Implementation of the measures from Annex A in the current version is supported by the identically structured implementation guidance of ISO/IEC 27002:2022, which was already updated in February. Generic controls for strategic attack prevention and faster detection are newly included.
Three new controls for detection and prevention
The now 93 measures in Annex A of ISO/IEC 27001:2022 are now reorganized under the update into four topics
- Organizational measures,
- Personal measures,
- Physical measures and
- Technological measures.
Three of the eleven newly introduced information security controls relate to the prevention and timely detection of cyber attacks. These three controls are
- 5.7 Threat intelligence (organizational).
- 8.16 Monitoring activities (technological)
- 8.23 Web filtering (technological).
Below we will take a closer look at these 3 new controls.
Organizational control 5.7 deals with the systematic collection and analysis of information about relevant threats. The purpose of the measure is to make organizations aware of their own threat situation so that they can subsequently take appropriate action to mitigate the risk. Threat data should be analyzed in a structured manner according to three aspects: strategic, tactical and operational.
Strategic threat analysis provides insights into changing threat landscapes, such as attack types and the actors, e.g., state-motivated actors, cybercriminals, contract attackers, hacktivists. National and international government agencies (such as BSI - German Federal Office for Information Security, enisa - European Union Agency for Cybersecurity, U.S. Department of Homeland Security or NIST - National Institute of Standards and Technology), as well as non-profit organizations and relevant forums, provide well-researched threat intelligence across all industries and critical infrastructures.