Best practice recommendations for mitigating cyber security risks


The newly updated ISO/IEC 27002 supports and builds on the countermeasures — known as information security controls — set out in ISO/IEC 27001 for implementing and maintaining an information security management system (ISMS). It is designed to enable organizations of all types and sizes to manage their IT risks effectively.

ISO/IEC 27002 describes dozens of information security controls with guidelines for implementing them. These include, for example, controls for identifying information assets, defining appropriate protection responsibilities and maintaining an inventory that is up-to-date, consistent and aligned with an organization’s other inventories.

The revised edition adds more than 10 controls, while merging others and removing only one, reflecting advances in technology and best practices. The 114 controls in the 2013 edition have been consolidated down to 93.

It is worth underlining that Annex B maps the differences between the 2022 and 2013 editions. This will facilitate the transition to the new edition for organizations that already use ISO/IEC 27002.

ISO/IEC 27002 takes a risk management-based approach to managing people, processes, services and technology. Central to this is the notion that since trying to protect everything in equal measure is neither efficient nor sustainable, it is important to identify and focus resources on securing the most valuable assets that ensure business continuity.

The IEC advocates a holistic approach to cyber security: combining best practices with testing and certification is the best way to build cyber resilience. ISO/IEC 27001 is part of the approved process scheme that provides for the independent assessment and issuing of an international IECQ certificate of conformity for organizations that have demonstrated compliance with the relevant publications.

IECQ ISMS facility assessments under the IECQ AP scheme ensure a focus on the key technical and administrative elements that provide confidence that the requirements of ISO/IEC 27001 have been met.

Many international standards contribute to the United Nations Sustainable Development Goal 16, which promotes peaceful and inclusive societies. The cyber security standards in the ISO/IEC 27000 family contribute by protecting key data and systems, while others, such as IEC 62443, help make critical infrastructure more resilient.

All these standards can be purchased from our e-shop.