not cause
adverse effects that cannot be tolerated [i.e., if an update is available, assess the risks associated
with installing this update (the risks arising from the vulnerability should be compared to the risks
associated with installing the update)];
e) deal with high-risk systems first;
f) develop corrective action (usually software updates or patches);
g) perform tests to validate the effectiveness of the remediation or risk mitigation;
h) provide mechanisms to verify the authenticity of the correction;
i) if no update is available or the update cannot be installed, consider other security measures, such as:
1) the application of any solution offered by the software supplier or other sources
relevant;
2) termination of the services or functions affected by the vulnerability;
3) adapting or adding access controls (e.g. firewalls) to network boundaries
(see 8.20 to 8.22);
4) the protection of vulnerable systems, terminals or applications against attacks through the deployment
of suitable traffic filters (sometimes called "virtual patches");
5) increasing surveillance to detect actual attacks;
6) sensitization to vulnerabilities.
For purchased software, if vendors regularly release information about security updates to their software
and provide a means to install those updates automatically, the organization should decide whether or not
to use automatic updating.
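The three subsections above (identification from an asset inventory, assessment, and a prioritised response with verification of the fix) form one procedure. As an added example for this edition, not code from the standard, the following matches constructed vendor advisories against a constructed inventory that carries the fields the text asks for (vendor, product, version, owner, criticality), orders findings so that high-risk systems come first as item e) requires, attaches a response time per severity as item a) asks for, and re-runs the check after patching as item g) asks for. Vendor, product, host names, advisory identifiers and the response-time policy are all placeholders, and the version comparison assumes purely numeric dotted versions.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (assumption for this example)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    criticality: str   # business criticality of the system: high / medium / low
    owner: str         # person or team responsible for the software on this asset


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder ids, not real CVE numbers
    vendor: str
    product: str
    fixed_in: str      # first version that is no longer affected
    severity: str      # critical / high / medium / low


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    advisory_id: str
    severity: str
    criticality: str
    due_in_days: int   # response time from the assumed policy below


# Assumed response-time policy per advisory severity (days), as 8.8 a) asks for
RESPONSE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def assess_exposure(inventory: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Match advisories against the inventory; order so that e) high-risk systems come first."""
    findings = [Finding(a.host, a.owner, adv.advisory_id, adv.severity, a.criticality,
                        RESPONSE_DAYS[adv.severity])
                for a in inventory for adv in advisories if is_affected(a, adv)]
    findings.sort(key=lambda f: (CRITICALITY_RANK[f.criticality],
                                 SEVERITY_RANK[f.severity], f.host))
    return findings


def verify_remediation(asset_after_patch: Asset, adv: Advisory) -> bool:
    """g) re-run the check after patching: True when the asset is no longer affected."""
    return not is_affected(asset_after_patch, adv)


# Constructed inventory and advisories (vendor, products and ids are placeholders)
INVENTORY = [
    Asset("web-01", "ExampleVendor", "webd", "2.3.1", "high", "app team"),
    Asset("web-02", "ExampleVendor", "webd", "2.4.0", "low", "app team"),
    Asset("db-01", "ExampleVendor", "dbms", "9.1", "medium", "dba team"),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-0001", "ExampleVendor", "webd", "2.4.0", "high"),
    Advisory("ADV-PLACEHOLDER-0002", "ExampleVendor", "dbms", "9.2", "critical"),
]
```

Note the ordering: the critical advisory on the medium-criticality database is listed after the high advisory on the high-criticality web server, because the text puts the risk of the system before the severity of the individual vulnerability. An organization that wants the opposite ordering changes only the sort key.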
Other Considerations
An audit log should be kept of all steps taken when managing technical vulnerabilities.
The technical vulnerability management process should be regularly monitored and evaluated to ensure its
effectiveness and efficiency.
An effective technical vulnerability management process should be aligned with incident management
activities, to communicate data on vulnerabilities to the incident response function and provide technical
procedures to be performed in the event of an incident.
Where the organization uses a cloud service provided by a third-party cloud service provider, technical
vulnerability management of the cloud service provider's resources should be provided by the cloud service
provider. The cloud service provider's responsibilities for managing technical vulnerabilities should be
included in the cloud service agreement and the cloud service agreement should include processes for
reporting the cloud service provider's actions with respect to technical vulnerabilities (see 5.23). For some
cloud services, there are respective responsibilities for the cloud service provider and the cloud service
customer. For example, the cloud service customer is responsible for vulnerability management of its own
assets used for cloud services.
Additional Information
Managing technical vulnerabilities can be considered a sub-function of change management and as such
can benefit from change management processes and procedures (see 8.32).
It is possible that an update does not adequately address the issue and may produce unwanted effects.
Also, in some cases, it may be difficult to uninstall an update once it has been applied.
If it is not possible to test the updates adequately (for example, for cost reasons or due to lack of resources),
deferring the update may be considered in order to assess the associated risks, relying on the experience shared
by other users. Use of ISO/IEC 27031 may be helpful.
When software patches or updates are developed, the organization may consider providing an automated
update process whereby those updates are installed on affected systems or products without requiring
intervention by the customer or user. If an automated update process is provided, it may allow the customer
or user to choose an option to stop the automatic update or control when the update is installed.
When the software vendor provides an automated update process and updates can be installed on affected systems or products
without the need for intervention, it is up to the organization to decide whether or not to apply the automated process. One reason
not to opt for automated updating is to retain control over when the update is applied. For example, software used for a business
activity cannot be updated until the activity is complete.
A weakness of vulnerability scanning is that it may not fully take defense in depth into account: two countermeasures that are
always invoked in the same order may each have weaknesses that are masked by the strengths of the other. The composite
countermeasure is not vulnerable, whereas a vulnerability scanning solution may report both components as vulnerable. The
organization should therefore review and handle vulnerability reports with care.
Many organizations provide software, systems, products and services not only within the organization, but also to interested parties
such as customers, partners or other users. These software, systems, products and services may contain information security
vulnerabilities that affect the security of their users.
Organizations can post a fix and disclose information about vulnerabilities to users (usually through a public notice) and provide
appropriate information for software vulnerability database services.
For more information on managing technical vulnerabilities when using cloud computing, see the ISO/IEC 19086 series and ISO/
IEC 27017.
ISO/IEC 29147 provides detailed information on receiving vulnerability reports and issuing vulnerability bulletins. ISO/IEC 30111
provides detailed information on the handling and remediation of declared vulnerabilities.
8.9 Configuration management
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Secure_Configuration
Security domains: #Protection
Security measure
Configurations, including security, hardware, software, service and network configurations, should be defined, documented,
implemented, monitored and reviewed.
Objective
Ensure that hardware, software, services and networks are functioning properly with required security settings, and that the
configuration is not altered by unauthorized or incorrect changes.
Recommendations
General
The organization should define and implement processes and tools to enforce defined configurations (including security
configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for
operational systems throughout their lifetime.
Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration
changes.
Standard templates
Standard templates should be defined for the secure configuration of hardware, software, services and
networks:
a) using publicly available recommendations (e.g. predefined templates from vendors and independent
security organizations);
b) taking into account the level of protection required in order to determine a sufficient level of
security;
c) supporting the organization's information security policy, its topic-specific policies, standards and
other security requirements;
d) taking into consideration the feasibility and applicability of security configurations in the
organizational context.
Templates should be reviewed periodically and updated when new threats or vulnerabilities need to be
addressed, or when new versions of hardware or software are introduced.
The following should be considered when defining standard templates for the secure configuration of
hardware, software, services and networks:
a) minimize the number of identities with privileged or administrator-level access rights;
b) disable unnecessary, unused, or insecure identities;
c) disable or restrict unnecessary functions and services;
d) restrict access to powerful utility programs and adjustment of their parameters;
e) synchronize clocks;
f) change vendor default authentication information, such as default passwords, immediately after
installation and verify other important default security settings;
g) use timeout mechanisms that automatically disconnect computing devices after a predefined
period of inactivity;
h) check that licensing requirements are met (see 5.32).
Configuration Management
Defined configurations of hardware, software, services and networks should be recorded and a log of all
configuration changes should be maintained. These records should be kept securely. This can be achieved
in several ways, for example with configuration databases or configuration templates.
Changes to configurations should follow the change management process (see 8.32).
Configuration records may contain, if required:
a) updated information on the owner or point of contact associated with the asset;
b) the date of the last configuration change;
c) version of the configuration template;
d) the link with the configurations of other assets.
Configuration Monitoring
Configurations should be monitored with a full set of system management tools (for example, maintenance
utilities, remote assistance, business management tools, and backup and restore software) and reviewed
periodically to verify configuration settings, test password strength, and evaluate performed activities. The
currently applied configurations can be compared to the defined target models. Any deviation should be
addressed, either by automatic application of the defined target configuration, or by manual analysis of the
deviation followed by corrective actions.
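The Configuration Monitoring paragraph describes comparing applied configurations against the target template and handling deviations either by automatic re-application or by manual analysis. The following is an added example for this edition, not code from the standard: a constructed target template covering several items of the hardening list above (privileged accounts, unnecessary services, idle timeouts, clock synchronisation), a drift check against a current configuration, automatic enforcement for the keys the organization has decided may be re-applied without human review, and a change-log record of the kind the Configuration management subsection asks for. Setting names and values are placeholders, not a real product's configuration keys.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed target template for one system class (constructed for this example)
TARGET_TEMPLATE: Dict[str, Any] = {
    "ssh.permit_root_login": "no",          # a) limit privileged access paths
    "ssh.password_authentication": "no",
    "services.telnet": "disabled",          # c) unnecessary / insecure service
    "session.idle_timeout_seconds": 900,    # g) automatic disconnection
    "ntp.enabled": True,                    # e) clock synchronisation
    "admin.privileged_accounts": 3,         # a) upper bound, not an exact value
}
UPPER_BOUND_KEYS = {"admin.privileged_accounts"}
# Settings the tooling may re-apply automatically; the rest need manual analysis
AUTO_ENFORCE = {"services.telnet", "session.idle_timeout_seconds", "ntp.enabled"}


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: Any
    actual: Any
    action: str   # "auto_applied" or "manual_review"


def check_configuration(current: Dict[str, Any],
                        target: Dict[str, Any] = TARGET_TEMPLATE) -> List[Deviation]:
    """Compare the applied configuration with the target template."""
    deviations = []
    for key, expected in target.items():
        actual = current.get(key)
        if key in UPPER_BOUND_KEYS:
            compliant = isinstance(actual, int) and actual <= expected
        else:
            compliant = actual == expected
        if not compliant:
            action = "auto_applied" if key in AUTO_ENFORCE else "manual_review"
            deviations.append(Deviation(key, expected, actual, action))
    return deviations


def enforce(current: Dict[str, Any], deviations: List[Deviation]) -> Dict[str, Any]:
    """Re-apply target values for auto-enforceable deviations; returns the new configuration."""
    corrected = dict(current)
    for d in deviations:
        if d.action == "auto_applied":
            corrected[d.key] = d.expected
    return corrected


def change_log_entry(host: str, deviations: List[Deviation],
                     template_version: str) -> Dict[str, Any]:
    """Record of a configuration change: what was re-applied and what still awaits review."""
    return {"host": host, "template_version": template_version,
            "changes": [{"key": d.key, "from": d.actual, "to": d.expected}
                        for d in deviations if d.action == "auto_applied"],
            "pending_review": [d.key for d in deviations if d.action == "manual_review"]}
```

Keeping the set of automatically enforced keys explicit is the design point: a wrong automatic change to an account or remote-access setting can lock administrators out, so those deviations are reported for manual analysis while low-risk settings are simply reset.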
Additional Information
Systems documentation often contains hardware and software configuration details.
System hardening is a common part of configuration management.
Configuration management can be integrated with asset management processes and related tools.
Automation is generally more effective at managing security configuration (e.g. using "Infrastructure as
Code").
Configuration templates and targets may constitute confidential information which should be protected
accordingly against unauthorized access.
8.10 Deletion of information
Type of security measure: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Protection_of_information
Security domains: #Protection #Regulations_and_compliance
Security measure
Information stored in information systems, terminals or any other storage medium should be deleted when
it is no longer needed.
Objective
Prevent unnecessary exposure of sensitive information and comply with legal, statutory, regulatory and
contractual requirements for the removal of information.
Recommendations
General
Sensitive information should not be retained longer than necessary, in order to reduce the risk of unwanted
disclosure.
When deleting information from systems, applications and services, consideration should be given to the
following:
a) select a deletion method (e.g., electronic overwrite or cryptographic wipe) in accordance with business
requirements and taking into account relevant laws and regulations;
b) record the deletion results as evidence;
c) if using providers of information deletion services, obtain proof of the deletion of the information from
them.
Where third parties store the organization's information on behalf of the organization, the organization
should consider including information deletion requirements in agreements with third parties to apply
during and after termination of these services.
Deletion methods
In accordance with the organization's data retention topic-specific policy and taking into account relevant
legislation and regulations, sensitive information that is no longer required should be deleted by:
a) configuring systems to securely destroy information when it is no longer needed (for example, after a
period defined by the topic-specific data retention policy or following an access request);
b) deleting obsolete versions, copies and temporary files, regardless of their location;
c) using approved secure deletion software to permanently delete the information to help ensure that the
information cannot be recovered using specialized recovery tools or computer forensic tools;
(d) using approved and certified secure deletion service providers;
e) using disposal mechanisms appropriate to the type of storage media to be disposed of (e.g. degaussing
of hard drives and other magnetic storage media).
Where cloud services are used, the organization should check whether the deletion method provided by
the cloud service provider is acceptable and, if so, the organization should use it or ask the cloud
service provider to delete the information. Such deletion processes should be automated in accordance
with topic-specific policies, where available and applicable. Depending on the sensitivity of the deleted
information, logs may trace or verify that these deletion processes have taken place.
To prevent inadvertent exposure of sensitive information when equipment is returned to suppliers,
sensitive information should be protected by removing auxiliary storage media (e.g. hard drives) and
memory before the equipment leaves the organization's premises.
Since the secure deletion of information on certain endpoints (e.g. smartphones) can only be achieved
through destruction or by using the functions integrated into these endpoints (e.g. restoring factory
settings), the organization should choose the appropriate method according to the classification of the
information held by these endpoints.
The security measures described in 7.14 should be applied to physically destroy the storage medium
and at the same time delete the information it contains.
An official document attesting to the deletion of information is useful when analyzing the cause of a
possible information leak event.
Additional Information
Information on deleting user data in cloud services is available in ISO/IEC 27017.
Information on PII deletion is available in ISO/IEC 27555.
8.11 Data masking
Type of security measure: #Preventive
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect
Operational capabilities: #Protection_of_information
Security domains: #Protection
Security measure
Data masking should be used in accordance with the organization's access control topic-specific policy
and other related topic-specific policies, as well as business requirements, while taking into account the
applicable legislation.
Objective
Limit the exposure of sensitive data, including personal data, and comply with legal, statutory, regulatory
and contractual requirements.
Recommendations
Where the protection of sensitive data (e.g. personal data) is a concern, the organization should consider
concealing that data using techniques such as data masking, pseudonymization or anonymization.
Pseudonymization or anonymization techniques can conceal personal data, disguise the true identity of
data subjects or other sensitive information, and break the link between personal data and the identity of
the data subject, or the link between other items of sensitive information.
When using pseudonymization or anonymization techniques, it should be verified that the data has been
appropriately pseudonymized or anonymized. To be effective, data anonymization should consider all
elements of sensitive information. For example, if not all elements of sensitive information are handled
correctly, a person can still be identified even though the data that identifies this person directly has
been anonymized, because other data remains that makes it possible to identify the person indirectly.
Other data masking techniques are:
a) encryption (requiring authorized users to have a key);
b) nulling or deleting characters (to prevent unauthorized users from viewing entire messages);
c) modification of numbers and dates;
d) substitution (replacing one value with another to hide sensitive data);
e) replacement of values by their hash.
The following should be considered when implementing data masking techniques:
a) not granting all users access to all data; therefore, designing queries and masks to display only the
minimum data required by the user;
b) there are cases where some data should not be visible to the user for some records within a data set;
in this case, design and implement a data obfuscation mechanism (for example, if a patient does not
want hospital staff to be able to access all of their data, even in an emergency, then the hospital staff
sees partially obfuscated data, and the data can only be consulted by staff with specific roles if it
contains information useful for determining the appropriate treatment);
c) when data is obfuscated, give the data subject the possibility to require that users cannot tell that the
data is obfuscated (obfuscation of the obfuscation; this is used in healthcare facilities, for example, if
the patient does not want staff to see that sensitive data, such as pregnancies or blood test results,
has been obfuscated);
d) any legal or regulatory requirements (for example, requiring the masking of payment card information
during processing or storage).
The following should be considered when using data masking, pseudonymization or anonymization:
a) the level of resistance of the data masking, pseudonymization or anonymization, according to the use
made of the processed data;
b) access controls to the processed data;
c) agreements or restrictions related to the use of the processed data;
d) prohibition of combining the processed data with other information for the purpose of identifying the
data subject;
e) keeping track of the provision and receipt of processed data.
Additional Information
Anonymisation modifies personal data irreversibly, so that the data subject can no longer be identified,
directly or indirectly.
Pseudonymization replaces identifying information with an alias. Knowledge of the algorithm (sometimes
called "additional information") used to perform the pseudonymization allows at least some form of
identification of the data subject. This "additional information" should therefore be kept separate and
protected. While pseudonymization is thus less robust than anonymization, pseudonymized datasets can
be more useful in statistical research.
Data masking is a set of techniques for concealing, substituting or obfuscating sensitive data elements.
Data masking can be static (when data items are masked in the originating database), dynamic (using
automation and rules to secure data in real time), or on the fly (with masked data in the application's
memory).
Hash functions can be used to anonymize PII. To prevent enumeration attacks, they should always be
combined with a salting function.
PII in resource identifiers and their attributes [e.g. file names and Uniform Resource Locators (URLs)]
should be avoided or appropriately anonymized.
Additional security measures for protecting PII in public clouds are available in ISO/IEC 27018.
Additional information on de-identification techniques is available in ISO/IEC 20889.
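As an added illustration of the masking techniques listed in this control and of the salting point above (this is not code from the standard; the record contents are constructed, and the HMAC key and date offset are assumed to be generated and stored separately from the data), the following Python applies one technique per field and runs a resistance check showing why an unsalted hash of a low-entropy field is enumerable while a keyed hash is not:

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed sample records about fictitious people (not real data).
RECORDS = [
    {"name": "Alice Example", "pan": "4111111111111111",
     "postcode": "10115", "dob": "1984-03-07"},
    {"name": "Bob Example", "pan": "5500000000000004",
     "postcode": "20095", "dob": "1990-11-21"},
]


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Technique b), character nulling: only the last digits stay visible."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def shift_date(iso_date: str, offset_days: int) -> str:
    """Technique c), date modification: a per-dataset offset keeps intervals
    between records usable for statistics while hiding the real dates."""
    return (date.fromisoformat(iso_date) + timedelta(days=offset_days)).isoformat()


def unsalted_hash(value: str) -> str:
    """Plain SHA-256: deterministic, but enumerable when the input space is small."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """Technique e) with a secret key acting as the salt (HMAC-SHA256). The key is
    the 'additional information' of the control and is stored apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes, date_offset: int) -> dict:
    """One masking technique per field. The same name always maps to the same
    subject_id, so the pseudonymized set stays linkable for research use."""
    return {
        "subject_id": keyed_hash(record["name"], key)[:16],
        "pan": mask_pan(record["pan"]),
        "postcode": keyed_hash(record["postcode"], key)[:16],
        "dob": shift_date(record["dob"], date_offset),
    }


def recover_by_enumeration(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Resistance check (the 'level of resistance' item): try to recover a hashed
    field by hashing every plausible input without the key. Returns the
    recovered value, or None when the whole candidate space fails."""
    for candidate in candidates:
        if unsalted_hash(candidate)[: len(target)] == target:
            return candidate
    return None


def all_postcodes() -> Iterable[str]:
    """Every 5-digit postcode: only 100 000 values, so cheap to exhaust."""
    return (f"{n:05d}" for n in range(100_000))


def demo() -> dict:
    key = secrets.token_bytes(32)          # generated once, stored separately
    date_offset = secrets.randbelow(365) + 1
    masked = [pseudonymize_record(r, key, date_offset) for r in RECORDS]
    # Same input, two hashing choices: the unsalted postcode hash is recovered
    # by enumeration, the keyed one is not.
    plain = unsalted_hash(RECORDS[0]["postcode"])[:16]
    return {
        "masked": masked,
        "unsalted_recovered": recover_by_enumeration(plain, all_postcodes()),
        "keyed_recovered": recover_by_enumeration(masked[0]["postcode"], all_postcodes()),
    }


if __name__ == "__main__":
    for row in demo()["masked"]:
        print(row)
```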
8.12 Data Leakage Prevention
Type of security measure: #Preventive #Detective
Information security properties: #Confidentiality
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #Protection_of_information
Security domains: #Protection #Defense
Security measure
Data leakage prevention measures should be applied to systems, networks and all other endpoints that
process, store or transmit sensitive information.
Objective
Detect and prevent unauthorized disclosure and extraction of information by people or systems.
Recommendations
The organization should consider the following to reduce the risk of data leakage:
a) identify and classify the information to be protected against leakage (for example, personal
information, pricing models and product designs);
b) monitor data leakage channels (e.g. email, file transfers, mobile devices and portable storage media);
c) act to prevent information leakage (for example, quarantining emails containing sensitive information).
Data leakage prevention tools should be used to:
a) identify and monitor sensitive information at risk of unauthorized disclosure (e.g. in unstructured data
on a user's system);
b) detect the disclosure of sensitive information (for example, when information is uploaded to untrusted
third-party cloud services or sent by email);
c) block user actions or network transmissions that expose sensitive information (for example, preventing
the copying of database entries into a spreadsheet).
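An added example, not from the standard, of how the identify, monitor and act steps above can be expressed as detection logic over outbound events: information is recognized by classification label or by a payment-card pattern with a Luhn check, the channel decides whether the data leaves the organization's control, and the action is allow, quarantine (email) or block (upload, portable media). The organization domain, the approved service list and the sample events are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed organization settings (placeholders, not from the standard).
ORG_DOMAIN = "example.org"                 # internal mail domain
APPROVED_SERVICES = {"files.example.org"}  # services under the organization's control
CLASSIFICATION_LABELS = ("[CONFIDENTIAL]", "[RESTRICTED]")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class OutboundEvent:
    channel: str      # "email", "upload" or "usb"
    destination: str  # recipient domain, service host or device id
    content: str


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs of card length that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> List[str]:
    """Step a): identify protected information, by label or by content pattern."""
    reasons = [f"label:{lbl}" for lbl in CLASSIFICATION_LABELS if lbl in text]
    if find_card_numbers(text):
        reasons.append("pattern:payment_card")
    return reasons


def leaves_organization(event: OutboundEvent) -> bool:
    """Step b): is this channel/destination outside the organization's control?"""
    if event.channel == "email":
        return event.destination.lower() != ORG_DOMAIN
    if event.channel == "upload":
        return event.destination.lower() not in APPROVED_SERVICES
    return True  # portable storage media always leave the organization's control


def decide(event: OutboundEvent) -> Tuple[str, List[str]]:
    """Step c): allow, log, quarantine (email) or block (upload, portable media)."""
    reasons = classify(event.content)
    if not reasons:
        return "allow", []
    if not leaves_organization(event):
        return "allow_logged", reasons
    if event.channel == "email":
        return "quarantine", reasons
    return "block", reasons


# Constructed outbound events (fictitious content, well-known test card numbers).
SAMPLE_EVENTS = [
    OutboundEvent("email", "example.org", "Q3 [CONFIDENTIAL] pricing model attached"),
    OutboundEvent("email", "partner-mail.test", "Refund card 4111 1111 1111 1111 please"),
    OutboundEvent("upload", "files.example.org", "[RESTRICTED] product design v7"),
    OutboundEvent("upload", "share.untrusted-cloud.test", "[RESTRICTED] product design v7"),
    OutboundEvent("usb", "usb-disk-07", "Holiday photos"),
    OutboundEvent("usb", "usb-disk-07", "Order 12345 card 5500-0000-0000-0004"),
]


def run(events: List[OutboundEvent]) -> List[Tuple[str, str, str]]:
    """Return (channel, destination, decision) per event, for the audit trail."""
    return [(e.channel, e.destination, decide(e)[0]) for e in events]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```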
The organization should determine whether it is necessary to limit a user's ability to copy and paste or
upload data to services, devices and storage media outside the organization. If so, the organization
should implement solutions such as data leakage prevention tools, or configure existing tools to allow
users to view and manipulate data held remotely but prevent them from copying and pasting it outside
the organization's control.
If data export is required, the data owner should have the ability to approve the export and hold users
accountable for their actions.
Screenshots or photographs of the screen should be addressed in terms and conditions of use, training and auditing.
When data is backed up, care should be taken to ensure that sensitive information is protected using
measures such as encryption, access control and physical protection of the storage media containing
the backup.
Data leakage prevention should also be considered to protect against intelligence actions by an adversary
seeking to obtain confidential or secret information (geopolitical, human, financial, commercial, scientific
or other) that may be of interest for espionage purposes or may be critical to the community. Actions to
prevent data leakage should be directed so as to confuse the adversary in their decisions, for example by
replacing genuine information with false information, either as an independent action or in response to the
adversary's intelligence actions. Examples of such actions are reverse social engineering or the use of
honeypots to lure attackers.
Additional Information
Data leakage prevention tools are designed to identify data, monitor data usage and movement, and take
action to prevent data leakage (for example, alerting users to risky behaviour and blocking data transfers
to portable storage media).
Preventing data leakage inherently involves monitoring the online communications and activities of staff
and, by extension, the messages of external parties, which raises legal issues that need to be considered
before data leakage prevention tools are used. There are several privacy, data protection, employment,
data interception and telecommunications laws that apply to monitoring and data processing in the
context of data leakage prevention.
Data leakage prevention can be ensured by standard security measures, such as topic-specific policies
for access control and secure document management (see 5.12 and 5.15).
8.13 Backing up information
Type of security measure: #Corrective
Information security properties: #Integrity #Availability
Cybersecurity concepts: #Recover
Operational capabilities: #Continuity
Security domains: #Protection
Security measure
Back-up copies of information, software and systems should be kept and tested regularly according to
the agreed backup topic-specific policy.
Objective
Enable recovery in the event of loss of data or systems.
Recommendations
A backup topic-specific policy should be defined to meet the organization's requirements in terms of data
retention and information security.
Adequate backup facilities should be provided to ensure that all essential software and information can
be recovered following an incident, failure or loss of storage media.
Plans should be developed and implemented indicating how the organization will back up information,
software and systems, to meet the backup topic-specific policy.
When designing a backup plan, consideration should be given to the following elements:
a) producing accurate and complete records of backup copies and documented restoration procedures;
b) integrating the business requirements of the organization (e.g. recovery point objective, see 5.30), the
security requirements of the information concerned and the criticality of the information for the
continued operation of the organization into the scope of backups (e.g. full or differential backup) and
the frequency of backups;
c) keeping the backups in a safe and secure remote location, at a sufficient distance to escape any
damage resulting from a disaster at the main site;
d) providing the backed-up information with an appropriate level of physical and environmental protection
(see Clause 7 and 8.1) consistent with the standards applied at the main site;
e) regularly testing backup media to ensure that they can be relied upon in an emergency. Test the
ability to restore backed-up data onto a test system, without overwriting the original storage media, in
case the backup or restore process fails and causes irreparable damage or data loss;
f) protecting the backups by means of encryption according to the identified risks (for example, in situations
where confidentiality is important);
g) taking care to ensure that inadvertent data loss is detected before the backup is completed.
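An added example (not from the standard) of items a), e) and g) above: a backup run that records a hashed manifest of every file, a restore test that writes into a scratch location rather than over the originals and compares against the manifest, and a refusal to complete the next run when files recorded by the previous backup have disappeared from the source. The directory layout and file contents are constructed in a temporary folder.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Item a): an accurate record of every file (path relative to root -> SHA-256)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_loss(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Item g): files recorded by the last backup that no longer exist at the
    source. Such loss must be investigated before this run completes, or the
    backup rotation will quietly discard the only remaining copy."""
    return sorted(set(previous) - set(current))


def backup(source: Path, dest: Path,
           previous: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Copy source to dest and return the manifest. Refuses to complete when
    files have vanished since the previous manifest."""
    current = build_manifest(source)
    lost = detect_loss(previous or {}, current)
    if lost:
        raise RuntimeError(f"refusing to complete backup, files missing at source: {lost}")
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    # The manifest is stored beside the copy, not inside it.
    (dest.parent / (dest.name + ".manifest.json")).write_text(json.dumps(current, indent=1))
    return current


def verify_restore(backup_dir: Path, manifest: Dict[str, str], scratch: Path) -> List[str]:
    """Item e): restore into a scratch location, never over the originals, and
    compare each restored file with the manifest. Returns the mismatching paths."""
    restore_dir = scratch / "restore-test"
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(backup_dir, restore_dir)
    restored = build_manifest(restore_dir)
    return sorted(name for name, digest in manifest.items() if restored.get(name) != digest)


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,constructed\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        dest = base / "backup"
        manifest = backup(source, dest)
        first_verify = verify_restore(dest, manifest, base / "scratch")

        # Simulate corruption of the backup media and re-test the restore.
        (dest / "config.ini").write_text("[app]\nmode=corrupt\n")
        after_corruption = verify_restore(dest, manifest, base / "scratch")

        # Simulate inadvertent loss at the source before the next scheduled run.
        (source / "db" / "customers.csv").unlink()
        try:
            backup(source, base / "backup2", previous=manifest)
            loss_detected = False
        except RuntimeError:
            loss_detected = True
        return {"files": sorted(manifest), "first_verify": first_verify,
                "after_corruption": after_corruption, "loss_detected": loss_detected}


if __name__ == "__main__":
    print(demo())
```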
Operational procedures should monitor the execution of backups and address failures of scheduled
backups to ensure backup completeness in accordance with the backup topic-specific policy.
Backup measures for individual systems and services should be tested regularly to ensure that they
meet the objectives of incident response and business continuity plans (see 5.30). This should be
combined with a test of the recovery procedures checked against the recovery time required by the
business continuity plan.
In the case of critical systems and services, the backup measures should cover all system information,
applications and data necessary to recover the complete system in the event of a disaster.
When the organization uses a cloud service, backup copies of the organization's information, applications
and systems in the cloud service environment should be made. The organization should determine
whether and how backup requirements are met when using the information backup service provided as
part of the cloud service.
The retention period for critical business information should be determined, taking into account any
requirements for retaining archival copies. The organization should consider deleting information (see
8.10) from storage media used for backup once the information retention period expires, taking into
account legislation and regulations.
Additional Information
For additional information on storage security, including the preservation aspect, see ISO/IEC 27040.
8.14 Redundancy of information processing resources
Type of security measure: #Preventive
Information security properties: #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Continuity #Asset_management
Security domains: #Protection #Resilience
Security measure
The means of processing information should be implemented with sufficient redundancy to meet
availability requirements.
Objective
Ensure the continuous operation of information processing resources.
Recommendations
The organization should identify requirements for the availability of business services and information
systems. The organization should design and implement a systems architecture with appropriate
redundancy to meet these requirements.
Redundancy can be provided by duplicating the information processing means in part or in whole (i.e.
spare components or duplicating everything). The organization should plan and implement procedures
for activating redundant components and processing means. Procedures should establish whether
redundant processing components and activities are always activated or, in an emergency, whether they
are activated automatically or manually. Redundant components and information processing means
should provide the same level of security as the primary components and processing means.
Mechanisms should be in place to alert the organization to any failure of the information processing
means, to enable the planned procedure to be carried out and to ensure continued availability during
the repair or replacement of the information processing means.
The organization should consider the following when implementing redundant systems:
a) contracting with two or more providers of critical information processing networks and means, such as
Internet service providers;
b) using redundant networks;
c) using two geographically separated data centres with mirrored systems;
d) using physically redundant power sources;
e) using several parallel instances of software components, with automatic load balancing between
them (between instances in the same data centre or in several data centres);
f) having duplicate components in systems (e.g. CPUs, hard drives, memory) or in networks (e.g.
firewalls, routers, switches).
Where possible, and preferably in operational mode, redundant information systems should be tested to
ensure that failover from one component to another component works as intended.
Additional Information
There is a close relationship between redundancy and ICT readiness for business continuity (see 5.30),
particularly if short recovery times are required. Several redundancy measures can be part of business
continuity strategies and solutions.
The implementation of redundancies can introduce risks impacting integrity (for example, data copying
processes on duplicate components can introduce errors) or confidentiality (for example, a weak security
measure for duplicate components can lead to compromise) of information and information systems, which
must be taken into consideration when designing information systems.
The redundancy of information processing means does not generally address the unavailability of
applications caused by faults within the application itself.
With the use of public cloud computing, it is possible to have multiple real-time versions of information
processing assets residing in multiple separate physical locations with automatic failover and load
balancing between them.
Some technologies and techniques for redundancy and automatic failover in the context of cloud services
are covered in ISO/IEC TS 23167.
8.15 Logging
Type of security measure: #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Detect
Operational capabilities: #Information_security_event_management
Security domains: #Protection #Defense
Security measure
Logs that record activities, exceptions, failures and other relevant events should be generated, maintained,
protected and analyzed.
Objective
Log events, generate evidence, ensure the integrity of logging information, prevent unauthorized access,
identify information security events that may lead to an information security incident and assist investigations.
Recommendations
General
The organization should determine the purpose for which logs are created, what data is collected and
logged, and any log-specific requirements for protecting and handling log data. This should be documented
in a policy specific to the topic of logging.
Event logs should include, for each event, where possible:
a) user identifiers;
b) system activities;
c) dates, times and details of relevant events (e.g. log-on and log-off);
d) device identity, system identifier and location;
e) network addresses and protocols.
Consideration should be given to events for logging:
a) successful and failed attempts to access the system;
b) attempts to access data and other resources, both successful and unsuccessful;
c) changes to system configuration;
d) the use of privileges;
e) the use of utility programs and applications;
f) files accessed and type of access, including deletion of important data files;
g) alarms triggered by the access control system;
h) the activation and deactivation of security systems, such as anti-virus systems and
intrusion detection systems;
i) the creation, modification or deletion of identities;
j) operations performed by users in the applications. In some cases, applications are a service or product
provided or performed by a third party.
It is important for all systems to have synchronized time sources (see 8.17), as this allows correlation of
logs between systems for analysis, alerting and investigation of an incident.
Protecting Logs
Users, including those with privileged access rights, should not have permission to delete or disable logs
of their own activities. They may be able to manipulate the logs on the information processing means that
they directly control. It is therefore necessary to protect and analyse the logs in order to ensure the
accountability of privileged users.
Security measures should be aimed at protecting the logging medium against unauthorized changes to
information and operational problems, which include:
a) alteration of the types of messages that are recorded;
b) log files that have been edited or deleted;
c) failure to record events or overwriting of events already recorded in the event of
overflow of the storage medium containing the log file.
For log protection, consideration should be given to using the following techniques: cryptographic
hashing, saving to an append-only and read-only file, saving to a public transparency file.
It may be necessary to archive some audit logs due to data retention requirements or evidence collection
and retention requirements (see 5.28).
When the organization needs to send system or application logs to a vendor to help with debugging or
troubleshooting, the logs should be de-identified before they are sent, where possible using data masking
techniques (see 8.11) for information such as usernames, Internet Protocol (IP) addresses, hostnames or
the organization's name.
Event logs may contain sensitive data and personal data. Appropriate privacy safeguards (see 5.34)
should be taken.
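An added example, not from the standard, of two of the protection techniques above: a hash-chained, append-only log whose verifier reports edited, removed or truncated entries (the three operational problems listed), and de-identification of usernames, IP addresses and hostnames before a log is exported to a vendor. The events, names and the remote "anchor" store holding the last hash are constructed assumptions.

```python
import copy
import hashlib
import json
import re
from typing import Dict, List, Optional

GENESIS = "0" * 64


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash of the previous entry's hash plus this record, canonically encoded."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    """Append-only write: every entry commits to the one before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict], anchor: Optional[Dict] = None) -> Optional[str]:
    """Return None if the chain is intact, otherwise the first problem found.
    `anchor` is {"seq": n, "hash": h} of the last entry as kept on a separate
    system (assumed remote, append-only store); without it, removal of the
    newest entries cannot be told apart from a legitimately shorter log."""
    prev = GENESIS
    for position, entry in enumerate(chain):
        if entry["seq"] != position:
            return f"entry missing or reordered at position {position}"
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return f"entry {position} was modified"
        prev = entry["hash"]
    if anchor is not None:
        if not chain or chain[-1]["seq"] != anchor["seq"] or prev != anchor["hash"]:
            return "log truncated: tail does not match the remote anchor"
    return None


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def deidentify(record: Dict, usernames: List[str], hostnames: List[str]) -> Dict:
    """De-identify a log entry before sending it to a vendor (data masking, 8.11):
    IP addresses, usernames and hostnames are replaced by placeholders."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            value = IPV4_RE.sub("<ip>", value)
            for name in usernames:
                value = value.replace(name, "<user>")
            for host in hostnames:
                value = value.replace(host, "<host>")
        out[key] = value
    return out


# Constructed events (fictitious users, hosts and addresses).
SAMPLE_EVENTS = [
    {"ts": "2022-02-10T08:00:01Z", "user": "jdoe", "event": "logon",
     "src": "10.1.2.3", "host": "app01.example.org", "result": "success"},
    {"ts": "2022-02-10T08:05:42Z", "user": "jdoe", "event": "privilege_use",
     "src": "10.1.2.3", "host": "app01.example.org", "detail": "sudo on app01.example.org"},
    {"ts": "2022-02-10T08:07:10Z", "user": "admin", "event": "config_change",
     "src": "10.1.9.9", "host": "app01.example.org", "detail": "audit policy edited"},
]


def demo() -> Dict[str, Optional[str]]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    anchor = {"seq": chain[-1]["seq"], "hash": chain[-1]["hash"]}

    edited = copy.deepcopy(chain)            # a privileged user rewrites their own entry
    edited[1]["record"]["event"] = "logoff"
    deleted = copy.deepcopy(chain)           # a middle entry is removed
    del deleted[1]
    truncated = copy.deepcopy(chain)[:-1]    # the newest entry is removed

    return {
        "intact": verify(chain, anchor),
        "edited": verify(edited, anchor),
        "deleted": verify(deleted, anchor),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, anchor),
    }


if __name__ == "__main__":
    print(demo())
    print(deidentify(SAMPLE_EVENTS[0], ["jdoe"], ["app01.example.org"]))
```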
Log Analysis
Log analysis should include the analysis and interpretation of information security events to enable the
identification of abnormal activity or behavior, which may represent indicators of compromise.
The analysis of events should be carried out taking into account:
a) the necessary skills of the experts carrying out the analysis;
b) determining the log analysis procedure;
c) the attributes required for each security event;
d) exceptions identified through the use of predefined rules (e.g. SIEM or firewall rules and IDS or
malware signatures);
e) patterns of known behaviour and standard network traffic compared with abnormal behaviour and
activity (User and Entity Behaviour Analytics [UEBA]);
f) results of trend or pattern analysis (for example, the result of using data analytics, big data techniques
and specialized analysis tools);
g) available threat intelligence.
Log analysis should be supported by specific monitoring activities to facilitate the identification and
analysis of abnormal behaviors, which include:
a) analysis of successful and failed attempts to access protected resources (e.g. domain name system
[DNS] servers, web portals and file shares);
b) reviewing DNS logs to identify outgoing network connections to malicious servers, such as those
associated with botnet command and control servers;
c) analysis of usage reports issued by service providers (e.g. invoices or service reports) to detect
abnormal activity within systems and networks (e.g. by analysing activity patterns);
d) consideration of physical surveillance event logs, such as entries and exits, to ensure more accurate
incident detection and analysis;
e) correlation of logs to enable efficient and highly accurate analyses.
Known and suspected information security incidents (such as malware infection or firewall probing)
should be identified and investigated further (e.g. as part of an information security incident management
process; see 5.25).
Additional Information
System logs often contain a significant amount of information, most of which is not relevant to information
security monitoring. To facilitate the identification of significant events for information security monitoring
purposes, the use of utility programs or appropriate auditing tools that allow file interrogation may be
considered.
Event logging forms the basis of automated monitoring systems (see 8.16), which are capable of
generating consolidated reports and system security alerts.
A SIEM tool or equivalent service can be used to store, correlate, normalize and analyse log information
and to generate alerts. SIEMs tend to require careful configuration to optimize their results. Configurations
to consider include identifying and selecting appropriate log sources, tuning and testing rules, and defining
use cases.
Public transparency files for recording logs are used, for example, in certificate transparency systems.
These files can provide an additional detection mechanism that is useful to protect against log corruption.
In cloud environments, log management responsibilities may be shared between the cloud service
customer and the cloud service provider. Responsibilities vary depending on the type of cloud service
used. Additional recommendations are available in ISO/IEC 27017.
8.16 Monitoring Activities
Type of security measure: #Detective #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Detect #Respond
Operational capabilities: #Information_security_event_management
Security domains: #Defense
Security measure
Networks, systems and applications should be monitored for abnormal behavior and appropriate
measures should be taken to assess possible information security incidents.
Objective
Detect abnormal behavior and possible information security incidents.
Recommendations
The scope and level of monitoring should be determined in accordance with business and information
security requirements and taking into account relevant laws and regulations. Monitoring records should
be retained for defined retention periods.
Consideration should be given to including the following in the monitoring system:
a) traffic entering and leaving networks, systems and applications;
b) access to systems, servers, network equipment, the monitoring system, critical applications, etc.;
c) critical or administrator-level system and network configuration files;
d) logs generated by security tools [e.g. antivirus, IDS, intrusion prevention system (IPS), web filters,
firewalls, data leakage prevention];
e) event logs relating to system or network activities;
f) checking that the running code is authorized to run in the system and that it has not been altered (for
example, by a recompilation adding unwanted code);
g) resource usage (e.g. CPU, hard drives, memory, bandwidth) and their performance.
The organization should establish a baseline of normal behavior and monitor for abnormalities against
this baseline. When establishing a baseline, consideration should be given to the following:
a) analysis of system usage during normal and peak periods;
b) the usual access time, access location and access frequency for each user or group of users.
The monitoring system should be configured against the established baseline to identify abnormal
behaviours, such as:
a) unexpected termination of processes or applications;
b) activity commonly associated with malware, or traffic originating from known malicious IP addresses or
network domains (e.g. those associated with botnet command and control servers);
c) characteristics of known attacks (e.g. denial of service and buffer overflows);
d) unusual system behaviour (e.g. keystroke logging, process injection and deviations from the use of
standard protocols);
e) bottlenecks and overloads (e.g. network queues, latency levels and network jitter);
f) unauthorized access (actual or attempted) to systems or information;
g) unauthorized scanning of business applications, systems and networks;
h) successful or unsuccessful attempts to access protected resources (e.g. DNS servers, web portals
and file systems);
i) unusual user and system behaviour compared with expected behaviour.
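An added example, not from the standard, of the baseline approach described above: per-user usual hours, locations and daily access frequency are derived from a constructed access history, and a day's events are scored against that baseline so that an off-hours access from an unseen location and a burst of accesses well above the user's norm are flagged (item i), unusual user behaviour). The users, sites, timestamps, tolerance and burst factor are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Access:
    user: str
    ts: str        # ISO 8601 local time, e.g. "2022-02-07T09:15:00"
    location: str  # site code reported by the access gateway


@dataclass
class Baseline:
    hours: Set[int]      # hours of the day seen in the history
    locations: Set[str]  # locations seen in the history
    per_day: float       # average accesses per active day


# Constructed three-day history for two fictitious users.
HISTORY: List[Access] = [
    Access("alice", f"2022-02-{d:02d}T{h:02d}:15:00", "HQ")
    for d in (7, 8, 9) for h in (9, 11, 14, 17)
] + [
    Access("bob", f"2022-02-{d:02d}T{h:02d}:40:00", loc)
    for d, loc in ((7, "HQ"), (8, "HQ"), (9, "BRANCH-FR")) for h in (8, 10, 13)
]

# Constructed events for the monitored day.
NEW_EVENTS: List[Access] = [
    Access("alice", "2022-02-10T10:05:00", "HQ"),          # normal
    Access("alice", "2022-02-10T03:12:00", "XX-UNKNOWN"),  # odd hour, unseen site
    Access("bob", "2022-02-10T09:00:00", "HQ"),            # normal
] + [Access("bob", f"2022-02-10T10:{m:02d}:00", "HQ") for m in range(10)]  # burst


def build_baselines(history: List[Access]) -> Dict[str, Baseline]:
    """Derive per-user usual hours, locations and frequency from past access logs."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    locations: Dict[str, Set[str]] = defaultdict(set)
    days: Dict[str, set] = defaultdict(set)
    counts: Dict[str, int] = defaultdict(int)
    for a in history:
        dt = datetime.fromisoformat(a.ts)
        hours[a.user].add(dt.hour)
        locations[a.user].add(a.location)
        days[a.user].add(dt.date())
        counts[a.user] += 1
    return {u: Baseline(hours[u], locations[u], counts[u] / len(days[u])) for u in hours}


def score(event: Access, base: Baseline, same_day_count: int,
          hour_tolerance: int = 1, burst_factor: float = 3.0) -> List[str]:
    """Reasons why the event deviates from the baseline (empty list = normal)."""
    reasons = []
    hour = datetime.fromisoformat(event.ts).hour
    if not any(abs(hour - h) <= hour_tolerance for h in base.hours):
        reasons.append(f"unusual hour {hour:02d}:00")
    if event.location not in base.locations:
        reasons.append(f"unseen location {event.location}")
    if same_day_count > burst_factor * base.per_day:
        reasons.append(f"{same_day_count} accesses today, baseline {base.per_day:.1f}/day")
    return reasons


def monitor(events: List[Access],
            baselines: Dict[str, Baseline]) -> List[Tuple[Access, List[str]]]:
    """Score one day's events in time order; users without a baseline are always flagged."""
    per_day: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda a: a.ts):
        key = (e.user, e.ts[:10])
        per_day[key] += 1
        base = baselines.get(e.user)
        reasons = ["no baseline for user"] if base is None else score(e, base, per_day[key])
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in monitor(NEW_EVENTS, build_baselines(HISTORY)):
        print(event.user, event.ts, event.location, "->", "; ".join(reasons))
```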
Continuous monitoring via a monitoring tool should be used. Monitoring should be done in real time or at
regular intervals, subject to organizational needs and capabilities. Monitoring tools should incorporate
the ability to handle large amounts of data, adapt to the ever-changing threat landscape and enable
real-time notification. The tools should also be able to recognize specific signatures and specific patterns
of data, network or application behaviour.
Automated monitoring software should be configured to generate alerts (eg, via management consoles,
e-mail messages or instant messaging systems) based on predefined thresholds. The alert system should
be set up and trained against the organization's baseline to minimize false positives. Staff should be
dedicated to responding to alerts and properly trained to accurately interpret potential incidents. Redundant
systems and processes should be in place to receive and respond to alert notifications.
Abnormal events should be communicated to the relevant affected parties in order to improve the following
activities: auditing, security assessment, vulnerability analysis and monitoring (see 5.25). Procedures
should be in place to respond to positive indicators from the monitoring system promptly to minimize the
consequences of adverse events (see 5.26) on information security. Procedures should also be defined
to identify and deal with false positives, including tuning monitoring software to reduce the number of
future false positives.
Additional Information
Security monitoring can be improved by:
a) the use of threat intelligence systems (see 5.7);
b) the use of machine learning and artificial intelligence capabilities;
c) the use of blocklists or allowlists;
d) conducting a series of technical security assessments (e.g. vulnerability assessments, penetration
tests, cyber attack simulations and cyber attack response exercises) and using the results of these
assessments to help determine baselines or acceptable behaviours;
e) the use of performance monitoring systems to help define and detect abnormal behaviour;
f) the use of logs in conjunction with monitoring systems.
Monitoring activities are often carried out using specialized software, such as intrusion detection
systems. These can be configured against a baseline of system and network activity considered normal,
acceptable and expected.
Monitoring anomalous communications makes it easier to identify botnets (i.e. a collection of endpoints
under the malicious control of the botnet owner, typically used to launch distributed denial of service
attacks on other computers in other organizations).
If a computer is controlled by an external device, communication is established between the infected
device and the controller. The organization should therefore employ technologies to monitor abnormal
communications and take action as often as necessary.
8.17 Synchronization of clocks
Type of security measure: #Detective
Information security properties: #Integrity
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #Information_security_event_management
Security domains: #Protection #Defense
Security measure
The clocks of the information processing systems used by the organization should be synchronized with
approved time sources.
Objective
Enable the correlation and analysis of security events and other recorded data, assist in the investigation
of information security incidents.
Recommendations
External and internal requirements for time representation, reliable synchronization and accuracy should be documented and implemented. These requirements can arise from legal, statutory, regulatory, contractual or normative needs and from internal monitoring. A standard reference time for use within the organization should be defined and adopted by all systems, including building management systems, entry and exit systems and other systems that can be used to assist investigations.
A clock synchronized to a radio signal broadcasting the time from a national atomic clock or to a global positioning system (GPS) should be used as the reference clock for logging systems, so that there is one consistent and reliable date and time source and timestamps are accurate. Protocols such as the Network Time Protocol (NTP) or the Precision Time Protocol (PTP) should be used to keep all networked systems synchronized with the reference clock.
The organization can use two external time sources at the same time to improve the reliability of the external clocks, and should manage any discrepancy between them appropriately.
Synchronizing clocks can be complicated when using multiple cloud services or when using cloud and
on-premises services together. In this case, the clock of each service should be managed and the
offsets recorded in order to mitigate the risks arising from these offsets.
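The following is an added example, not text of ISO/IEC 27002 and not any product's code. It measures each clock's offset from the designated reference clock, flags any source whose offset exceeds a tolerance (only the cloud service here), and then uses the recorded offsets to put events stamped by differently synchronized services into their true order for correlation. The source names, readings, events and the tolerance value are constructed for the example; a real deployment takes the readings from its NTP/PTP clients and the tolerance from its documented accuracy requirements.

```python
# Added example (not ISO/IEC 27002 text): record clock offsets from the reference
# clock, flag sources outside the tolerance, and correct event times for correlation.
from datetime import datetime, timedelta, timezone

TOLERANCE_MS = 500   # assumed; derive it from the documented accuracy requirements

# What each clock reported at the same observation instant (constructed values).
READINGS = {
    "gps-reference":  datetime(2022, 2, 1, 12, 0, 0, 100000, tzinfo=timezone.utc),
    "ntp-external-b": datetime(2022, 2, 1, 12, 0, 0, 130000, tzinfo=timezone.utc),
    "onprem-vpn":     datetime(2022, 2, 1, 12, 0, 0, 120000, tzinfo=timezone.utc),
    "cloud-saas-x":   datetime(2022, 2, 1, 12, 0, 4, 300000, tzinfo=timezone.utc),
}

# Log events as each service stamped them: (source, reported time, message).
EVENTS = [
    ("onprem-vpn",   datetime(2022, 2, 1, 12, 0, 1, tzinfo=timezone.utc), "vpn login alice"),
    ("cloud-saas-x", datetime(2022, 2, 1, 12, 0, 5, tzinfo=timezone.utc), "saas login alice"),
]


def clock_offsets_ms(readings, reference, tolerance_ms=TOLERANCE_MS):
    """Offset of every source from the reference clock in milliseconds
    (positive = runs ahead), plus the sources that exceed the tolerance."""
    ref = readings[reference]
    offsets = {name: round((t - ref) / timedelta(milliseconds=1))
               for name, t in readings.items()}
    outliers = sorted(name for name, off in offsets.items() if abs(off) > tolerance_ms)
    return offsets, outliers


def order_events(events, offsets):
    """Sort events by reference time by removing each source's recorded offset.
    Without the correction the cloud login below appears to happen after the
    VPN login; with it, the real order is restored."""
    corrected = [(t - timedelta(milliseconds=offsets[source]), source, message)
                 for source, t, message in events]
    return sorted(corrected)


def demo():
    offsets, outliers = clock_offsets_ms(READINGS, "gps-reference")
    return offsets, outliers, order_events(EVENTS, offsets)
```

The point of recording the offset rather than silently "fixing" the cloud service's clock is that the raw log keeps its original timestamp (which is what an investigator will be shown as evidence), while the correlation layer applies a documented correction that can itself be audited.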
Additional Information
Proper setting of computer clocks is important to ensure accurate event logs that may be needed in
investigations or used as evidence in legal cases and disciplinary proceedings. Inaccurate audit logs
can hamper these investigations and undermine the credibility of this evidence.
8.18 Use of privileged utility programs
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #System_and_network_security #Secure_configuration #Application_security
Security domains: #Protection
Security measure
The use of utility programs with the ability to circumvent system and application security measures
should be limited and tightly controlled.
Objective
Ensure that the use of utility programs does not compromise the information security measures of
systems and applications.
Recommendations
The following guidelines regarding the use of utility programs that have the ability to circumvent system and application security measures should be considered:
a) limit the use of utility programs to the minimum practical number of trusted, authorized users (see 8.2);
b) use identification, authentication and authorization procedures for utility programs, including unique identification of the person using the utility program;
c) define and document authorization levels for utility programs;
d) require authorization for ad hoc use of utility programs;
e) do not make utility programs available to users who have access to applications on systems requiring segregation of duties;
f) remove or disable all unnecessary utility programs;
g) at a minimum, logically separate utility programs from application software. Where practicable, separate the network communications of these programs from application traffic;
h) limit the availability of utility programs (for example, to the duration of an authorized change);
i) log all use of utility programs.
Additional Information
Most information systems have one or more utility programs that may have the ability to circumvent
system and application security measures, such as diagnostics, patching, anti-virus, disk defragmentation,
debuggers, backup tools and network tools.
8.19 Installation of software on operational systems
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Secure_configuration #Application_security
Security domains: #Protection
Security measure
Procedures and measures should be implemented to securely manage the installation of software on
operational systems.
Objective
Ensure the integrity of operational systems and prevent the exploitation of technical vulnerabilities.
Recommendations
The following guidelines should be considered to securely manage changes and installation of software on operational systems:
a) perform updates of operational software only by trained administrators upon appropriate management authorization (see 8.5);
b) ensure that only approved executable code, and not development code or compilers, is installed on operational systems;
c) install and update software only after extensive and successful testing (see 8.29 and 8.31);
d) update all corresponding program source libraries;
e) use a configuration control system to keep control of all operational software as well as the system documentation;
f) define a rollback strategy before changes are implemented;
g) maintain an audit log of all updates to operational software;
h) archive old versions of software, together with all required information and parameters, procedures, configuration details and supporting software, as a contingency measure, and for as long as the software is required to read or process archived data.
Any decision to install a new version should take into account the business requirements of the change,
as well as the security aspects of the new version (for example, the introduction of a new information
security feature or the number and severity of information security vulnerabilities affecting the current
version). Software patches should be applied when they remove or reduce information security
vulnerabilities (see 8.8 and 8.19).
Computer software can rely on externally supplied software and packages (e.g. software programs using modules hosted on external sites); these should be monitored and controlled to avoid unauthorized changes, since they can introduce information security vulnerabilities.
Software provided by vendors and used in operational systems should be maintained by the vendor.
Over time, software vendors will stop servicing older versions of software. The organization should
consider the risks associated with the use of out-of-maintenance software. Open source software used
in operational systems should be maintained at the latest appropriate software version. Over time,
maintenance of open source codes may cease, but these codes remain available in an open source
software repository. The organization should also consider the risks associated with unmaintained open
source software when used in operational systems.
Where vendors are involved in installing or updating software, physical or logical access should be
granted only as necessary and with appropriate authorization. Supplier activities should be monitored
(see 5.22).
The organization should define and enforce strict rules on the types of software users can install. The principle of least privilege should be applied to the installation of software on operational systems. The organization should identify which types of software installations are permitted (e.g. updates and security patches to existing software) and which are prohibited (e.g. software that is only for personal use, and software whose origin is unknown or suspect and which is potentially malicious). These privileges should be granted according to the roles of the users concerned.
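As an added illustration of items b), f), g) and h) above (not ISO/IEC 27002 text and not a real package manager), the following installation gate admits only executable code whose SHA-256 digest appears in an approved manifest, records every attempt, successful or not, in an audit log, and retains the previously installed version so a rollback is possible. The artifact names and contents are constructed for the example, and the manifest is derived from those bytes only to keep the example self-contained; in practice the manifest comes from the change-approval step (8.5) and is distributed separately from the artifacts.

```python
# Added example (not ISO/IEC 27002 text): allow only approved code by digest,
# keep the previous version for rollback and audit every attempt.
import hashlib
import hmac

# Constructed stand-ins for release artifacts.
ARTIFACTS = {
    "agent-1.4.2.bin": b"approved build 1.4.2",
    "agent-1.5.0.bin": b"approved build 1.5.0",
    "agent-dev.bin":   b"developer build, never approved",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved manifest (here computed from the sample bytes for self-containment;
# really produced by change approval and shipped separately from the artifacts).
APPROVED_DIGESTS = {
    "agent-1.4.2.bin": sha256_hex(ARTIFACTS["agent-1.4.2.bin"]),
    "agent-1.5.0.bin": sha256_hex(ARTIFACTS["agent-1.5.0.bin"]),
}


class InstallGate:
    def __init__(self, approved=APPROVED_DIGESTS):
        self.approved = approved
        self.installed = None   # name of the version currently in service
        self.previous = None    # retained so a rollback is possible (f, h)
        self.audit_log = []     # one entry per attempt, successful or not (g)

    def _record(self, action, admin, artifact, outcome):
        self.audit_log.append({"action": action, "admin": admin,
                               "artifact": artifact, "outcome": outcome})

    def install(self, name, data, admin):
        """Install `data` as `name` only if its digest matches the manifest (b)."""
        digest = sha256_hex(data)
        expected = self.approved.get(name)
        if expected is None:
            self._record("install", admin, name, "rejected: not in approved manifest")
            return False
        if not hmac.compare_digest(expected, digest):
            self._record("install", admin, name, "rejected: digest mismatch")
            return False
        self.previous, self.installed = self.installed, name
        self._record("install", admin, name, "ok sha256=" + digest)
        return True

    def rollback(self, admin):
        """Return to the previously installed version, if one is retained."""
        if self.previous is None:
            self._record("rollback", admin, None, "rejected: nothing to roll back to")
            return False
        self.installed, self.previous = self.previous, None
        self._record("rollback", admin, self.installed, "ok")
        return True


def demo():
    """Constructed sequence: approved install, unapproved build, tampered
    build under an approved name, approved upgrade, then rollback."""
    gate = InstallGate()
    results = [
        gate.install("agent-1.4.2.bin", ARTIFACTS["agent-1.4.2.bin"], "admin1"),
        gate.install("agent-dev.bin", ARTIFACTS["agent-dev.bin"], "admin1"),
        gate.install("agent-1.5.0.bin", b"tampered build", "admin1"),
        gate.install("agent-1.5.0.bin", ARTIFACTS["agent-1.5.0.bin"], "admin1"),
        gate.rollback("admin1"),
    ]
    return gate, results
```

The rejected attempts are logged as deliberately as the successful ones: a digest mismatch under an approved name is exactly the event a supply-chain investigation later wants to find.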
Additional Information
No additional information.
8.20 Network security
Type of security measure: #Preventive #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect #Detect
Operational capabilities: #System_and_network_security
Security domains: #Protection
Security measure
Networks and network devices should be secured, managed and controlled to protect system and
application information.
Objective
Protect information in networks and the supporting information processing facilities against compromise via the network.
Recommendations
Security measures should be implemented to ensure the security of information in networks and to protect connected services against unauthorized access. In particular, the following should be considered:
a) the type and level of information classification that the network can support;
b) define responsibilities and procedures for the management of network equipment and devices;
c) maintain documentation, including network diagrams and configuration files of devices (e.g. routers, switches);
d) separate operational responsibility for networks from ICT system operations where appropriate (see 5.3);
e) define security measures to protect the confidentiality and integrity of data passing over public networks, third-party networks or wireless networks and to protect the connected systems and applications (see 5.22, 8.24, 5.14 and 6.6). Additional security measures can also be required to maintain the availability of the network services and computers connected to the network;
f) provide appropriate logging and monitoring to enable the recording and detection of actions that can affect, or are relevant to, information security (see 8.16 and 8.15);
g) closely coordinate network management activities both to optimize the service to the organization and to ensure that security measures are applied consistently across the information processing infrastructure;
h) authenticate systems on the network;
i) restrict and filter the connection of systems to the network (e.g. by using firewalls);
j) detect, restrict and authenticate the connection of equipment and devices to the network;
k) harden network devices;
l) separate network administration channels from other network traffic;
m) temporarily isolate critical sub-networks (e.g. with drawbridges) if the network is under attack;
n) disable vulnerable network protocols.
The organization should ensure that appropriate security measures are applied for the use of virtualized networks. Virtualized networks also include software-defined networking (SDN, SD-WAN). Virtualized networks can be desirable from a security perspective, since they allow logical separation of communication taking place over physical networks, in particular for systems and applications realized using distributed computing.
Additional Information
Additional information on network security is available in the ISO/IEC 27033 series.
More information on virtualized networks is available in ISO/IEC TS 23167.
8.21 Security of network services
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #System_and_network_security
Security domains: #Protection
Security measure
Security mechanisms, service levels and service requirements for network services should be identified,
implemented and monitored.
Objective
Ensure security when using network services.
Recommendations
The security measures needed for particular services, such as security features, service levels and service requirements, should be identified and implemented by internal or external network service providers. The organization should ensure that network service providers implement these measures.
The ability of the network service provider to manage the agreed services securely should be determined and regularly monitored. The right to audit should be agreed between the organization and the provider. The organization should also consider third-party attestations provided by service providers to demonstrate that they maintain appropriate security measures.
Rules on the use of networks and network services should be formulated and implemented to cover:
a) the networks and network services that can be accessed;
b) authentication requirements for access to different network services;
c) authorization procedures for determining who is allowed to access which networks and network services;
d) network management and technological security measures and procedures to protect access to network connections and network services;
e) the means used to access networks and network services [e.g. use of virtual private networks (VPNs) or wireless networks];
f) time, location and other attributes of the user at the time of access;
g) monitoring of the use of network services.
The following security features of network services should be considered:
a) technology applied for the security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secure connection to network services in accordance with the security and network connection rules;
c) caching (e.g. in a content delivery network) and its parameters that allow users to choose the use of caching in accordance with performance, availability and confidentiality requirements;
d) procedures for the use of network services to restrict access to network services or applications, where necessary.
Additional Information
Network services include the provision of connections, private network services and managed network security
solutions, such as firewalls and intrusion detection systems. These services can range from simple unmanaged
bandwidth to complex value-added offerings.
Additional recommendations on a framework for access management are available in ISO/IEC 29146.
8.22 Segregation of networks
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #System_and_network_security
Security domains: #Protection
Security measure
Groups of information services, users and information systems should be segregated within the organization's networks.
Objective
Divide the network into security perimeters and control traffic between them based on business needs.
Recommendations
The organization should consider managing the security of large networks by dividing them into separate network domains and separating them from the public network (i.e. the Internet). Domains can be chosen according to levels of trust, criticality and sensitivity (e.g. public access domain, workstation domain, server domain, low- and high-risk systems), according to organizational units (e.g. human resources, finance, marketing) or according to some combination (e.g. a server domain connecting to several organizational units). Segregation can be done using either physically different networks or different logical networks.
The perimeter of each domain should be well defined. If access between network domains is allowed, it should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregating networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the topic-specific policy on access control (see 5.15), access requirements, and the value and classification of the information processed, and should also take into account the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment because they have a poorly defined network perimeter. Adjustment of radio coverage should be considered for the segregation of wireless networks. For sensitive environments, consideration should be given to treating all wireless access as an external connection and isolating such access from internal networks until it has passed through a gateway in accordance with the network security measures (see 8.20), before granting access to internal systems. Wireless access networks for guests should be segregated from those for personnel if personnel use only controlled user endpoint devices that comply with the organization's topic-specific policies. Guest Wi-Fi should have at least the same restrictions as personnel Wi-Fi, in order to discourage personnel from using the guest Wi-Fi.
Additional Information
Networks often extend beyond organizational boundaries, and the business partnerships that are formed require
the interconnection or sharing of information processing resources and network facilities. These extensions can
increase the risk of unauthorized access to the organization's information systems that use the network, some
of which need to be protected from other network users because of their level of sensitivity or criticality.
8.23 Web filtering
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #System_and_network_security
Security domains: #Protection
Security measure
Access to external websites should be managed to reduce exposure to malicious content.
Objective
Protect systems from malware compromise and prevent access to unauthorized web resources.
Recommendations
The organization should reduce the risk of its personnel accessing websites that contain illegal information or are known to contain viruses or phishing content. One technique to achieve this is to block the IP addresses or domains of the websites concerned. Some browsers and anti-malware technologies do this automatically or can be configured to do so.
The organization should identify the types of websites to which personnel should and should not have access. The organization should consider blocking access to the following types of websites:
a) websites that have an information upload function, unless permitted for valid business reasons;
b) websites known to be or suspected of being malicious (e.g. those distributing malware or phishing content);
c) command and control servers;
d) malicious websites identified from threat intelligence (see 5.7);
e) websites sharing illegal content.
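The blocking technique just described, as an added example (not ISO/IEC 27002 text and not any product's filter): one decision function that applies a domain blocklist matched on the domain and its subdomains (items b and d), an IP blocklist for known command-and-control addresses (item c), and a list of upload sites that are blocked unless an approved business exception exists (item a), run over constructed proxy log lines. The list contents, the log format and the documentation-range addresses are assumptions.

```python
# Added example (not ISO/IEC 27002 text): web-filtering decision over proxy log lines.
import ipaddress
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"malware-drop.example", "phish.example.net"}   # items b) and d)
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]       # item c), assumed C2 range
UPLOAD_SITES = {"paste.example.org", "files.partner.example"}     # item a)
BUSINESS_ALLOWLIST = {"files.partner.example"}                    # approved exception


def _matches(host, domains):
    """True if host equals, or is a subdomain of, an entry in domains.
    Suffix matching on label boundaries, not substring matching."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(url):
    """Return (action, reason) for a single request URL."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
        host = host.encode("idna").decode("ascii").lower()   # IDN lookalikes -> punycode
    except (ValueError, UnicodeError):
        return "block", "unparseable host"
    if not host:
        return "block", "unparseable host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in BLOCKED_NETWORKS):
        return "block", "known command-and-control address"
    if _matches(host, BLOCKED_DOMAINS):
        return "block", "known malicious domain"
    if _matches(host, UPLOAD_SITES) and not _matches(host, BUSINESS_ALLOWLIST):
        return "block", "upload site without business approval"
    return "allow", "no rule matched"


# Constructed proxy log lines: "<time> <user> <url>". The last line is a
# lookalike whose registrable domain is evil.example; suffix matching does not
# confuse it with phish.example.net, so it needs its own blocklist entry.
PROXY_LOG = """\
2022-02-01T12:00:01Z alice https://intranet.example.com/home
2022-02-01T12:00:02Z bob http://cdn.malware-drop.example/update.exe
2022-02-01T12:00:03Z bob http://203.0.113.7/beacon
2022-02-01T12:00:04Z carol https://paste.example.org/new
2022-02-01T12:00:05Z carol https://files.partner.example/upload
2022-02-01T12:00:06Z dave https://phish.example.net.evil.example/
"""


def filter_log(text):
    """Return one (user, host, action, reason) tuple per log line."""
    out = []
    for line in text.splitlines():
        _, user, url = line.split(" ", 2)
        action, reason = decide(url)
        out.append((user, urlsplit(url).hostname, action, reason))
    return out
```

Two design points worth noting: the known-malicious checks run before the allowlist, so a business exception can never re-open a domain that threat intelligence has flagged, and hostnames are normalized to punycode before matching, so a list entry cannot be bypassed with a Unicode spelling of the same name.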
Before deploying this security measure, the organization should establish rules for the safe and appropriate use of online resources, including any restrictions on undesirable or inappropriate websites and web-based applications. These rules should be kept up to date.
Personnel should be trained in the safe and appropriate use of online resources, including web access. Training should include the organization's rules, the point of contact for raising security concerns, and the exception process for when legitimate business reasons require access to otherwise restricted web resources. Personnel should also be trained not to override browser warnings that report a website as not secure but still allow the user to proceed.
Additional Information
Web filtering can include a combination of techniques, such as signatures, heuristics, lists of acceptable websites or domains, lists of prohibited websites or domains and bespoke configuration, to help prevent malware and other malicious activity from attacking the organization's networks and systems.
8.24 Use of cryptography
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Secure_configuration
Security domains: #Protection
Security measure
Rules for the effective use of cryptography, including the management of cryptographic keys, should be
defined and implemented.
Objective
Ensure the correct and effective use of cryptography to protect the confidentiality, authenticity or integrity
of information in accordance with business and information security requirements, and taking into account
legal, statutory, regulatory and contractual requirements relating to cryptography.
Recommendations
General
When using cryptography, the following should be considered:
a) the topic-specific policy on cryptography defined by the organization, including the general principles for the protection of information. A topic-specific policy on the use of cryptography is useful to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use;
b) identifying the required level of protection and the classification of the information, and hence determining the type, strength and quality of the cryptographic algorithms required;
c) the use of cryptography to protect information held on mobile user endpoint devices or on storage media, and information transmitted over networks to such devices or media;
d) the approach to key management, including methods for generating and protecting cryptographic keys and for recovering encrypted information in the event of lost, compromised or damaged keys;
e) roles and responsibilities for:
1) implementing the rules for the effective use of cryptography;
2) key management, including key generation (see 8.24);
f) the standards to be adopted, as well as the cryptographic algorithms, cipher strengths, cryptographic solutions and usage practices approved or required in the organization;
g) the impact of using encrypted information on security measures that rely on content inspection (e.g. malware detection or content filtering).
When implementing the organization's rules for the effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be considered, as well as the issues of cross-border flow of encrypted information (see 5.31).
The contents of service level agreements or contracts with external cryptographic service providers (e.g. with a certificate authority) should cover issues of liability, reliability of services and response times for the provision of services (see 5.22).
Key management
Proper key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.
A key management system should be based on an agreed set of standards, procedures and secure methods for:
a) generating keys for different cryptographic systems and different applications;
b) issuing and obtaining public key certificates;
c) distributing keys to the intended entities, including how keys should be activated when received;
d) storing keys, including how authorized users obtain access to keys;
e) changing or updating keys, including rules on when to change keys and how this is done;
f) dealing with compromised keys;
g) revoking keys, including how keys are withdrawn or deactivated (e.g. when keys have been compromised or when a user leaves the organization, in which case keys should also be archived);
h) recovering keys that are lost or corrupted;
i) backing up or archiving keys;
j) destroying keys;
k) logging and auditing key management activities;
l) setting activation and deactivation dates for keys so that they can only be used for the period of time defined by the organization's key management rules;
m) handling legal requests for access to cryptographic keys (e.g. encrypted information can be required to be made available in unencrypted form as evidence in a court case).
All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected.
In addition to integrity, for many use cases the authenticity of public keys should also be considered.
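The following is an added example, not ISO/IEC 27002 text and not a production key management system: a key record with explicit lifecycle states, activation and deactivation dates, compromise handling and an audit trail, so that a key can be used only inside the window the key management rules allow (items e, f, g, k and l above), together with a key ring that selects the newest active key so rotation needs no code change. The HMAC use, key identifiers and dates are assumptions; a real system keeps the secret material in an HSM or KMS rather than in process memory.

```python
# Added example (not ISO/IEC 27002 text): key lifecycle with usage window,
# compromise handling, rotation and an audit trail.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone


class KeyPolicyError(Exception):
    """Raised when a key is used outside its permitted lifecycle state."""


class ManagedKey:
    def __init__(self, key_id, activate_at, deactivate_at, length=32):
        if deactivate_at <= activate_at:
            raise ValueError("deactivation must follow activation")
        self.key_id = key_id
        self._secret = os.urandom(length)   # generation; a real system uses an HSM/KMS
        self.activate_at, self.deactivate_at = activate_at, deactivate_at
        self._terminal = None               # "compromised" once set; overrides the dates
        self.audit = []                     # item k): every lifecycle and use event
        self._log(activate_at, "generated",
                  f"window {activate_at:%Y-%m-%d} to {deactivate_at:%Y-%m-%d}")

    def _log(self, at, event, detail=""):
        self.audit.append((at.isoformat(), self.key_id, event, detail))

    def state(self, now):
        """Effective state at `now`; the dates (item l) move the key on their own."""
        if self._terminal:
            return self._terminal
        if now < self.activate_at:
            return "pre-activation"
        if now >= self.deactivate_at:
            return "deactivated"
        return "active"

    def mac(self, message, now):
        """Protect a message; permitted only while the key is active."""
        st = self.state(now)
        if st != "active":
            self._log(now, "use refused", st)
            raise KeyPolicyError(f"{self.key_id} is {st}")
        self._log(now, "used")
        return hmac.new(self._secret, message, hashlib.sha256).hexdigest()

    def verify(self, message, tag, now):
        # A deactivated (archived) key may still verify earlier data; a
        # compromised key may not, because its tags can no longer be trusted.
        st = self.state(now)
        if st not in ("active", "deactivated"):
            self._log(now, "verify refused", st)
            raise KeyPolicyError(f"{self.key_id} is {st}")
        self._log(now, "verified")
        expected = hmac.new(self._secret, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def compromise(self, now, reason):
        """Item f): a compromised key is withdrawn from every use immediately."""
        self._terminal = "compromised"
        self._log(now, "compromised", reason)


class KeyRing:
    def __init__(self):
        self.keys = {}

    def add(self, *keys):
        for key in keys:
            self.keys[key.key_id] = key

    def signing_key(self, now):
        """Newest active key; overlapping windows give a clean rotation (item e)."""
        active = [k for k in self.keys.values() if k.state(now) == "active"]
        if not active:
            raise KeyPolicyError("no active key")
        return max(active, key=lambda k: k.activate_at)

    def verify(self, key_id, message, tag, now):
        return self.keys[key_id].verify(message, tag, now)


def _allowed(action):
    """True if the key operation is permitted, False if policy refuses it."""
    try:
        action()
        return True
    except KeyPolicyError:
        return False


def demo():
    """One rotation with constructed dates; returns what was observed."""
    t0, day = datetime(2022, 2, 1, tzinfo=timezone.utc), timedelta(days=1)
    ring = KeyRing()
    k1 = ManagedKey("mac-2022-02", t0, t0 + 90 * day)
    k2 = ManagedKey("mac-2022-04", t0 + 60 * day, t0 + 150 * day)
    ring.add(k1, k2)
    msg, obs = b"audit record 42", {}
    obs["day30_signer"] = ring.signing_key(t0 + 30 * day).key_id
    tag1 = k1.mac(msg, t0 + 30 * day)
    obs["day70_signer"] = ring.signing_key(t0 + 70 * day).key_id
    obs["day100_k1_state"] = k1.state(t0 + 100 * day)
    obs["day100_verifies_old_tag"] = ring.verify("mac-2022-02", msg, tag1, t0 + 100 * day)
    obs["day100_k1_can_sign"] = _allowed(lambda: k1.mac(msg, t0 + 100 * day))
    k1.compromise(t0 + 101 * day, "key file found on a shared drive")
    obs["after_compromise_verifies"] = _allowed(
        lambda: ring.verify("mac-2022-02", msg, tag1, t0 + 102 * day))
    obs["k1_audit_events"] = [event for _, _, event, _ in k1.audit]
    return obs
```

The caller passes the current time into every operation rather than reading the system clock inside the key object; that keeps the policy testable and makes the dependency on a trustworthy clock (8.17) explicit, since a host whose clock is wrong would otherwise enforce the activation window incorrectly.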
Additional Information
Authenticity of public keys is usually ensured by public key management processes using certificate authorities and public key certificates, but it is also possible to ensure it by other means, such as manual processes for a small number of keys.
Cryptography can be used to achieve different information security objectives, for example:
a) confidentiality: using encryption of information to protect sensitive or critical information, whether stored or transmitted;
b) integrity or authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of sensitive or critical information stored or transmitted, and using algorithms for file integrity checking;
c) non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
d) authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.
The ISO/IEC 11770 series provides further information on key management.
8.25 Secure development life cycle
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_security #System_and_network_security
Security domains: #Protection
Security measure
Rules should be defined and applied for the secure development of software and systems.
Objective
Ensure that information security is designed and implemented during the secure development life cycle
of software and systems.
Recommendations
Secure development is a requirement for building a secure service, architecture, software and system. To achieve this, the following aspects should be considered:
a) separation of development, test and production environments (see 8.31);
b) guidance on security in the software development life cycle:
1) security in the software development methodology (see 8.28 and 8.27);
2) secure coding guidelines for each programming language used (see 8.28);
c) security requirements in the specification and design phase (see 5.8);
d) security checkpoints in projects (see 5.8);
e) system and security testing, such as regression testing, code scanning and penetration testing (see 8.29);
f) secure repositories for source code and configuration (see 8.4 and 8.9);
g) security in version control (see 8.32);
h) required application security knowledge and training (see 8.28);
i) developers' capability to prevent, find and fix vulnerabilities (see 8.28);
j) licensing requirements and alternatives that secure cost-effective solutions while avoiding future licensing problems (see 5.32).
If development is outsourced, the organization should obtain assurance that the supplier complies with the organization's rules for secure development (see 8.30).
Additional Information
Developments can also take place within applications such as office applications, scripts, browsers and
databases.
8.26 Application security requirements
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_security #System_and_network_security
Security domains: #Protection #Defense
Security measure
Information security requirements should be identified, specified and approved when developing or
acquiring applications.
Objective
Ensure that all information security requirements are identified and addressed when developing or
acquiring applications.
Recommendations
General
Application security requirements should be identified and specified. These requirements are usually determined through a risk assessment. The requirements should be developed with the support of information security specialists.
Application security requirements can cover a wide range of topics, depending on the purpose of the application.
Application security requirements should include, where applicable:
a) the level of trust in the identity of entities [e.g. through authentication (see 5.17, 8.2 and 8.5)];
b) identifying the type of information and classification level to be processed by the application;
c) the need for segregation of access and levels of access to data and functions in the application;
d) resilience against malicious attacks or unintentional disruptions [e.g. protection against buffer overflow or structured query language (SQL) injection];
e) legal, statutory and regulatory requirements in the jurisdiction where the transaction is generated, processed, completed or stored;
f) the need for privacy protection for all parties involved;
g) requirements for the protection of all confidential information;
h) protection of data while being processed, in transit and at rest;
i) the need to securely encrypt communications between all parties involved;
j) input controls, including integrity checks and input validation;
k) automated controls (e.g. approval limits or dual approvals);
l) output controls, also considering who can access the output data and its authorization;
m) restrictions on the content of "free-text" fields, since these can lead to the uncontrolled storage of confidential data (e.g. personal data);
n) requirements derived from the business process, such as transaction logging and monitoring and non-repudiation requirements;
o) requirements mandated by other security measures (e.g. interfaces to logging and monitoring or data leakage detection systems);
p) handling of error messages.
Transactional services
Additionally, for applications that provide transactional services between the organization and a partner, the
following should be considered when identifying information security requirements:
a) the level of trust each party needs in the claimed identity of the others;
b) the level of confidence required in the integrity of the information exchanged or processed, and the mechanisms for identifying a lack of integrity (e.g. cyclic redundancy check, hashing, digital/electronic signatures);
c) approval processes associated with who can approve content, issue or sign important transactional documents;
d) confidentiality, integrity, proof of sending and receipt of important documents and non-repudiation (e.g. contracts associated with tendering and contracting processes);
e) confidentiality and integrity of all transactions (e.g. orders, delivery contact details and acknowledgements of receipt);
f) requirements for how long the transaction is kept confidential;
g) insurance and other contractual requirements.
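A worked illustration of item b), added here and not part of ISO/IEC 27002: it compares the three integrity mechanisms the item names on a purchase-order message and shows which of them detects deliberate modification as well as accidental corruption. The message, the shared key and the tag encoding are constructed for the example.

```python
import hashlib
import hmac
import json
import zlib

# Constructed shared secret agreed out of band between the two transacting parties.
SHARED_KEY = b"constructed-shared-key-for-illustration"


def encode(order: dict) -> bytes:
    """Canonical JSON so both parties compute the check over identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


# Integrity mechanisms named in item b): an unkeyed CRC, an unkeyed hash and a keyed MAC.
MECHANISMS = {
    "crc32": lambda data, key: f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    "sha256": lambda data, key: hashlib.sha256(data).hexdigest(),
    "hmac": lambda data, key: hmac.new(key, data, hashlib.sha256).hexdigest(),
}


def make_tag(mechanism: str, data: bytes, key: bytes = b"") -> str:
    return MECHANISMS[mechanism](data, key)


def verify(mechanism: str, data: bytes, tag: str, key: bytes = b"") -> bool:
    """True if the received tag matches; the constant-time compare avoids timing leaks."""
    return hmac.compare_digest(make_tag(mechanism, data, key), tag)


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulates accidental corruption in transit (e.g. a line error)."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


def integrity_detection_matrix() -> dict:
    """For each mechanism: does verification fail (i.e. is the problem detected)
    for (1) accidental corruption and (2) deliberate modification by a party
    that does not hold the shared key? Returns {mechanism: {case: detected}}."""
    order = {"order_id": "PO-0001", "amount": 120.00, "currency": "EUR"}  # constructed
    original = encode(order)
    altered = encode({**order, "amount": 12000.00})
    results = {}
    for mechanism in MECHANISMS:
        key = SHARED_KEY if mechanism == "hmac" else b""
        tag = make_tag(mechanism, original, key)
        # Case 1: the bytes change in transit but the tag travelling with them does not.
        accidental = not verify(mechanism, flip_one_bit(original), tag, key)
        # Case 2: the modifying party recomputes the check itself. Without the
        # shared key it can only produce an unkeyed value or a tag under a wrong key.
        recomputed = make_tag(mechanism, altered, b"not-the-shared-key")
        deliberate = not verify(mechanism, altered, recomputed, key)
        results[mechanism] = {"accidental": accidental, "deliberate": deliberate}
    return results
```

A digital signature (see 8.24) gives the same protection as the HMAC row and additionally supports non-repudiation, because only the signer holds the private key.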
Electronic ordering and payment applications
Additionally, for applications that include electronic orders and payments, the following should be considered:
a) the requirements for maintaining the confidentiality and integrity of order information;
b) the appropriate degree of verification of the payment information provided by a customer;
c) prevention of loss or duplication of transaction information;
d) storing transaction information outside of any publicly accessible environment (for example, on a storage platform within the organization's intranet) and not keeping or displaying it on electronic storage media directly accessible from the Internet;
e) where a trusted authority is used (for example, for the purpose of issuing and maintaining electronic signatures or certificates), security is integrated and embedded throughout the end-to-end certificate or signature management process.
Many of the above considerations can be addressed by the application of cryptography (see 8.24), taking into
account legal requirements (see 5.31 to 5.36, and see in particular 5.31 for cryptography legislation).
Additional Information
Applications accessed through networks are exposed to a range of network-associated threats, such as fraudulent activity, contractual disputes or disclosure of information to the general public, and to incomplete transmission, misdirection, unauthorized alteration, duplication or replay of messages. Therefore, detailed risk assessments and the careful determination of security measures are essential. Required security measures often include cryptographic methods for authentication and for securing data transfers.
More information on application security is available in the ISO/IEC 27034 series.
8.27 Principles of secure system engineering and architecture
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_Security
Security domains: #Protection #System_and_network_security
Security measure
Secure systems engineering principles should be established, documented, maintained, and applied to all
information system development activities.
Objective
Ensure that information systems are designed, implemented and operated securely during the development life
cycle.
Recommendations
Security engineering principles should be established, documented and applied to information systems engineering activities. Security should be designed into all layers of the architecture (business, data, applications and technology). New technologies should be analysed for security risks and their designs reviewed against known attack patterns.
Secure engineering principles provide guidance on user authentication techniques, secure session controls, and data validation and sanitization.
Engineering principles for secure systems should include the analysis of:
a) all the security measures required to protect information and systems against identified threats;
b) the ability of the security measures to prevent, detect or respond to security events;
c) specific security measures required for certain business processes (e.g. encryption of sensitive information, integrity checking and digital signing of information);
d) where and how the security measures should be applied (for example, by integrating them into the security architecture and technical infrastructure);
e) how the individual security measures (manual and automated) work together to produce an integrated set of security measures.
Security engineering principles should take into account:
a) the need for integration into a security architecture;
b) technical security infrastructure [e.g. public key infrastructure (PKI), identity and access management (IAM), data leakage prevention and dynamic access management];
c) the organization's ability to develop and maintain the selected technologies;
d) the cost, time and complexity of meeting security requirements;
e) existing good practices.
The engineering of secure systems should involve:
a) application of security architecture principles, such as "security by design", "defence in depth", "security by default", "default deny", "fail securely", "distrust input from external applications", "security in deployment", "assume breach", "least privilege", "usability and manageability" and "least functionality";
b) security-oriented design analysis to help identify information security vulnerabilities and to ensure that security controls are specified and meet security requirements;
c) documentation and formal acknowledgement of security measures that do not fully meet the requirements (e.g. due to higher-priority security requirements);
d) system hardening.
The organization should consider zero trust principles such as:
a) assume that the organization's information systems are already compromised and do not rely on network perimeter security alone;
b) use a "never trust, always verify" approach to access to information systems;
c) ensure that requests to information systems are end-to-end encrypted;
d) verify every request to an information system as if it came from an open external network, even if the request comes from inside the organization (i.e. do not automatically trust anything inside or outside its perimeters);
e) use least privilege and dynamic access control techniques (see 5.15, 5.18 and 8.2). This includes authenticating and authorizing information requests or queries to systems based on contextual information, such as authentication information (see 5.17), user identities (see 5.16), end-user device data and data classification (see 5.12);
f) always authenticate requestors and always validate authorization requests to information systems based on information including authentication information (see 5.17), user identities (see 5.16), end-user device data and data classification (see 5.12), e.g. by applying strong authentication (e.g. multi-factor, see 8.5).
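The following default-deny authorization check, added as an illustration and not taken from ISO/IEC 27002, puts items c) to f) into code: every request is evaluated on authentication strength, user identity and role, end-user device posture and data classification, while the network the request came from is recorded but never used to grant access. The classification labels, roles, grants and request fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Ordered classification levels (constructed labels; see 5.12).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Least privilege: a grant (action, level) covers that action on any resource
# classified at that level or below. Roles and grants are constructed.
ROLE_GRANTS = {
    "analyst": {("read", "confidential")},
    "finance": {("read", "confidential"), ("write", "confidential")},
    "admin": {("read", "secret"), ("write", "secret")},
}


@dataclass(frozen=True)
class Request:
    user_id: str                 # user identity (see 5.16)
    auth_level: str              # "none", "password" or "mfa" (see 5.17, 8.5)
    device_managed: bool         # end-user device posture
    encrypted_channel: bool      # request arrived over end-to-end encryption
    source_network: str          # "internal" or "external": recorded, never trusted
    roles: FrozenSet[str]
    action: str                  # "read" or "write"
    resource_classification: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def max_granted_rank(roles: FrozenSet[str], action: str) -> int:
    """Highest classification rank on which any of the roles may perform `action`."""
    ranks = [CLASSIFICATION_RANK[level]
             for role in roles
             for granted_action, level in ROLE_GRANTS.get(role, ())
             if granted_action == action]
    return max(ranks, default=-1)


def authorize(req: Request) -> Decision:
    """Default deny: the request is allowed only if no check records a reason."""
    reasons: List[str] = []
    rank = CLASSIFICATION_RANK.get(req.resource_classification)
    if rank is None:
        return Decision(False, ["unknown classification"])
    # Item c): requests must be end-to-end encrypted.
    if not req.encrypted_channel:
        reasons.append("channel is not end-to-end encrypted")
    # Item f): always authenticate; required strength scales with classification.
    if req.auth_level == "none":
        reasons.append("requestor not authenticated")
    elif rank >= CLASSIFICATION_RANK["confidential"] and req.auth_level != "mfa":
        reasons.append("multi-factor authentication required for this classification")
    # Device posture: confidential data and above only from managed devices.
    if rank >= CLASSIFICATION_RANK["confidential"] and not req.device_managed:
        reasons.append("unmanaged end-user device")
    # Item e): least privilege by role and classification.
    if rank > max_granted_rank(req.roles, req.action):
        reasons.append(f"no role grants '{req.action}' at '{req.resource_classification}'")
    # Item d): req.source_network is deliberately not consulted; an internal
    # origin earns no trust.
    return Decision(allowed=not reasons, reasons=reasons)


def sample_decisions() -> dict:
    """Constructed requests showing that origin inside the perimeter does not help."""
    base = dict(user_id="u-42", roles=frozenset({"analyst"}), action="read",
                resource_classification="confidential", encrypted_channel=True)
    return {
        "internal_password_only": authorize(Request(auth_level="password", device_managed=True,
                                                    source_network="internal", **base)),
        "external_mfa_managed": authorize(Request(auth_level="mfa", device_managed=True,
                                                  source_network="external", **base)),
        "external_mfa_unmanaged": authorize(Request(auth_level="mfa", device_managed=False,
                                                    source_network="external", **base)),
    }
```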
Established security engineering principles should be applied, where possible, to the outsourced
development of information systems through contracts and other enforceable agreements between the
organization and the vendor to whom the organization is outsourcing the development. The organization
should ensure that the vendor's security engineering practices are aligned with the organization's needs.
Security engineering principles and established engineering procedures should be reviewed regularly to ensure that they contribute effectively to improving security levels in the engineering process. They should also be reviewed regularly to ensure that they remain up to date against possible new threats and remain applicable to technological advances and the solutions in use.
Additional Information
Security engineering principles can be applied to the design or configuration of a range of techniques, such as:
— fault tolerance and other resilience techniques;
— partitioning (e.g. through virtualization or containerization);
— inviolability (tamper resistance).
Secure virtualization techniques can be used to avoid interference between applications running on the same physical device. If a virtual instance of an application is compromised by an attacker, only that instance is affected. The attack has no effect on other applications or data.
Tamper-evident techniques can be used to detect tampering with information containers, both physical (e.g. tamper alarm) and logical (e.g. data file). A feature of these techniques is that there is a record of the attempt to tamper with the container. Additionally, the security measure may prevent the successful extraction of the data by destroying it (for example, a device's memory may be erased).
8.28 Secure Coding
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_Security
Security domains: #Protection #System_and_network_security
Security measure
Secure coding principles should be applied to software development.
Objective
Ensure that software is developed in a secure manner to reduce the number of possible information
security vulnerabilities in software.
Recommendations
General
Organization-wide processes should be defined to ensure good governance of secure coding. A minimum
secure baseline should be established and enforced. Additionally, these processes and governance should
be extended to cover software components from third parties and open source software.
The organization should monitor real-world threats and up-to-date guidance, as well as information on
software vulnerabilities, to guide the organization's secure coding principles through continuous
improvement and learning. This can help ensure that effective secure coding practices are implemented to
combat the rapidly changing threat landscape.
Coding planning and prerequisites
Secure coding principles should be used for both new development and reuse cases. These principles
should be applied to development activities both within the organization and to products and services
provided by the organization to third parties. Planning and prerequisites before coding should include:
a) organization-specific approved expectations and principles for secure coding, applying to both in-house and outsourced code development;
b) current and historical coding practices and coding flaws that lead to information security vulnerabilities;
c) configuration of development tools, such as integrated development environments (IDEs), to support the creation of secure code;
d) following the recommendations issued by the suppliers of development tools and execution environments, where applicable;
e) maintenance and use of updated development tools (e.g. compilers);
f) qualification of developers in writing secure code;
g) secure design and architecture, including threat modelling;
h) secure coding standards and, where necessary, the obligation to use them;
i) the use of controlled environments for development.
During coding
The following should be considered during coding:
a) secure coding practices specific to the programming languages and techniques used;
b) the use of secure programming techniques, such as pair programming, refactoring, peer review, security iterations and test-driven development;
c) the use of structured programming techniques;
d) documentation of code and elimination of programming defects that may allow the exploitation of information security vulnerabilities;
e) prohibiting the use of insecure design techniques (e.g. the use of hard-coded passwords, unapproved code samples and unauthenticated web services).
Testing should be performed during and after development (see 8.29). Static application security testing (SAST) processes identify software security vulnerabilities.
Before any software becomes operational, the following should be assessed:
a) the attack surface and the principle of least privilege;
b) an analysis of the most common programming errors and documentation of their mitigation.
Review and maintenance
After the code has become operational:
a) updates should be packaged and deployed securely;
b) reported information security vulnerabilities should be addressed (see 8.8);
c) errors and suspected attacks should be logged, and the logs reviewed regularly so that the code can be adjusted if needed;
d) the source code should be protected against unauthorized access and alteration (e.g. by using configuration management tools, which usually include functions such as access control and version control).
When using external tools and libraries, the organization should consider the following:
a) ensuring that external libraries are managed (e.g. maintaining an inventory of the libraries used and their versions) and regularly updated with release cycles;
b) selection, authorization and reuse of verified components, in particular authentication and cryptographic components;
c) licences, security and history of external components;
d) ensuring that software is maintained and tracked and comes from reliable and reputable sources;
e) sufficient long-term availability of development resources and artefacts.
When a software package needs to be modified, the following points should be considered:
a) the risk that built-in controls and integrity processes are compromised;
b) whether the supplier's consent needs to be obtained;
c) the possibility of obtaining the necessary changes from the supplier as standard program updates;
d) the consequences if the organization becomes responsible for the future maintenance of the software as a result of the changes;
e) compatibility with other software in use.
Additional Information
A fundamental principle is to ensure that security-related code is invoked when needed and that it is tamper-resistant. Programs installed from compiled binary code also have these properties, but only for data held by the application. For interpreted languages, the concept only works when the code is executed on a server that is otherwise inaccessible to the users and processes that use it, and whose data is kept in a database with similar protection. For example, interpreted code may run in a cloud service where access to the code itself requires administrator privileges.
Administrator access should be protected by security mechanisms such as just-in-time administration principles and strong authentication. If the application owner can access the scripts through direct remote access to the server, then in principle an attacker can do the same. In these cases, web servers should be configured to prevent directory browsing.
Application code is best designed with the assumption that it is always under attack, whether through errors or malicious actions. Additionally, critical applications can be designed to be internally fault tolerant. For example, the output of a complex algorithm can be checked to ensure that it is within safe limits before it is used in an application such as a safety-critical or financially critical one. The code that performs the bounds checking is simple, and it is therefore much easier to prove its correctness.
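An added illustration of the bounds-checking idea above (not from ISO/IEC 27002): a stand-in for a complex financial calculation whose result is only used after a small, easily verified guard has accepted it. It also shows the one way such a guard is commonly written wrongly: comparisons with NaN are always false, so a check phrased as "reject if below or above the limit" silently lets NaN through. The calculation, its limits and the input values are constructed.

```python
import math

# Safe operating range for the quantity the algorithm produces (constructed).
MIN_SAFE, MAX_SAFE = 0.0, 500.0


class UnsafeOutput(Exception):
    """Raised when a result is rejected, so the caller can fail securely."""


def settlement_amount(principal: float, quoted_rate: str, periods: int) -> float:
    """Stand-in for a large, hard-to-verify calculation. It takes the rate as
    text from an upstream feed, and float() silently accepts "nan" and "inf"."""
    rate = float(quoted_rate)
    return principal * (1.0 + rate) ** periods


def naive_within_limits(value: float) -> bool:
    """Looks correct, but every comparison with NaN is False, so NaN is never
    rejected and would flow into the application."""
    return not (value < MIN_SAFE or value > MAX_SAFE)


def within_limits(value: float) -> bool:
    """The guard that is small enough to reason about completely: the value
    must be a real, finite number inside the range. Each clause is necessary."""
    return (isinstance(value, float)
            and math.isfinite(value)
            and MIN_SAFE <= value <= MAX_SAFE)


def guarded_settlement(principal: float, quoted_rate: str, periods: int) -> float:
    """Use the complex result only after the simple guard has accepted it."""
    value = settlement_amount(principal, quoted_rate, periods)
    if not within_limits(value):
        # Fail securely: refuse to proceed rather than use a suspect value.
        raise UnsafeOutput(f"result {value!r} outside safe limits "
                           f"[{MIN_SAFE}, {MAX_SAFE}]")
    return value
```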
Some web applications are subject to a set of vulnerabilities introduced by weaknesses in design and coding, such as database injection attacks and cross-site scripting (XSS) attacks. In these attacks, requests can be manipulated to misuse web server functionality.
More information on ICT security assessment is available in the ISO/IEC 15408 series.
8.29 Security testing in development and acceptance
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Application_Security #Information_Security_Assurance
Security domains: #Protection #System_and_network_security
Security measure
Processes for security testing should be defined and implemented during the development lifecycle.
Objective
Validate compliance with information security requirements when applications or code are deployed in the environment.
Recommendations
New information systems, upgrades and releases should be thoroughly tested and verified during development processes. Security
testing should be an integral part of system or component testing.
Security testing should be conducted against a set of requirements that can be expressed as functional or non-functional. Security testing should include testing of:
a) security features [e.g. user authentication (see 8.5), access restrictions (see 8.3) and use of cryptography (see 8.24)];
b) secure coding (see 8.28);
c) secure configurations (see 8.9, 8.20 and 8.22), including those of operating systems, firewalls and other security components.
Test plans should be determined based on a set of criteria. The scope of the tests should be proportional
to the importance, the nature of the system and the potential impact of the change introduced. The test
plan should include:
a) a detailed program of activities and tests;
b) input data and expected output data under a set of conditions;
c) the criteria for evaluating the results;
d) the decision to take further action, if necessary.
The organization can take advantage of automated tools, such as code analysis tools or vulnerability scanners, and should verify that the security flaws found are corrected.
In the case of developments carried out internally in the organization, these tests should first be carried
out by the development team. Independent acceptance testing should then be performed to ensure that
the system operates as intended and only as intended (see 5.8). The following should be considered:
a) performing code analysis as an important element of testing for security vulnerabilities, including the handling of input data and unanticipated conditions;
b) performing vulnerability scanning to identify insecure configurations and system vulnerabilities;
c) performing penetration testing to identify insecure code and design.
In the case of outsourced developments and the purchase of components, an acquisition process
should be followed. Contracts with the supplier should address the identified security requirements (see
5.20). Products and services should be assessed against these criteria prior to acquisition.
Testing should be performed in a test environment that resembles the target operational environment as closely as possible, to ensure that the system does not introduce vulnerabilities into the organization's environment and that the tests are reliable (see 8.31).
Additional Information
Multiple test environments can be set up and used for different types of testing (e.g. functional and performance testing). These different environments can be virtual, with individual configurations to simulate multiple operational environments.
Testing and monitoring of the test environments, tools and technologies themselves also need to be considered to ensure effective testing. The same applies to the monitoring systems deployed in development, test and operational settings. Judgement based on the sensitivity of the systems and data is needed to determine how many layers of meta-testing are required.
8.30 Outsourced development
Type of security measure: #Preventive #Detective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Detect
Operational capabilities: #System_and_network_security #Application_Security #Supplier_relationships_security
Security domains: #Governance_and_Ecosystem #Protection
Security measure
The organization should direct, control and verify activities relating to outsourced systems development.
Objective
Ensure that the information security measures required by the organization are implemented as part of the
outsourced development of systems.
Recommendations
When systems development is outsourced, the organization should communicate and agree on requirements
and expectations, and continuously monitor and verify whether the delivery of outsourced work meets those
expectations. Consideration should be given to the following throughout the organization's external supply
chain:
a) licence agreements, code ownership and intellectual property rights relating to the outsourced content (see 5.32);
b) contractual requirements for secure design, coding and testing practices (see 8.25 to 8.29);
c) providing threat models for consideration by external developers;
d) acceptance testing to ensure the quality and accuracy of deliverables (see 8.29);
e) provision of evidence to show that minimum acceptable levels of security and of privacy protection are in place (e.g. assurance reports);
f) provision of evidence that sufficient testing has been performed to protect against the presence of malicious content (intentional or unintentional) at delivery;
g) provision of evidence that sufficient testing has been performed to protect against the presence of known vulnerabilities;
h) escrow agreements regarding the source code of the software (for example, if the supplier ceases its activity);
i) the contractual right to audit development processes and controls;
j) security requirements for the development environment (see 8.31);
k) taking into account the applicable legislation (for example, on the protection of personal data).
Additional Information
More information on supplier relationships is available in the ISO/IEC 27036 series.
8.31 Separation of development, test and operational environments
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_Security
Security domains: #Protection #System_and_network_security
Security measure
Development, test, and operational environments should be separated and secured.
Objective
Protect the operating environment and related data from compromises that may arise from development
and testing activities.
Recommendations
The level of separation needed between development, test, and operational environments should be
determined and implemented to prevent operational issues.
Consideration should be given to the following:
a) adequately separate development and production systems and operate them in different domains (e.g. in separate physical or virtual environments);
b) define, document and implement rules and permissions for the deployment of software from development to production;
c) test changes to operational systems and applications in a test or simulation environment before applying them to operational systems (see 8.29);
d) not perform testing in operational environments except in defined and approved circumstances;
e) make compilers, editors and other development tools or system utilities inaccessible from operational systems when not needed;
f) display appropriate environment identification labels in menus to reduce the risk of error;
g) not copy sensitive information into development and test system environments unless equivalent security measures are in place for the development and test systems.
In all cases, the development and test environments should be protected by taking into consideration:
a) the application of patches and updates to all development, integration and test tools (including
generators, integrators, compilers, configuration systems and libraries);
b) secure configuration of systems and software;
c) control of access to environments;
d) monitoring changes to the environment and the code therein;
e) secure monitoring of environments;
f) environment backups.
A single person should not have the ability to make development and production changes without prior
verification and approval. This can be achieved, for example, through the separation of access rights or
through rules subject to monitoring. In exceptional situations, additional measures such as detailed
logging and real-time monitoring should be implemented to detect and act on unauthorized changes.
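An added illustration of the rule in the paragraph above (not from ISO/IEC 27002): a promotion check for moving a change from development to production that accepts only an approval from someone other than the author and for the exact revision being shipped, and that records an audit entry in every case, including the exceptional path. The record layout and the sample identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    revision: str          # exact code revision to be promoted to production


@dataclass(frozen=True)
class Approval:
    change_id: str
    approver: str
    revision: str          # revision the approver actually reviewed


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: Dict = field(default_factory=dict)   # recorded whatever the outcome


def promotion_decision(change: Change, approvals: List[Approval],
                       deployer: str, emergency: bool = False) -> Decision:
    """Allow promotion only with an approval that is (1) for this change,
    (2) for this exact revision and (3) from someone other than the author.
    Self-approvals and approvals of an earlier revision are ignored."""
    audit = {"change": change.change_id, "revision": change.revision,
             "author": change.author, "deployer": deployer, "emergency": emergency}
    independent = sorted({a.approver for a in approvals
                          if a.change_id == change.change_id
                          and a.revision == change.revision
                          and a.approver != change.author})
    audit["independent_approvers"] = independent
    if independent:
        return Decision(True, "independently approved revision", audit)
    if emergency:
        # Exceptional situation: permitted, but flagged so that detailed
        # logging and a retrospective review are triggered.
        audit["requires_retrospective_review"] = True
        return Decision(True, "emergency promotion without prior approval", audit)
    return Decision(False, "no independent approval for this exact revision", audit)
```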
Additional Information
Without adequate measures and procedures, developers and testers with access to production systems
can introduce significant risks (for example, unwanted modification of files or the system environment,
failure of the system, execution of unauthorized and untested code in production systems, disclosure of
confidential data, data integrity and availability issues). It is necessary to maintain a stable and known
environment in which significant testing is performed and to prevent inappropriate developer access to
the production environment.
Policies and procedures include carefully assigned functions along with the implementation of segregation
of duties requirements and the establishment of adequate monitoring processes.
Development and testing personnel also pose a threat to the confidentiality of operational information.
Development and testing activities may result in unintended changes to software or information if they
share the same computing environment. Separation of development, test, and operational environments
is therefore desirable to reduce the risk of accidental changes or unauthorized access to production
software and operational data (see 8.33 for protection of test information).
In some cases, the distinction between development, test and production environments may be deliberately blurred, and testing may then be conducted in a development environment or through controlled deployments to users or live servers (e.g. a small number of pilot users). In some cases, product testing may take place while the product is being used in operational mode within the organization.
Additionally, to reduce downtime in production deployments, two identical production environments can
be supported, only one of which is operational at any given time.
Support processes for using production data in development and test environments (8.33) are required.
Organizations may also want to consider the guidelines given in this section for training environments
when conducting training for end users.
8.32 Change Management
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #Application_Security
Security domains: #Protection #System_and_network_security
Security measure
Changes to information processing facilities and information systems should be subject to change
management procedures.
Objective
Preserve information security when executing changes.
Recommendations
The introduction of new systems and major changes to existing systems should follow agreed rules and
a formal process of documentation, specification, testing, quality control and managed implementation.
Management responsibilities and procedures should be in place to ensure satisfactory control of all
changes.
Change control procedures should be documented and implemented to ensure the confidentiality,
integrity and availability of information in information processing facilities and information systems during
the life cycle of development of the entire system, from the initial design stages to subsequent
maintenance activities.
If possible, change control procedures for ICT infrastructure and software should be integrated.
Change control procedures should include:
a) planning and assessment of the potential impacts of changes, taking into account all dependencies;
b) authorization of changes;
c) communicating changes to relevant interested parties;
d) testing and acceptance testing of changes (see 8.29);
e) implementation of changes, including deployment plans;
f) emergency and back-up considerations, including fallback procedures;
g) maintaining up-to-date records of changes, which include all of the above;
h) ensuring that operating documentation (see 5.37) and user procedures are modified as necessary to remain appropriate;
i) ensuring that ICT continuity plans and response and recovery procedures (see 5.30) are modified as necessary to remain appropriate.
Additional Information
Inadequate control of changes to information processing facilities and information systems is a common
cause of system or security failures.
Changes to the operational environment, particularly when moving software from the development
environment to the operational environment, can impact the integrity and availability of applications.
Software changes can impact the operating environment and vice versa.
It is good practice, among other things, to test ICT components in an environment separate from the
operational and development environments (see 8.31). This provides a way to maintain control of new
software and add additional protections to operational information used for testing purposes. This should
include software patches, service packs and other updates.
The operating environment includes operating systems, databases, and middleware platforms. The
security measure should apply to changes to applications and infrastructure.
8.33 Test information
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity
Cybersecurity concepts: #Protect
Operational capabilities: #Protection_of_information
Security domains: #Protection
Security measure
Test information should be appropriately selected, protected and managed.
Objective
Ensure the relevance of the tests and the protection of the operational information used for the tests.
Recommendations
Test information should be selected to ensure the reliability of test results and the confidentiality of
associated operational information. Sensitive information (including personal data) should not be copied
to development and test environments (see 8.31).
The following recommendations should be applied to protect copies of operational information when they are used for testing purposes, whether the test environment is hosted within the organization or in a cloud environment:
a) apply the same access control procedures to the test environments as to the
operating environments;
b) obtain a separate authorization each time operational information is copied into a test environment;
c) log the copying and use of operational information, to ensure a system of
traceability;
d) protect sensitive information by deleting or masking it (see 8.11) if used for testing purposes;
e) properly remove (see 8.10) operational information from the test environment immediately upon
completion of testing to prevent unauthorized use of test information.
Test information should be stored securely (to prevent tampering that may lead to invalid results) and
used only for testing purposes.
Additional Information
Systems and acceptance testing can require large volumes of test information that is as close to
operational information as possible.
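As an added illustration of recommendations b) to e) above (not text or code from ISO/IEC 27002), the following Python script masks a constructed customer extract before it leaves the operational environment, records who authorised the copy and what was masked, and verifies that no original sensitive value survives in what is handed to the test environment. The column names, the masking policy, the keyed-hash pseudonymisation and the audit-record layout are assumptions made for illustration.

```python
"""Masking operational data before it is copied into a test environment.

Added example, not text or code from ISO/IEC 27002: it applies 8.33 b) to e)
to a constructed customer extract. The column names, the masking policy, the
keyed-hash pseudonymisation and the audit-record format are assumptions.
"""
import csv
import hashlib
import hmac
import io
from datetime import datetime, timezone

# Constructed sample of "operational" records (not real people or accounts).
PRODUCTION_EXTRACT = """customer_id,full_name,email,iban,plan,last_login
1001,Alice Martin,alice.martin@example.org,FR7630006000011234567890189,gold,2023-01-11
1002,Bob Dupont,bob.dupont@example.org,FR7630006000019876543210135,free,2023-01-09
"""

# Masking policy (assumed): "hash" keeps the column usable as a join key
# (same input -> same token) without exposing it; "redact" drops the value.
# Columns not listed are kept because tests need realistic non-sensitive data.
MASK_POLICY = {"full_name": "redact", "email": "hash", "iban": "redact"}


def parse_rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def pseudonymise(value: str, key: bytes) -> str:
    # Keyed (HMAC) rather than plain hashing, so a tester holding the test
    # data cannot recover values by hashing guessed e-mail addresses.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_row(row: dict, key: bytes) -> dict:
    masked = dict(row)
    for column, action in MASK_POLICY.items():
        if column not in masked:
            # Fail closed: an unexpected schema must not let sensitive data through.
            raise KeyError(f"masking policy names unknown column {column!r}")
        if action == "hash":
            masked[column] = pseudonymise(masked[column], key)
        elif action == "redact":
            masked[column] = "<redacted>"
        else:
            raise ValueError(f"unknown masking action {action!r}")
    return masked


def mask_extract(csv_text: str, key: bytes) -> str:
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [], lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(mask_row(row, key))
    return out.getvalue()


def copy_to_test(csv_text: str, key: bytes, authorised_by: str, ticket: str) -> tuple[str, dict]:
    """Return the masked extract and an audit record of the copy (8.33 b) and c))."""
    masked = mask_extract(csv_text, key)
    record = {
        "event": "operational_data_copied_to_test",
        "when": datetime.now(timezone.utc).isoformat(),
        "authorised_by": authorised_by,  # the per-copy authorisation of 8.33 b)
        "ticket": ticket,
        "source_sha256": hashlib.sha256(csv_text.encode()).hexdigest(),
        "masked_sha256": hashlib.sha256(masked.encode()).hexdigest(),
        "masked_columns": sorted(MASK_POLICY),
        "rows": len(parse_rows(masked)),
    }
    return masked, record


def leaks_sensitive(masked_csv: str, original_csv: str) -> list[str]:
    """Check before release to test: no original sensitive value may survive."""
    leaked = []
    for row in parse_rows(original_csv):
        for column in MASK_POLICY:
            if row[column] and row[column] in masked_csv:
                leaked.append(f"{column}={row[column]}")
    return leaked
```

The HMAC key should live with the operational data owner, not in the test environment; the masked extract is then useful for joins across tables but gives a tester no way back to the real e-mail addresses. The audit record is what satisfies recommendation c); the `leaks_sensitive` check is the gate before the copy is released.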
8.34 Protection of information systems during audit testing
Type of security measure: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Protect
Operational capabilities: #System_and_network_security #Information_protection
Security domains: #Governance_and_Ecosystem #Protection
Security measure
Audit testing and other assurance activities involving the evaluation of operational systems should be
planned and agreed between the tester and the appropriate level of management.
Objective
Minimize the impact of audit and other assurance activities on operational systems and business
processes.
Recommendations
The following guidelines should be considered:
a) agree requests for audit access to systems and data with the appropriate level of management;
b) agree and control the scope of technical audit tests;
c) limit audit tests to read-only access to software and data. If read-only access does not yield the necessary information, have the test carried out on the auditor's behalf by an experienced administrator who holds the necessary access rights;
d) if access is granted, establish and verify the security requirements (e.g. anti-virus and patching) of the endpoints used to access the systems (e.g. laptops or tablets) before permitting access;
e) allow access other than read-only only to isolated copies of system files. Delete them when the audit is complete, or protect them appropriately if the audit's documentation requirements oblige the organization to keep such files;
f) identify and agree requests for special or additional processing, such as running audit tools;
g) run audit tests that can affect system availability outside business hours;
h) monitor and log all access for audit and testing purposes.
Additional Information
Audit testing and other assurance activities may also take place on development and test systems, where such
testing may impact, for example, code integrity or lead to the disclosure of sensitive information held in these
environments.
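The following Python example is added here and is not part of ISO/IEC 27002. It shows guidelines c), e) and h) applied to a database audit: the tester receives a connection that the database engine itself opens read-only, on an isolated copy that is deleted when the session ends, and every statement is logged against the auditor's identity. SQLite is used so that it runs stand-alone; the schema, the rows and the "unapproved payments" audit query are constructed for illustration.

```python
"""Read-only, logged auditor access to an isolated copy (8.34 c), e) and h)).

Added example, not from ISO/IEC 27002: the audit tester gets a connection
that SQLite opens read-only, every statement issued through it is recorded,
and the copy is deleted when the session ends. Schema, rows and the audit
query are constructed for illustration.
"""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone


def build_operational_db(path: str) -> None:
    """Constructed stand-in for an operational system (not real data)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE payments(
            id INTEGER PRIMARY KEY, account TEXT, amount REAL, approved_by TEXT);
        INSERT INTO payments VALUES (1, 'ACC-001', 120.50, 'j.doe');
        INSERT INTO payments VALUES (2, 'ACC-002', 9800.00, NULL);
        INSERT INTO payments VALUES (3, 'ACC-003', 45.00, 'm.lee');
    """)
    con.commit()
    con.close()


def isolated_copy(operational_path: str, workdir: str) -> str:
    """8.34 e): the auditor works on a copy, never on the live system file."""
    copy_path = os.path.join(workdir, "audit_copy.db")
    shutil.copyfile(operational_path, copy_path)
    return copy_path


class AuditSession:
    """Read-only connection whose every statement is logged with the auditor's identity."""

    def __init__(self, db_path: str, auditor: str):
        self.auditor = auditor
        self.log: list[dict] = []
        # mode=ro: writes are refused by SQLite, not merely by agreement
        # (uri=True enables the file: URI syntax that carries the option).
        self.con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
        # 8.34 h): record each statement as it runs.
        self.con.set_trace_callback(self._record)

    def _record(self, statement: str) -> None:
        self.log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "auditor": self.auditor,
            "statement": statement,
        })

    def query(self, sql: str, params: tuple = ()) -> list[tuple]:
        return self.con.execute(sql, params).fetchall()

    def close(self) -> None:
        self.con.close()


def run_audit(operational_path: str, auditor: str) -> dict:
    """Audit test on an isolated copy: findings, whether a write was refused, access log."""
    workdir = tempfile.mkdtemp(prefix="audit-")
    session = AuditSession(isolated_copy(operational_path, workdir), auditor)
    try:
        findings = session.query(
            "SELECT id, account, amount FROM payments WHERE approved_by IS NULL")
        # A write attempt (e.g. a mis-scripted audit tool) must fail at the engine.
        write_refused = False
        try:
            session.query("DELETE FROM payments WHERE id = ?", (2,))
        except sqlite3.OperationalError:
            write_refused = True
        return {"findings": findings, "write_refused": write_refused, "log": list(session.log)}
    finally:
        session.close()
        shutil.rmtree(workdir)  # 8.34 e): delete the copy once the audit is complete


def demo() -> dict:
    """Build the constructed operational database, run the audit, clean up."""
    workdir = tempfile.mkdtemp(prefix="ops-")
    try:
        ops_path = os.path.join(workdir, "operational.db")
        build_operational_db(ops_path)
        return run_audit(ops_path, auditor="external-auditor-1")
    finally:
        shutil.rmtree(workdir)
```

On a production database server the equivalent of `mode=ro` is a dedicated read-only role granted to the auditor account, with statement logging enabled for that role; the point of the example is that read-only is enforced by the engine and evidenced by the log, not promised by the tester.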
Annex A (informative)
Using attributes
A.1 General
This annex provides a table to show the use of attributes as a means of creating different views of security measures. The five example attributes are (see 4.2):
a) Type of security measure (#Preventive, #Detective, #Corrective)
b) Information security properties (#Confidentiality, #Integrity, #Availability)
c) Cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover)
d) Operational capabilities (#Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance)
e) Security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience)
Table A.1 contains a matrix of all the security measures in this document together with their attribute values. The matrix can be filtered or sorted with a tool such as a simple spreadsheet or database, which can also hold further information such as the security measure text, the guidance, or organization-specific attributes (see A.2).
Table A.1 — Matrix of security measures and attribute values

Identifier | Security measure name | Type of security measure | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
5.1 | Policies for information security | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance_and_Ecosystem #Resilience
5.2 | Information security roles and responsibilities | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance_and_Ecosystem #Protection #Resilience
5.3 | Segregation of duties | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Governance #Identity_and_access_management | #Governance_and_Ecosystem
5.4 | Management responsibilities | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance_and_Ecosystem
5.5 | Contact with authorities | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect #Respond #Recover | #Governance | #Defence #Resilience
5.6 | Contact with special interest groups | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond #Recover | #Governance | #Defence
5.7 | Threat intelligence | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Identify #Detect #Respond | #Threat_and_vulnerability_management | #Defence #Resilience
5.8 | Information security in project management | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Governance | #Governance_and_Ecosystem #Protection
5.9 | Inventory of information and other associated assets | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Asset_management | #Governance_and_Ecosystem #Protection
5.10 | Acceptable use of information and other associated assets | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Governance_and_Ecosystem #Protection
5.11 | Return of assets | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management | #Protection
5.12 | Classification of information | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Information_protection | #Protection #Defence
5.13 | Labelling of information | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Information_protection | #Defence #Protection
5.14 | Information transfer | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection
5.15 | Access control | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
5.16 | Identity management | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
5.17 | Authentication information | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
5.18 | Access rights | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
5.19 | Information security in supplier relationships | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Supplier_relationships_security | #Governance_and_Ecosystem #Protection
5.20 | Addressing information security within supplier agreements | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Supplier_relationships_security | #Governance_and_Ecosystem #Protection
5.21 | Managing information security in the ICT supply chain | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Supplier_relationships_security | #Governance_and_Ecosystem #Protection
5.22 | Monitoring, review and change management of supplier services | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Supplier_relationships_security #Information_security_assurance | #Governance_and_Ecosystem #Protection #Defence
5.23 | Information security for use of cloud services | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Supplier_relationships_security | #Governance_and_Ecosystem #Protection
5.24 | Information security incident management planning and preparation | #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Governance #Information_security_event_management | #Defence
5.25 | Assessment and decision on information security events | #Detective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence
5.26 | Response to information security incidents | #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Information_security_event_management | #Defence
5.27 | Learning from information security incidents | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_security_event_management | #Defence
5.28 | Collection of evidence | #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence
5.29 | Information security during disruption | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Continuity | #Protection #Resilience
5.30 | ICT readiness for business continuity | #Corrective | #Availability | #Respond | #Continuity | #Resilience
5.31 | Legal, statutory, regulatory and contractual requirements | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Legal_and_compliance | #Governance_and_Ecosystem #Protection
5.32 | Intellectual property rights | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Legal_and_compliance | #Governance_and_Ecosystem
5.33 | Protection of records | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Asset_management #Information_protection | #Defence
5.34 | Privacy and protection of PII | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_protection #Legal_and_compliance | #Protection
5.35 | Independent review of information security | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_security_assurance | #Governance_and_Ecosystem
5.36 | Compliance with policies, rules and standards for information security | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Legal_and_compliance #Information_security_assurance | #Governance_and_Ecosystem
5.37 | Documented operating procedures | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Recover | #Asset_management #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Information_security_event_management | #Governance_and_Ecosystem #Protection #Defence
6.1 | Screening | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem
6.2 | Terms and conditions of employment | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem
6.3 | Information security awareness, education and training | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem
6.4 | Disciplinary process | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_resource_security | #Governance_and_Ecosystem
6.5 | Responsibilities after termination or change of employment | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security #Asset_management | #Governance_and_Ecosystem
6.6 | Confidentiality or non-disclosure agreements | #Preventive | #Confidentiality | #Protect | #Human_resource_security #Information_protection #Supplier_relationships_security | #Governance_and_Ecosystem
6.7 | Remote working | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection #Physical_security #System_and_network_security | #Protection
6.8 | Information security event reporting | #Detective | #Confidentiality #Integrity #Availability | #Detect | #Information_security_event_management | #Defence
7.1 | Physical security perimeters | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection
7.2 | Physical entry | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Identity_and_access_management | #Protection
7.3 | Securing offices, rooms and facilities | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection #Defence
7.4 | Physical security monitoring | #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #Physical_security | #Protection #Defence
7.5 | Protecting against physical and environmental threats | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection
7.6 | Working in secure areas | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security | #Protection
7.7 | Clear desk and clear screen | #Preventive | #Confidentiality | #Protect | #Physical_security | #Protection
7.8 | Equipment siting and protection | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection
7.9 | Security of assets off-premises | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection
7.10 | Storage media | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection
7.11 | Supporting utilities | #Preventive #Detective | #Integrity #Availability | #Protect #Detect | #Physical_security | #Protection
7.12 | Cabling security | #Preventive | #Confidentiality #Availability | #Protect | #Physical_security | #Protection
7.13 | Equipment maintenance | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Asset_management | #Protection #Resilience
7.14 | Secure disposal or re-use of equipment | #Preventive | #Confidentiality | #Protect | #Physical_security #Asset_management | #Protection
8.1 | User endpoint devices | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection
8.2 | Privileged access rights | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
8.3 | Information access restriction | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
8.4 | Access to source code | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management #Application_security #Secure_configuration | #Protection
8.5 | Secure authentication | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection
8.6 | Capacity management | #Preventive #Detective | #Integrity #Availability | #Identify #Protect #Detect | #Continuity | #Governance_and_Ecosystem #Protection
8.7 | Protection against malware | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Protect #Detect | #System_and_network_security #Information_protection | #Protection #Defence
8.8 | Management of technical vulnerabilities | #Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Threat_and_vulnerability_management | #Governance_and_Ecosystem #Protection #Defence
8.9 | Configuration management | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration | #Protection
8.10 | Information deletion | #Preventive | #Confidentiality | #Protect | #Information_protection | #Protection
8.11 | Data masking | #Preventive | #Confidentiality | #Protect | #Information_protection | #Protection
8.12 | Data leakage prevention | #Preventive #Detective | #Confidentiality | #Protect #Detect | #Information_protection | #Protection #Defence
8.13 | Information backup | #Corrective | #Integrity #Availability | #Recover | #Continuity | #Protection
8.14 | Redundancy of information processing facilities | #Preventive | #Availability | #Protect | #Continuity #Asset_management | #Protection #Resilience
8.15 | Logging | #Detective | #Confidentiality #Integrity #Availability | #Detect | #Information_security_event_management | #Protection #Defence
8.16 | Monitoring activities | #Detective #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence
8.17 | Clock synchronization | #Detective | #Integrity | #Protect #Detect | #Information_security_event_management | #Protection #Defence
8.18 | Use of privileged utility programs | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security #Secure_configuration #Application_security | #Protection
8.19 | Installation of software on operational systems | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration #Application_security | #Protection
8.20 | Networks security | #Preventive #Detective | #Confidentiality #Integrity #Availability | #Protect #Detect | #System_and_network_security | #Protection
8.21 | Security of network services | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection
8.22 | Segregation of networks | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection
8.23 | Web filtering | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security | #Protection
8.24 | Use of cryptography | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Secure_configuration | #Protection
8.25 | Secure development life cycle | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection
8.26 | Application security requirements | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection #Defence
8.27 | Secure system architecture and engineering principles | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection
8.28 | Secure coding | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection
8.29 | Security testing in development and acceptance | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Application_security #Information_security_assurance #System_and_network_security | #Protection
8.30 | Outsourced development | #Preventive #Detective | #Confidentiality #Integrity #Availability | #Identify #Protect #Detect | #System_and_network_security #Application_security #Supplier_relationships_security | #Governance_and_Ecosystem #Protection
8.31 | Separation of development, test and production environments | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection
8.32 | Change management | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection
8.33 | Test information | #Preventive | #Confidentiality #Integrity | #Protect | #Information_protection | #Protection
8.34 | Protection of information systems during audit testing | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System_and_network_security #Information_protection | #Governance_and_Ecosystem #Protection
Table A.2 shows an example of how to create a view by filtering on a particular attribute value, in this case #Corrective.
Table A.2 — View of the #Corrective security measures

Identifier | Security measure name | Type of security measure | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
5.5 | Contact with authorities | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect #Respond #Recover | #Governance | #Defence #Resilience
5.6 | Contact with special interest groups | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond #Recover | #Governance | #Defence
5.7 | Threat intelligence | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Identify #Detect #Respond | #Threat_and_vulnerability_management | #Defence #Resilience
5.24 | Information security incident management planning and preparation | #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Governance #Information_security_event_management | #Defence
5.26 | Response to information security incidents | #Corrective | #Confidentiality #Integrity #Availability | #Respond #Recover | #Information_security_event_management | #Defence
5.28 | Collection of evidence | #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence
5.29 | Information security during disruption | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Continuity | #Protection #Resilience
5.30 | ICT readiness for business continuity | #Corrective | #Availability | #Respond | #Continuity | #Resilience
5.35 | Independent review of information security | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Identify #Protect | #Information_security_assurance | #Governance_and_Ecosystem
5.37 | Documented operating procedures | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Recover | #Asset_management #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Information_security_event_management | #Governance_and_Ecosystem #Protection #Defence
6.4 | Disciplinary process | #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond | #Human_resource_security | #Governance_and_Ecosystem
8.7 | Protection against malware | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Protect #Detect | #System_and_network_security #Information_protection | #Protection #Defence
8.13 | Information backup | #Corrective | #Integrity #Availability | #Recover | #Continuity | #Protection
8.16 | Monitoring activities | #Detective #Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information_security_event_management | #Defence
A.2 Organizational views
Because attributes are used to create different views of security measures, organizations can disregard the example attributes given in this document and create their own attributes, with different values, to meet specific organizational needs. In addition, the values assigned to each attribute can differ from one organization to another, since organizations can hold different views on the use or applicability of a security measure, or on the values associated with an attribute (when those values are specific to the organization's context). The first step is to understand why an organization-specific attribute is desirable. For example, if an organization has developed its risk treatment plans [see ISO/IEC 27001:2013, 6.1.3 e)] on the basis of events, it can wish to associate a risk scenario attribute with each security measure in this document.
The benefit of such an attribute is to speed up the fulfilment of the ISO/IEC 27001 risk treatment requirement to compare the security measures determined through the risk treatment process (referred to as "necessary" security measures) with those of ISO/IEC 27001:2013, Annex A (which are derived from this document), in order to verify that no necessary security measure has been omitted.
Once the purpose and benefits are known, the next step is to determine the attribute values. For example, the organization might identify nine events:
1) loss or theft of a mobile device;
2) loss or theft on the organization's premises;
3) force majeure, vandalism and terrorism;
4) failure of software, hardware, power supply, Internet or communications;
5) fraud;
6) hacking;
7) disclosure;
8) breach of law;
9) social engineering.
The second step can therefore be carried out by assigning identifiers to each event (for example, E1,
E2, ..., E9).
The third step is to copy the security measure identifiers and names from this document into a spreadsheet or database and to associate the attribute values with each security measure, bearing in mind that a security measure can have several attribute values.
The last step is to sort the spreadsheet or query the database to extract the required information.
Other examples of organizational attributes (and possible values) are:
a) maturity (values from the ISO/IEC 33000 series or from other maturity models);
b) implementation status (to do, in progress, partially implemented, fully implemented);
c) priority (1, 2, 3, etc.);
d) organizational areas involved (security, ICT, human resources, top management, etc.);
e) events;
f) affected assets;
g) development and operation, to distinguish the security measures used at the different stages of the service life cycle;
h) other frameworks that the organization uses or to which it is subject.
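As an added example (not part of ISO/IEC 27002), the Python below carries out the steps of A.2 on a subset of Table A.1: it filters the matrix on an attribute value to produce a view such as Table A.2, attaches an organization-specific event attribute with the identifiers E1 to E9, and lists the events that no security measure is associated with, which is the omission check the text describes as the benefit of the attribute. The event-to-measure mapping in `demo()` is an assumption for illustration, not guidance from the standard.

```python
"""Attribute views of the security measure set, as described in A.1 and A.2.

Added example; not part of ISO/IEC 27002. A subset of Table A.1 rows is
modelled with their published attribute values; the event-to-measure mapping
used in demo() is an assumed illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Measure:
    identifier: str
    name: str
    # attribute name -> set of values; a measure can carry several values
    attributes: dict[str, set[str]] = field(default_factory=dict)


# Subset of Table A.1 (published values; column names abbreviated).
MATRIX = [
    Measure("5.7", "Threat intelligence", {
        "type": {"#Preventive", "#Detective", "#Corrective"},
        "concept": {"#Identify", "#Detect", "#Respond"},
        "domain": {"#Defence", "#Resilience"}}),
    Measure("5.24", "Information security incident management planning and preparation", {
        "type": {"#Corrective"},
        "concept": {"#Respond", "#Recover"},
        "domain": {"#Defence"}}),
    Measure("7.9", "Security of assets off-premises", {
        "type": {"#Preventive"},
        "concept": {"#Protect"},
        "domain": {"#Protection"}}),
    Measure("8.7", "Protection against malware", {
        "type": {"#Preventive", "#Detective", "#Corrective"},
        "concept": {"#Protect", "#Detect"},
        "domain": {"#Protection", "#Defence"}}),
    Measure("8.13", "Information backup", {
        "type": {"#Corrective"},
        "concept": {"#Recover"},
        "domain": {"#Protection"}}),
]

# Step 2 of A.2: identifiers for the organization's nine events.
EVENTS = {
    "E1": "loss or theft of a mobile device",
    "E2": "loss or theft on the organization's premises",
    "E3": "force majeure, vandalism and terrorism",
    "E4": "failure of software, hardware, power supply, Internet or communications",
    "E5": "fraud",
    "E6": "hacking",
    "E7": "disclosure",
    "E8": "breach of law",
    "E9": "social engineering",
}


def view(matrix: list[Measure], attribute: str, value: str) -> list[str]:
    """Last step / Table A.2: identifiers of measures carrying `value` for `attribute`."""
    return [m.identifier for m in matrix if value in m.attributes.get(attribute, set())]


def assign(matrix: list[Measure], attribute: str, mapping: dict[str, set[str]]) -> None:
    """Third step: attach organization-specific attribute values to measures."""
    by_id = {m.identifier: m for m in matrix}
    for identifier, values in mapping.items():
        if identifier not in by_id:
            raise KeyError(f"no measure {identifier} in the matrix")
        by_id[identifier].attributes.setdefault(attribute, set()).update(values)


def uncovered(matrix: list[Measure], attribute: str, expected: set[str]) -> set[str]:
    """Attribute values (e.g. events) that no measure is associated with.

    An empty result is the evidence that no necessary measure has been omitted.
    """
    covered: set[str] = set()
    for m in matrix:
        covered |= m.attributes.get(attribute, set())
    return expected - covered


def demo() -> dict:
    """Run the A.2 steps on the subset above with an assumed event mapping."""
    assign(MATRIX, "event", {
        "5.7": {"E6"},           # threat intelligence informs hacking scenarios
        "7.9": {"E1"},           # off-premises assets: device loss or theft
        "8.7": {"E6", "E9"},     # malware: hacking and social-engineering delivery
        "8.13": {"E3", "E4"},    # backups: disaster and failure scenarios
    })
    return {
        "corrective": view(MATRIX, "type", "#Corrective"),
        "hacking": view(MATRIX, "event", "E6"),
        "gaps": uncovered(MATRIX, "event", set(EVENTS)),
    }
```

With the full 93-row matrix loaded the same three functions give any view the organization needs; `uncovered` run over the "event" attribute is the spreadsheet sort the text describes, turned into a check that can be repeated after every change to the risk treatment plan.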
Annex B (informative)
Correspondence of ISO/IEC 27002:2022 (this document) with ISO/IEC 27002:2013
The purpose of this annex is to provide backward compatibility with ISO/IEC 27002:2013 for organizations that
currently use this standard and now wish to upgrade to the current edition.
Table B.1 provides the correspondence of the security measures given in Clauses 5 to 8 with those of ISO/IEC
27002:2013.
Table B.1 — Correspondence between the security measures of this document and the security measures of ISO/IEC 27002:2013

Identifier in ISO/IEC 27002:2022 | Identifier in ISO/IEC 27002:2013 | Security measure name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting
7.1 | 11.1.1 | Physical security perimeters
7.2 | 11.1.2, 11.1.6 | Physical entry
7.3 | 11.1.3 | Securing offices, rooms and facilities
7.4 | New | Physical security monitoring
7.5 | 11.1.4 | Protecting against physical and environmental threats
7.6 | 11.1.5 | Working in secure areas
7.7 | 11.2.9 | Clear desk and clear screen
7.8 | 11.2.1 | Equipment siting and protection
7.9 | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment
Table B.1 (continued)

Identifier in ISO/IEC 27002:2022 | Identifier in ISO/IEC 27002:2013 | Security measure name
--- | --- | ---
8.1 | 06.2.1, 11.2.8 | User endpoint devices
8.2 | 09.2.3 | Privileged access rights
8.3 | 09.4.1 | Information access restriction
8.4 | 09.4.5 | Access to source code
8.5 | 09.4.2 | Secure authentication
8.6 | 12.1.3 | Capacity management
8.7 | 12.2.1 | Protection against malware
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing
Table B.2 provides the correspondence of the security measures given in ISO/IEC 27002:2013 with those of this document.
Table B.2 — Correspondence between the security measures of ISO/IEC 27002:2013 and the security measures of this document

Identifier in ISO/IEC 27002:2013 | Identifier in ISO/IEC 27002:2022 | Security measure name according to ISO/IEC 27002:2013
--- | --- | ---
5 | | Information security policies
5.1 | | Management direction for information security
5.1.1 | 5.1 | Policies for information security
5.1.2 | 5.1 | Review of the policies for information security
6 | | Organization of information security
6.1 | | Internal organization
6.1.1 | 5.2 | Information security roles and responsibilities
6.1.2 | 5.3 | Segregation of duties
6.1.3 | 5.5 | Contact with authorities
6.1.4 | 5.6 | Contact with special interest groups
6.1.5 | 5.8 | Information security in project management
6.2 | | Mobile devices and teleworking
6.2.1 | 8.1 | Mobile device policy
6.2.2 | 6.7 | Teleworking
7 | | Human resource security
7.1 | | Prior to employment
7.1.1 | 6.1 | Screening
7.1.2 | 6.2 | Terms and conditions of employment
7.2 | | During employment
7.2.1 | 5.4 | Management responsibilities
7.2.2 | 6.3 | Information security awareness, education and training
7.2.3 | 6.4 | Disciplinary process
7.3 | | Termination and change of employment
7.3.1 | 6.5 | Termination or change of employment responsibilities
8 | | Asset management
8.1 | | Responsibility for assets
8.1.1 | 5.9 | Inventory of assets
8.1.2 | 5.9 | Ownership of assets
8.1.3 | 5.10 | Acceptable use of assets
8.1.4 | 5.11 | Return of assets
8.2 | | Information classification
8.2.1 | 5.12 | Classification of information
8.2.2 | 5.13 | Labelling of information
8.2.3 | 5.10 | Handling of assets
8.3 | | Media handling
8.3.1 | 7.10 | Management of removable media
8.3.2 | 7.10 | Disposal of media
8.3.3 | 7.10 | Physical media transfer
Table B.2 (continued)

Identifier in ISO/IEC 27002:2013 | Identifier in ISO/IEC 27002:2022 | Security measure name according to ISO/IEC 27002:2013
--- | --- | ---
9 | | Access control
9.1 | | Business requirements of access control
9.1.1 | 5.15 | Access control policy
9.1.2 | 5.15 | Access to networks and network services
9.2 | | User access management
9.2.1 | 5.16 | User registration and de-registration
9.2.2 | 5.18 | User access provisioning
9.2.3 | 8.2 | Management of privileged access rights
9.2.4 | 5.17 | Management of secret authentication information of users
9.2.5 | 5.18 | Review of user access rights
9.2.6 | 5.18 | Removal or adjustment of access rights
9.3 | | User responsibilities
9.3.1 | 5.17 | Use of secret authentication information
9.4 | | System and application access control
9.4.1 | 8.3 | Information access restriction
9.4.2 | 8.5 | Secure log-on procedures
9.4.3 | 5.17 | Password management system
9.4.4 | 8.18 | Use of privileged utility programs
9.4.5 | 8.4 | Access control to program source code
10 | | Cryptography
10.1 | | Cryptographic controls
10.1.1 | 8.24 | Policy on the use of cryptographic controls
10.1.2 | 8.24 | Key management
11 | | Physical and environmental security
11.1 | | Secure areas
11.1.1 | 7.1 | Physical security perimeter
11.1.2 | 7.2 | Physical entry controls
11.1.3 | 7.3 | Securing offices, rooms and facilities
11.1.4 | 7.5 | Protecting against external and environmental threats
11.1.5 | 7.6 | Working in secure areas
11.1.6 | 7.2 | Delivery and loading areas
11.2 | | Equipment
11.2.1 | 7.8 | Equipment siting and protection
11.2.2 | 7.11 | Supporting utilities
11.2.3 | 7.12 | Cabling security
11.2.4 | 7.13 | Equipment maintenance
11.2.5 | 7.10 | Removal of assets
11.2.6 | 7.9 | Security of equipment and assets off-premises
11.2.7 | 7.14 | Secure disposal or re-use of equipment
Table B.2 (continued)

Identifier in ISO/IEC 27002:2013 | Identifier in ISO/IEC 27002:2022 | Security measure name according to ISO/IEC 27002:2013
--- | --- | ---
11.2.8 | 8.1 | Unattended user equipment
11.2.9 | 7.7 | Clear desk and clear screen policy
12 | | Operations security
12.1 | | Operational procedures and responsibilities
12.1.1 | 5.37 | Documented operating procedures
12.1.2 | 8.32 | Change management
12.1.3 | 8.6 | Capacity management
12.1.4 | 8.31 | Separation of development, testing and operational environments
12.2 | | Protection from malware
12.2.1 | 8.7 | Controls against malware
12.3 | | Backup
12.3.1 | 8.13 | Information backup
12.4 | | Logging and monitoring
12.4.1 | 8.15 | Event logging
12.4.2 | 8.15 | Protection of log information
12.4.3 | 8.15 | Administrator and operator logs
12.4.4 | 8.17 | Clock synchronization
12.5 | | Control of operational software
12.5.1 | 8.19 | Installation of software on operational systems
12.6 | | Technical vulnerability management
12.6.1 | 8.8 | Management of technical vulnerabilities
12.6.2 | 8.19 | Restrictions on software installation
12.7 | | Information systems audit considerations
12.7.1 | 8.34 | Information systems audit controls
13 | | Communications security
13.1 | | Network security management
13.1.1 | 8.20 | Network controls
13.1.2 | 8.21 | Security of network services
13.1.3 | 8.22 | Segregation in networks
13.2 | | Information transfer
13.2.1 | 5.14 | Information transfer policies and procedures
13.2.2 | 5.14 | Agreements on information transfer
13.2.3 | 5.14 | Electronic messaging
13.2.4 | 6.6 | Confidentiality or non-disclosure agreements
14 | | System acquisition, development and maintenance
14.1 | | Security requirements of information systems
14.1.1 | 5.8 | Information security requirements analysis and specification
14.1.2 | 8.26 | Securing application services on public networks
14.1.3 | 8.26 | Protecting application services transactions
Table B.2 (continued)

Identifier in ISO/IEC 27002:2013 | Identifier in ISO/IEC 27002:2022 | Security measure name according to ISO/IEC 27002:2013
--- | --- | ---
14.2 | | Security in development and support processes
14.2.1 | 8.25 | Secure development policy
14.2.2 | 8.32 | System change control procedures
14.2.3 | 8.32 | Technical review of applications after operating platform changes
14.2.4 | 8.32 | Restrictions on changes to software packages
14.2.5 | 8.27 | Secure system engineering principles
14.2.6 | 8.31 | Secure development environment
14.2.7 | 8.30 | Outsourced development
14.2.8 | 8.29 | System security testing
14.2.9 | 8.29 | System acceptance testing
14.3 | | Test data
14.3.1 | 8.33 | Protection of test data
15 | | Supplier relationships
15.1 | | Information security in supplier relationships
15.1.1 | 5.19 | Information security policy for supplier relationships
15.1.2 | 5.20 | Addressing security within supplier agreements
15.1.3 | 5.21 | Information and communication technology supply chain
15.2 | | Supplier service delivery management
15.2.1 | 5.22 | Monitoring and review of supplier services
15.2.2 | 5.22 | Managing changes to supplier services
16 | | Information security incident management
16.1 | | Management of information security incidents and improvements
16.1.1 | 5.24 | Responsibilities and procedures
16.1.2 | 6.8 | Reporting information security events
16.1.3 | 6.8 | Reporting information security weaknesses
16.1.4 | 5.25 | Assessment of and decision on information security events
16.1.5 | 5.26 | Response to information security incidents
16.1.6 | 5.27 | Learning from information security incidents
16.1.7 | 5.28 | Collection of evidence
17 | | Information security aspects of business continuity management
17.1 | | Information security continuity
17.1.1 | 5.29 | Planning information security continuity
17.1.2 | 5.29 | Implementing information security continuity
17.1.3 | 5.29 | Verify, review and evaluate information security continuity
Table B.2 (continued)

Identifier in ISO/IEC 27002:2013 | Identifier in ISO/IEC 27002:2022 | Security measure name according to ISO/IEC 27002:2013
--- | --- | ---
17.2 | | Redundancies
17.2.1 | 8.14 | Availability of information processing facilities
18 | | Compliance
18.1 | | Compliance with legal and contractual requirements
18.1.1 | 5.31 | Identification of applicable legislation and contractual requirements
18.1.2 | 5.32 | Intellectual property rights
18.1.3 | 5.33 | Protection of records
18.1.4 | 5.34 | Privacy and protection of personally identifiable information
18.1.5 | 5.31 | Regulation of cryptographic controls
18.2 | | Information security reviews
18.2.1 | 5.35 | Independent review of information security
18.2.2 | 5.36 | Compliance with security policies and standards
18.2.3 | 5.36, 8.8 | Technical compliance review
ICS 35.030
Price based on 152 pages