
Summary of the 11 new controls introduced in ISO 27001

The 11 new controls in ISO 27001:2022, with the purpose, key points, audit procedures and expected audit questions for each:

1. Threat Intelligence (5.7)
Purpose: Proactively collect and analyze information about threats, vulnerabilities, and incidents to enhance decision-making and incident response.
Key Points:
• Implement processes for gathering, analyzing, and disseminating threat intelligence.
• Integrate threat intelligence into risk assessments and security controls.
• Use threat intelligence to inform incident response plans.
Procedures:
• Interview staff responsible for threat intelligence.
• Review threat intelligence policies and procedures.
• Examine evidence of threat intelligence gathering, analysis, and dissemination.
• Assess how threat intelligence is integrated into risk assessments and security controls.
• Review incident response plans for incorporation of threat intelligence.

2. Information Security for Use of Cloud Services (5.23)
Purpose: Address the security risks and challenges associated with cloud services.
Key Points:
• Establish policies and procedures for secure cloud service usage.
• Conduct risk assessments for cloud service providers.
• Implement appropriate security controls for cloud-based data and systems.
Procedures:
• Review policies and procedures for cloud service usage.
• Examine risk assessments for cloud service providers.
• Assess security controls implemented for cloud-based data and systems.
• Verify compliance with contractual security obligations.
• Test the effectiveness of cloud security controls.

3. ICT Readiness for Business Continuity (5.30)
Purpose: Ensure ICT systems can support business continuity in the event of a disruption.
Key Points:
• Identify critical ICT systems and resources.
• Develop ICT continuity plans and procedures.
• Regularly test and update ICT continuity plans.
Procedures:
• Review ICT continuity plans and procedures.
• Verify identification of critical ICT systems and resources.
• Test ICT continuity plans to ensure they meet recovery time objectives.
• Assess integration of ICT continuity with overall business continuity plans.

4. Physical Security Monitoring (7.4)
Purpose: Detect and respond to physical security breaches.
Key Points:
• Implement physical security monitoring systems (e.g., CCTV, access control).
• Regularly review and analyze physical security logs.
• Investigate and respond to physical security incidents.
Procedures:
• Inspect physical security monitoring systems.
• Review physical security logs for anomalies and incident response.
• Test the effectiveness of physical security monitoring systems.
• Assess integration of physical security monitoring with overall security operations.

5. Configuration Management (8.9)
Purpose: Control and track changes to ICT systems and assets.
Key Points:
• Implement configuration management processes and tools.
• Identify and track all ICT assets.
• Control changes to ICT assets through a formal change management process.
Procedures:
• Review configuration management policies and procedures.
• Inspect configuration management tools and records.
• Verify that all ICT assets are identified and tracked.
• Assess the change management process for ICT assets.
• Test the effectiveness of configuration management controls.

6. Information Deletion (8.10)
Purpose: Securely delete data when it is no longer needed.
Key Points:
• Implement policies and procedures for information deletion.
• Use secure deletion tools and techniques.
• Verify that data has been securely deleted.
Procedures:
• Review information deletion policies and procedures.
• Examine evidence of secure deletion practices and tools.
• Test the effectiveness of deletion tools and techniques.
• Verify that deleted data is irrecoverable.

7. Data Masking (8.11)
Purpose: Protect sensitive data by obscuring its true value.
Key Points:
• Implement data masking techniques (e.g., encryption, substitution).
• Use data masking for testing, development, and analytics.
Procedures:
• Review data masking policies and procedures.
• Inspect data masking tools and techniques.
• Assess where and how data masking is applied.
• Test the effectiveness of data masking controls.

8. Data Leakage Prevention (8.12)
Purpose: Prevent sensitive data from being accidentally or intentionally disclosed.
Key Points:
• Implement DLP tools and techniques.
• Monitor for sensitive data in emails, web traffic, and file transfers.
• Block unauthorized data transfers.
Procedures:
1. Review DLP Policies and Procedures:
   o Examine existing policies and procedures for DLP to ensure they align with organizational risk assessments and security objectives.
   o Verify that policies outline the scope of sensitive data to be protected, the types of data channels to be monitored, and the actions to be taken in case of potential leaks.
2. Inspect DLP Tools and Logs:
   o Assess the DLP tool(s) in use, including their capabilities, deployment, configuration, and maintenance.
   o Review DLP logs to evaluate the effectiveness of detection and blocking functions.
   o Inspect any incident reports or alerts generated by the DLP tool to identify trends and potential vulnerabilities.
3. Test Effectiveness of DLP Controls:
   o Conduct testing to verify that DLP controls can successfully detect and block attempts to transfer sensitive data in a variety of scenarios (e.g., via email, web, file transfer, printing).
   o Assess the ability of DLP tools to identify sensitive data in different formats and locations.
4. Assess Incident Response Processes for Data Leakage:
   o Review procedures for responding to DLP incidents, including investigation, notification, containment, and remediation.
   o Verify that incident response processes are integrated with overall security incident response plans.
   o Assess the effectiveness of incident response measures and the organization's ability to learn from past incidents.

