Scribd Logo
Upload

Welcome to Scribd!

  • MSECB ISO IEC 27002 Mapping

    Uploaded by

    Ahi Pola
    240 views10 pages

    Original Title

    MSECB-ISO-IEC-27002-Mapping

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    240 views10 pages

    MSECB ISO IEC 27002 Mapping

    Uploaded by

    Ahi Pola

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 10

    Presentation of

    ISO/IEC 27002:2022
    Controls

    Copyright 2022 MSECB Management Systems Inc.


    Contents
    02 New Controls
    11 new controls have been added to
    the ISO/IEC 27002:2022

    03 Merged controls
    57 controls from the 2013 version,
    have been merged into 24 new
    controls.

    05 Renamed controls
    23 controls have changed their
    names. However, their purpose is the
    same as in the previous 2013 version.

    07 Same name, different


    control number
    35 controls remained the same, only
    changing their control number.

    Copyright 2022 MSECB Management Systems Inc.


    New Controls
    11 new controls have been added to the ISO/IEC 27002:2022

    ISO/IEC 27002:2022 Controls

    A.5.7 Threat Intelligence

    A.5.23 Information security for use of cloud services

    A.5.30 ICT readiness for business continuity

    A.7.4 Physical security monitoring

    A.8.9 Configuration management

    A.8.10 Information deletion

    A.8.11 Data masking

    A.8.12 Data leakage prevention

    A.8.16 Monitoring activities

    A.8.23 Web filtering

    A.8.28 Secure coding

    Copyright 2022 MSECB Management Systems Inc. 02


    Merged controls
    57 controls from the 2013 version, have been merged into 24 new controls:

    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control


    5.1.1 Policies for information security
    5.1.2 Review of the policies for 5.1 Policies for information security
    information security

    6.1.5 Information security in project


    management 5.8 Information security in project
    14.1.1 Information security requirements management
    analysis and specification

    8.1.1 Inventory of assets 5.9 Inventory of information and other


    8.1.2 Ownership of assets associated assets

    8.1.3 Acceptable use of assets 5.10 Acceptable use of information and


    8.2.3 Handling of assets other associated assets

    13.2.1 Information transfer policies and


    procedures
    13.2.2 Agreements on information transfer 5.14 Information transfer
    13.2.3 Electronic messaging

    9.1.1 Access control policy


    9.1.2 Access to networks and network services 5.15 Access control

    9.2.4 Management of secret authentication


    information of users
    5.17 Authentication information
    9.3.1 Use of secret authentication information
    9.4.3 Password management system

    9.2.2 User access provisioning


    9.2.5 Review of user access rights 5.18 Access rights
    9.2.6 Removal or adjustment of access rights

    15.2.1 Monitoring and review of supplier services 5.22 Monitoring, review and change
    15.2.2 Managing changes to supplier services management of supplier services

    Copyright 2022 MSECB Management Systems Inc. 03


    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    17.1.1 Planning information security continuity


    17.1.2 Implementing information security
    continuity 5.29 Information security during disruption
    17.1.3 Verify, review and evaluate information
    security continuity

    18.1.1 Identification of applicable legislation and


    contractual requirements 5.31 Legal, statutory, regulatory and
    18.1.5 Regulation of cryptographic controls contractual requirements

    18.2.2 Compliance with security policies and 5.36 Compliance with policies, rules and
    standards standards for information security
    18.2.3 Technical compliance review

    16.1.2 Reporting information security events


    16.1.3 Reporting information security 6.8 Information security event reporting
    weaknesses

    11.1.2 Physical entry controls


    7.2 Physical entry
    11.1.6 Delivery and loading areas

    8.3.1 Management of removable media


    8.3.2 Disposal of media
    7.10 Storage media
    8.3.3 Physical media transfer
    11.2.5 Removal of assets

    6.2.1 Mobile device policy


    11.2.8 Unattended user equipment 8.1 User endpoint devices

    12.6.1 Management of technical vulnerabilities


    8.8 Management of technical vulnerabilities
    18.2.3 Technical compliance review

    12.4.1 Event logging


    12.4.2 Protection of log information 8.15 Logging
    12.4.3 Administrator and operator logs

    12.5.1 Installation of software on operational 8.19 Installation of software on operational


    systems systems
    12.6.2 Restrictions on software installation

    10.1.1 Policy on the use of cryptographic


    controls 8.24 Use of cryptography
    10.1.2 Key management

    14.1.2 Securing application services on public


    networks
    8.26 Application security requirements
    14.1.3 Protecting application services
    transactions

    Copyright 2022 MSECB Management Systems Inc. 04


    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    14.2.8 System security testing 8.29 Security testing in development and


    14.2.9 System acceptance testing acceptance

    12.1.4 Separation of development, testing and


    8.31 Separation of development, test and
    operational environments
    production environments
    14.2.6 Secure development environment

    12.1.2 Change management


    14.2.2 System change control procedures
    14.2.3 Technical review of applications after
    8.32 Change management
    operating platform changes
    14.2.4 Restrictions on changes to software
    packages

    Renamed controls
    23 controls have changed their names. However, their purpose is the same as
    in the previous 2013 version.

