In December 2022, Canberra Cyber Hub started exploring the 11 recent updates to ISO 27001:2022, the certification framework for information security management systems. Our previous articles covered secure coding, monitoring activities and threat intelligence, and ICT readiness for business continuity and physical security monitoring.
This month, the Canberra Cyber Hub sat down with Intrinsic Cyber's Managing Director, Peter O'Brien, and Kenny Thorley, the Managing Director of VMantra Group, to explore the changes in ISO 27001:2022 relating to data leakage, web filtering and information security for the use of cloud services.
ISO/IEC 27001 is the central framework of the ISO/IEC 27000 series, which is a series of documents relating to various parts of information security management. It is the world’s best-known standard for information security management systems (ISMS) and their requirements.
“Implementing standards delivers best practice in data protection and cyber resilience.”
ISO/IEC 27001 was originally published in 2005. ISO/IEC 27002 is the more detailed companion to ISO/IEC 27001, for those interested in all the details. The last update before now was in 2013.
The 2022 update to ISO/IEC 27001 and ISO/IEC 27002 brings changes from the 2013 version that are intended to align the standard with the latest best practices and technologies in the field, and to address new and emerging security threats.
ISO 27001:2022 includes new controls for:
- Data Leakage Prevention: financial losses, damage to reputation, legal and regulatory liabilities, and criminal charges for perpetrators are just a few of the potential impacts of a data leakage incident.
- Web filtering: web filtering can help prevent employees from accidentally exposing the organisation to cyber-attacks or inadvertently downloading malware.
- Information security for the use of cloud services: by carefully managing the risks associated with cloud services and implementing strong security controls, organisations can protect their sensitive information assets and minimise the risk of a data breach.
ISO/IEC 27001 has been updated to include clear guidance for organisations to consider, to ensure the appropriate controls are implemented and governed through the organisation's Information Security Management System (ISMS).
Data Leakage Prevention
The introduction of the Data Leakage Prevention (DLP) control in ISO 27001:2022 matters to organisations because it emphasises the importance of protecting sensitive information and helps organisations identify, assess and prevent its unauthorised disclosure. Implementing the DLP control is crucial for organisations that handle sensitive information such as personal data, financial information, intellectual property and other confidential information.
Whether public or private, family business or multi-national corporation, an organisation’s intellectual property is often a key component of its competitive advantage, in how it delivers value that its competitors cannot.
DLP controls help organisations identify and classify sensitive data, implement controls to prevent data exfiltration, and monitor for suspicious activity. This can help organisations detect and respond to data breaches quickly, reducing the risk of financial losses, reputational damage, and regulatory fines.
Financial losses, damage to reputation, legal and regulatory liabilities, and criminal charges for perpetrators are just a few of the potential impacts of a data leakage incident. To address this concern, ISO 27001 has been updated to include clear guidance on what organisations need to consider, to ensure the appropriate controls are implemented and governed through the organisation's ISMS.
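The three DLP activities named above (identify and classify sensitive data, prevent exfiltration, monitor for suspicious activity) can be seen in miniature in the following outbound-mail inspection routine. It is an added example written for this article, not code from the Canberra Cyber Hub, Intrinsic Cyber, VMantra or ISO/IEC 27001; the classification markers, the internal mail domain `corp.example` and the sample messages are constructed placeholders. Payment card candidates are validated with the Luhn checksum so that invoice numbers and other digit runs do not trip the control, and findings are masked before they reach a log.

```python
"""Content inspection of outbound messages, DLP-style.

Added example, not code from the article or from ISO/IEC 27001.
The classification markers, the internal domain and the sample
messages are constructed placeholders; a real deployment would take
them from the organisation's data classification scheme and mail
configuration.
"""
import re
from dataclasses import dataclass, field

# Constructed markers an organisation might stamp on classified documents.
CLASSIFICATION_MARKERS = ("OFFICIAL: SENSITIVE", "PROTECTED", "CONFIDENTIAL")

# Constructed internal mail domain; any other recipient counts as external.
INTERNAL_DOMAIN = "corp.example"

# A run of 13 to 19 digits, optionally separated by single spaces or dashes.
# The word boundaries stop the pattern from matching part of a longer number.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers.

    Running candidates through Luhn discards most random digit runs
    (invoice numbers, timestamps), which keeps false positives down.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # what was detected
    evidence: str   # masked excerpt, safe to write to a log


@dataclass
class Decision:
    action: str                                 # "allow", "alert" or "block"
    findings: list = field(default_factory=list)


def classify(body: str) -> list:
    """Identify sensitive content in a message body (the identify-and-classify step)."""
    findings = []
    lowered = body.lower()
    for marker in CLASSIFICATION_MARKERS:
        if marker.lower() in lowered:
            findings.append(Finding("classification_marker", marker))
    for match in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            # Never log the full number; the last four digits are enough for triage.
            findings.append(Finding("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def inspect(body: str, recipients: list) -> Decision:
    """Apply the exfiltration policy: sensitive content addressed to an external
    recipient is blocked; sensitive content staying internal raises an alert so
    the activity can be monitored."""
    findings = classify(body)
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if findings and external:
        action = "block"
    elif findings:
        action = "alert"
    else:
        action = "allow"
    return Decision(action, findings)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Invoice 2023-000123 attached, due 30 June.", ["bob@corp.example"]),
        ("Card 4111 1111 1111 1111 exp 09/27 for the booking.", ["agent@partner.example"]),
        ("PROTECTED - board minutes, do not forward.", ["alice@corp.example"]),
        ("Ref 4111 1111 1111 1112 is our ticket number.", ["help@vendor.example"]),
    ]
    for body, rcpts in samples:
        d = inspect(body, rcpts)
        print(d.action, [(f.kind, f.evidence) for f in d.findings])
```

The policy split between "block" and "alert" is deliberate: blocking external delivery of classified or card-bearing content is the prevention half of the control, while the internal alert feeds the monitoring half without interrupting legitimate work. The Luhn filter is the kind of precision measure that decides whether a DLP control is tolerated or switched off by users.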
Web filtering
Internet services and their use are fundamental to modern technology, because of how embedded they are in our personal and professional day-to-day lives. ISO 27001:2022 recommends identifying and blocking access to potentially malicious or inappropriate websites; web filtering of this kind can help prevent employees from accidentally exposing the organisation to cyber-attacks or inadvertently downloading malware.
ISO 27001:2022’s specific guidance for implementing web filtering includes:
- Developing organisational policy statements on the appropriate and approved use of online resources.
- Incorporating guidance on use of online resources into mandatory security awareness training.
- Blocking access to websites which:
  - provide upload/download features not approved by the business (e.g., OneDrive, Dropbox);
  - are known to be malicious, whether identified by staff or through Cyber Threat Intelligence (CTI) feeds;
  - host illegal content.
For example, the control recommends that organisations identify the types of websites that pose the greatest risk to their information assets, and put controls in place to prevent employees from accessing these sites. This could include blocking access to websites known to host malware or phishing attacks, or websites that contain sensitive or confidential information that could be compromised if accessed by unauthorised parties.
In addition to identifying and blocking high-risk websites, the 2022 update recommends regularly reviewing and updating the web filtering system to ensure that it is effective in protecting against new and emerging cyber threats. This could involve regularly updating the list of blocked websites, as well as implementing additional controls such as antivirus software or firewalls to further protect against cyber-attacks.
Web filtering can be implemented in a number of ways, including the use of software programs that block access to certain websites, or the use of hardware devices that monitor and control internet traffic. No matter what method is used, it is important that the web filtering system is regularly reviewed and updated to ensure that it is effective in protecting the organisation's information assets.
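The decision logic behind the guidance above, as an added example written for this article (not code from the Canberra Cyber Hub, ISO/IEC 27001 or any filtering product): a policy object with the three blocking categories the standard names, a list of business-approved exceptions, and a routine that merges a CTI feed snapshot so the blocklist can be refreshed and reviewed regularly. All category names, domains and feed lines are constructed placeholders; the `.example` domains do not exist.

```python
"""Web filtering decision logic for a forward proxy or DNS filter.

Added example, not code from the article, from ISO/IEC 27001 or from any
product. The category names, domain lists and the CTI feed snapshot are
constructed placeholders standing in for an organisation's own policy
and its threat intelligence subscriptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterPolicy:
    # Indicators from Cyber Threat Intelligence feeds; refreshed by ingest_cti_feed().
    cti_malicious: set = field(default_factory=set)
    # Category -> blocked domains, mirroring the policy statements in the guidance.
    categories: dict = field(default_factory=lambda: {
        "unapproved_file_sharing": {"dropbox.example", "onedrive-personal.example"},
        "illegal_content": {"illegal-content.example"},
    })
    # Business-approved exceptions, reviewed and recorded by the security team.
    approved: set = field(default_factory=lambda: {"sharepoint.example"})


def _host(url: str) -> str:
    """Normalise a URL or bare hostname to a lower-case host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain, never for look-alikes
    such as notdropbox.example."""
    return host == domain or host.endswith("." + domain)


def ingest_cti_feed(policy: FilterPolicy, feed_lines) -> int:
    """Merge a feed snapshot (one domain per line, '#' comments) into the policy.

    Returns the number of indicators that were new, so the regular review
    the guidance asks for can see how much the feed changed.
    """
    added = 0
    for line in feed_lines:
        indicator = line.split("#", 1)[0].strip().lower()
        if indicator and indicator not in policy.cti_malicious:
            policy.cti_malicious.add(indicator)
            added += 1
    return added


def decide(policy: FilterPolicy, url: str) -> tuple:
    """Return (action, reason). Malicious indicators win over business exceptions;
    exceptions win over category blocks; anything else is allowed."""
    host = _host(url)
    if not host:
        return ("block", "unparseable_url")
    if any(_in_domain(host, d) for d in policy.cti_malicious):
        return ("block", "cti_malicious")
    if any(_in_domain(host, d) for d in policy.approved):
        return ("allow", "approved_exception")
    for category, domains in policy.categories.items():
        if any(_in_domain(host, d) for d in domains):
            return ("block", category)
    return ("allow", "default")


def audit_line(user: str, url: str, decision: tuple) -> str:
    """One structured log line per decision: the raw material for monitoring and
    for the periodic review of what the filter is blocking."""
    action, reason = decision
    return f"user={user} host={_host(url)} action={action} reason={reason}"


# Constructed CTI feed snapshot with a comment line and a duplicate indicator.
CTI_FEED_SNAPSHOT = [
    "# example feed, constructed",
    "evil-downloads.example",
    "EVIL-Downloads.example   # duplicate, differs only in case",
]

if __name__ == "__main__":
    policy = FilterPolicy()
    print("new indicators:", ingest_cti_feed(policy, CTI_FEED_SNAPSHOT))
    for url in ("https://files.dropbox.example/s/abc",
                "https://sharepoint.example/sites/finance",
                "http://cdn.evil-downloads.example/x",
                "https://www.iso.org/standard/27001"):
        print(audit_line("jdoe", url, decide(policy, url)))
```

Two design points carry the weight here. Suffix matching on the registrable domain means a blocked service stays blocked on every subdomain without an ever-growing literal list, while a look-alike name is not caught by accident. Ordering matters too: a threat-intelligence hit is checked before the business exception list, so an approved site that later appears in a feed is blocked until someone reviews it rather than silently allowed.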
Overall, web filtering is an essential component of an organisation's cybersecurity strategy, helping organisations protect their sensitive data and reduce the risk of cyber threats.
Information security for the use of cloud services
The introduction of the 'information security for the use of cloud services' control (Control 5.23) in ISO 27001:2022 is important for organisations because it ensures they are able to adequately protect their data and systems when using cloud services. The control outlines a set of policies and procedures organisations should adhere to when working with cloud services.
The control includes:
- Defining the roles and responsibilities of both the cloud service provider and the organisation,
- Collecting and analysing threat intelligence,
- Implementing and monitoring security controls, and
- Ensuring data security and privacy.
While cloud services offer many benefits, including cost savings and increased efficiency, they also introduce new risks that need to be carefully managed.
For example, organisations need to ensure that they have contracts in place with their cloud service providers that outline the responsibilities of each party and clearly define the level of security that is expected.
In addition to appropriate contract management, organisations should also implement strong access controls and authentication protocols to ensure that only authorised users have access to sensitive data stored in the cloud. Regular security assessments and monitoring of cloud services are also important to ensure that any potential vulnerabilities are identified and addressed in a timely manner.
Overall, cloud services can be a valuable tool for improving information security, as long as organisations follow best practices and adhere to the ISO 27001 standard. By carefully managing the risks associated with cloud services and implementing strong security controls, organisations can protect their sensitive information assets and minimise the risk of a data breach.
In summary, the new controls emphasise identifying and protecting sensitive data, and implementing proactive measures to detect and respond to security incidents. Organisations that implement these controls effectively will be better equipped to protect against data loss and unauthorised access to sensitive information.