9. Monitoring Activities (8.16)
Purpose: Monitor ICT systems and activities to detect security incidents.
Key Points:
• Implement monitoring tools and techniques.
• Log and analyze security events.
• Investigate and respond to security incidents.
Procedures:
• Review monitoring policies and procedures.
• Inspect monitoring tools and logs.
• Assess the types of events and activities being monitored.
• Test the effectiveness of monitoring controls in detecting security incidents.
• Assess incident response processes for security incidents.

10. Web Filtering (8.23)
Purpose: Block access to malicious and inappropriate websites.
Key Points:
• Implement web filtering software or services.
• Configure web filtering policies to block inappropriate content.
Procedures:
• Review web filtering policies and procedures.
• Inspect web filtering tools and logs.
• Test the effectiveness of web filtering in blocking inappropriate content.
• Assess the handling of exceptions and requests for access to blocked content.

11. Secure Coding (8.28)
Purpose: Develop secure software to reduce vulnerabilities.
Key Points:
• Implement secure coding practices and guidelines.
• Train developers on secure coding techniques.
• Conduct code reviews and security testing.
Procedures:
• Review secure coding policies and guidelines.
• Inspect code for adherence to secure coding practices.
• Assess developer training on secure coding techniques.
• Examine code review and testing processes for security vulnerabilities.

Expected Audit Questions

A.5.7 Threat Intelligence:
• Process and Procedures: Do you have defined methods for gathering, analyzing, and disseminating threat intelligence? Are these documented and regularly reviewed? How do you integrate insights into risk assessments and security controls?
• Integration and Usage: How do you leverage threat intelligence to inform incident response plans? Do you measure the effectiveness and value of your threat intelligence program?

A.5.23 Information Security for Cloud Services:
• Security Policies and Procedures: Do you have specific policies and procedures governing cloud security? How do you identify and address risks associated with specific providers? Do you ensure compliance with contractual security obligations?
• Security Controls: What controls are in place for cloud-based data and systems? How do you monitor and manage your cloud environment's security? Do you regularly assess cloud providers and services?

A.5.30 ICT Readiness for Business Continuity:
• Critical Systems and Resources: How do you prioritize and document critical ICT systems? Are backups and disaster recovery plans readily available?
• Continuity Plans and Testing: Do you have documented ICT continuity plans for various disruptions? How often do you test and update them? How does ICT continuity integrate with overall business continuity strategies?

A.7.4 Physical Security Monitoring:
• Monitoring Systems and Procedures: What physical security monitoring systems do you use (e.g., CCTV, access control)? Do you have procedures for analyzing logs, investigating incidents, and responding effectively?
• Effectiveness and Integration: How do you test the effectiveness of your monitoring systems? How is physical security monitoring integrated with your overall security operations?

A.8.9 Configuration Management:
• Processes and Tools: Do you have clearly defined processes and tools for managing ICT system configurations? How do you ensure all assets are identified and tracked? How do you control changes through a formal change management process?
• Testing and Effectiveness: How do you test the effectiveness of your configuration management controls? How do you monitor for unauthorized or undocumented changes?

A.8.10 Information Deletion:
• Policies and Procedures: Do you have documented policies and procedures for securely deleting information? How do you define what information needs to be deleted and when? What methods and tools do you use for secure deletion?
• Effectiveness and Verification: How do you verify that deleted data is irrecoverable? How do you train your personnel on secure deletion procedures?

A.8.11 Data Masking:
• Techniques and Applications: What data masking techniques do you use (e.g., encryption, substitution)? How do you apply data masking and ensure its effectiveness?
• Training and Control: How do you train your personnel on data masking procedures and best practices? How do you control access to and use of data masking tools and techniques?

A.8.12 Data Leakage Prevention:
• DLP Tools and Procedures: What DLP tools and techniques do you implement? How do you define sensitive data categories and monitor data channels for potential leaks? What are your procedures for investigating and responding to DLP incidents?
• Effectiveness and Testing: How do you test the effectiveness of your DLP controls in detecting and blocking leaks? How do you manage false positives and negatives generated by your DLP tools?

A.8.16 Monitoring Activities:
• Monitoring Systems and Scope: What monitoring tools and techniques do you use? What types of events and activities do you monitor? How do you prioritize and analyze alerts?
• Response and Effectiveness: How do you investigate and respond to security incidents identified through monitoring? How do you measure the effectiveness of your monitoring activities?

A.8.23 Web Filtering:
• Policies and Procedures: Do you have policies and procedures for web filtering? How do you define inappropriate content and configure your filtering tools?
• Effectiveness and Handling: How do you test the effectiveness of your web filtering? How do you handle exceptions and requests for access to blocked content?

A.8.28 Secure Coding:
• Practices and Guidelines: Have you implemented secure coding practices and guidelines? How do you train developers on these practices?
• Code Reviews and Testing: How do you integrate code reviews and security testing into your development process to identify and address vulnerabilities?