    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    15.1.1 Information security policy for supplier 5.19 Information security in supplier
    relationships relationships

    15.1.2 Addressing security within supplier 5.20 Addressing information security


    agreements within supplier agreements

    15.1.3 Information and communication 5.21 Managing information security in


    technology supply chain the ICT supply chain

    5.24 Information security incident


    16.1.1 Responsibilities and procedures
    management planning and preparation

    16.1.4 Assessment of and decision on 5.25 Assessment and decision on


    information security events information security events

    18.1.4 Privacy and protection of personally


    5.34 Privacy and protection of PII
    identifiable information

    7.3.1 Termination or change of employment 6.5 Responsibilities after termination or


    responsibilities change of employment

    6.2.2 Teleworking 6.7 Remote working

    Copyright 2022 MSECB Management Systems Inc. 05


    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    9.4.2 Secure log-on procedures 8.5 Secure authentication

    12.2.1 Controls against malware 8.7 Protection against malware

    17.2.1 Availability of information processing 8.14 Availability of information processing


    facilities facilities

    13.1.1 Network controls 8.20 Networks security

    13.1.3 Segregation in networks 8.22 Segregation of networks

    14.2.1 Secure development policy 8.25 Secure development life cycle

    8.27 Secure system architecture and


    14.2.5 Secure system engineering principles
    engineering principles

    14.3.1 Protection of test data 8.33 Test information

    8.34 Protection of information systems


    12.7.1 Information systems audit controls during audit testing

    11.1.1 Physical security perimeter 7.1 Physical security perimeters

    11.2.9 Clear desk and clear screen policy 7.7 Clear desk and clear screen

    11.2.6 Security of equipment and assets


    off-premises 7.9 Security of assets off-premises

    9.2.3 Management of privileged


    8.2 Privileged access rights
    access rights

    9.4.5 Access control to program source code 8.4 Access to source code

    Copyright 2022 MSECB Management Systems Inc. 06


    Same name, different
    control number
    These 35 controls remained the same, only changing their control number:

    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    6.1.1 Information security roles and 5.2 Information security roles and
    responsibilities responsibilities

    6.1.2 Segregation of duties 5.3 Segregation of duties

    7.2.1 Management responsibilities 5.4 Management responsibilities

    6.1.3 Contact with authorities 5.5 Contact with authorities

    6.1.4 Contact with special interest groups 5.6 Contact with special interest groups

    8.1.4 Return of assets 5.11 Return of assets

    8.2.1 Classification of information 5.12 Classification of information

    8.2.2 Labelling of information 5.13 Labelling of information

    16.1.5 Response to information security 5.26 Response to information security


    incidents incidents

    16.1.6 Learning from information security 5.27 Learning from information security
    incidents incidents

    16.1.7 Collection of evidence 5.28 Collection of evidence

    18.1.2 Intellectual property rights 5.32 Intellectual property rights

    18.1.3 Protection of records 5.33 Protection of records

    18.2.1 Independent review of information 5.35 Independent review of information


    security security

    Copyright 2022 MSECB Management Systems Inc. 07


    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    12.1.1 Documented operating procedures 5.37 Documented operating procedures

    7.1.1 Screening 6.1 Screening

    7.1.2 Terms and conditions of employment 6.2 Terms and conditions of employment

    7.2.2 Information security awareness, 6.3 Information security awareness,


    education and training education and training

    7.2.3 Disciplinary process 6.4 Disciplinary process

    13.2.4 Confidentiality or non-disclosure 6.6 Confidentiality or non-disclosure


    agreements agreements

    11.1.3 Securing offices, rooms and facilities 7.3 Securing offices, rooms and facilities

    11.1.4 Protecting against external and 7.5 Protecting against external and
    environmental threats environmental threats

    11.1.5 Working in secure areas 7.6 Working in secure areas

    11.2.1 Equipment siting and protection 7.8 Equipment siting and protection

    11.2.2 Supporting utilities 7.11 Supporting utilities

    11.2.3 Cabling security 7.12 Cabling security

    11.2.4 Equipment maintenance 7.13 Equipment maintenance

    11.2.7 Secure disposal or re-use of equipment 7.14 Secure disposal or re-use of equipment

    9.4.1 Information access restriction 8.3 Information access restriction

    12.1.3 Capacity management 8.6 Capacity management

    Copyright 2022 MSECB Management Systems Inc. 08


    ISO/IEC 27002:2013 Control ISO/IEC 27002:2022 Control

    12.3.1 Information backup 8.13 Information backup

    12.4.4 Clock synchronization 8.17 Clock synchronization

    9.4.4 Use of privileged utility programs 8.18 Use of privileged utility programs

    13.1.2 Security of network services 8.21 Security of network services

    14.2.7 Outsourced development 8.30 Outsourced development

    To learn more about the updated ISO/IEC 27002:2022, click here,

    [email protected]
    www.msecb.com

    Copyright 2022 MSECB Management Systems Inc.

    You might also like