Much has changed in the digital security landscape since the implementation of ISO 27001, 2013. The focus from literal paper security to cloud protocols couldn’t be more drastic. Luckily, the Anglepoint team has the complete pulse on the situation. In this ITAM Executive episode, Anglepoint’s Security Team leads—Avinash Kotikalapudi, Blake DeShaw, and Greg Free—discuss the implications of the updates to ISO 27002.
- The major changes from ISO 27001
- The benefits of streamlined control families
- How to be prepared for ISO 27002 enforcement
- When to anticipate ISO 27002 rollout
Learn more about our Anglepoint panel by connecting with them on LinkedIn.
Dig into more insights from ITAM executives by subscribing on Apple Podcasts, Spotify, or wherever you listen to podcasts.
Listening on a desktop & can’t see the links? Just search for The ITAM Executive in your favorite podcast player.
Blake DeSahw: When your company’s starting off with these certifications, it can be very hard to know where to start. What is the baseline? And ISO 27,002 I think, really paints that picture as well. It gives you examples to help you out on your way.
You’re listening to the ITAM Executive, a podcast for ITAM, leaders and practitioners.
Make sure to hit subscribe in your favorite podcast player and give us a rating. In each episode, we invite seasoned leaders to share their tips on how to define your strategy, promote the value of ITAM in your organization, and align your program with the latest IT trends and industry standards. Let’s dig in.
Avinash Kotikalapudi: Hi everybody. Welcome to the ITAM Executive podcast. We are going to speak about ISO 27,002, the new security protocols coming out to support the ISO 27,001. With me today, here are two of my colleagues, Blake DeShaw and Greg Free, who are part of the Anglepoint team here, and we are gonna talk about the new ISO 27,002, which was released earlier in the year.
And what are the different changes compared to the 2013 version and how that leads going to affect the organization’s going forward into adopting that. Blake and Greg, do you guys want to introduce yourself first?
Blake DeSahw: Yeah, thanks Avinash. My name’s Blake DeShaw. I’m the manager here with the Anglepoint Security team.
Definitely get my daily experience in doing ISO audits, other internal audit functions, third party risk management, different facets of the security world, and so I’m very happy to be here.
Greg Free: Hey, I’m Greg Free. I’m a senior manager here at Anglepoint.
Avinash Kotikalapudi: So before we dive into ISO 27,002, let’s talk about why ISO 27,001.
Seas of controls is important and how can organizations benefit from this and some of the main areas. I can hit few of them and I’m sure Blake and Greg, you guys can chime in here, but ISO 27,001 really is a set of controls by ISM or reference security and manual systems which help companies get organized and be more robust in their security practices.
And help make sure that they are ready for any kind of eventuality in terms of cybersecurity, other things as well. So it really provides guidelines for companies to be put together, some security protocols in place and policies in place, which will help them to be more compliant with industry and provide information to anybody who is needed from a standpoint of third party management as well.
But Blake, maybe I’ll bring you in here and try to get your viewpoint on why. If somebody is trying to adopt ISO 20 2001, why would you recommend that to anybody?
Blake DeSahw: Yeah. In today’s world of technology, security’s a huge part. So for any of these companies, And so depending on what a business does, they have expectations of security and privacy that become determined by customers or in some cases, even legal bodies as well.
And so there are several certifications that company can go after. And one of these that we of course, see in our experiences, of course, is the ISO 27,001 framework. I don’t know if I would say it’s a starting point for most companies, but it really is a framework for implementing an information system, safeguarding the information assets.
In some cases, if you’re diving into maybe a pci, which is more credit card focused, the ISO 27,001 really is for a company to, to start to instill the security values of an information system really across the board. It’s a good baseline and we see it at least in terms of our customers. It is something that every client is either already have one of their first certifications, or is definitely in their first three that they’re going after.
So not only is it important for the business, I think security maturity, but also to really stand out in the industry because it is an industry standard.
Avinash Kotikalapudi: Gotcha. No, that’s great with points. Blake, I think very well said and that really sets the tone for why should, if I’m looking at 27,001 or systems on two, why, what is the difference really between the two?
Because customers or clients get confused about ISO 27,000 1002 and I really not sure what the difference are between the two. Correct. Do you want to chime on that one?
Greg Free: Yeah. It makes a lot of sense to understand the differences on there. And just going off what Blake said before is 27,001 is really interesting to me is because.
It’s something that you can use, whether you’re an immature security organization or you’re extremely mature. It covers everything across the board on that, and so it’s a great springboard to help out any organization. Now, like we said, 27,001 kind of gives you a high level idea of what it is that you’re hoping to achieve or what areas you need to cover insecurity.
Whereas 27,002 comes along and it gives you guidance of how you want to go about that process on there, at least to a high level. I guess an example would be having the proper technological controls instilled in your organization, and that gives you a hint of, are you using like a blacklist, whitelist for different web addresses, things of that nature.
To me, it’s a really helpful tool in that regard because it really fleshes up the different areas that if you were just to do this unorganized, you probably would find yourself with a lot of gaps. So I think they do a great job in covering the board.
Avinash Kotikalapudi: Nope, that’s a great point. And what do you think from a 27,002 perspective, what is the basic difference with the tool?
Blake DeSahw: Really, before maybe we dive into the details, how I think about it or how I would explain maybe to my mother who is not too tech savvy, or at least not security wise, is that ISO 27,001 is the test. It’s the exam. It’s the controls that you’re going to be measured against by an auditor. Whereas ISO 27,002 is really the study.
It will provide that additional guidance to really ensure that you’re able to pass those controls when the time comes. I have one example at least that I think is good to think about. So from ISO management, responsibilities and procedures shall be established to ensure a quick, effective and orderly response to a security incident.
Now overall that makes sense. We know what security incidents are to some degree, but. If you’re really being audited against that, it can be difficult to, what does a quick or effective response mean? And so what’s nice is the ISO 27,002 gives you examples of what that looks like and especially, or even what, obviously a security incident is going to be defined within your company.
But those kind of specific, what does this actually look like in a typical organization when you’re a company starting off with these certifications? It can be very hard to know where to start. What is the baseline? And ISO 27,002 I think, really paints that picture as well, gives you examples to help you out on your way.
Avinash Kotikalapudi: Awesome. Blake, thank you for putting that in a very easy manner to understand now, and I’m curious, right? We are trying to understand 27 0 0 2 more specifically for this podcast here for us. The new one, which got released earlier in the year as we were talking about it. There are some differences based on what we understand high level of what those differences are from a just a guide perspective.
We’re talking only about the guide over here because we don’t have the new twin sensor zero one still. That’ll be probably coming on later in the year sometime. Let’s start over it, Greg, maybe, I don’t know if you want to highlight as the actual differences.
Greg Free: Yeah, that’d be great. So I guess one of the things that you’ll notice is that the control groups have gone from 14 to 4.
Now makes it a lot simpler to keep track of what should go where. The new control group is organizational people, physical and technological controls. Now, where you see most of the change happened is in the organization, the technological controls on there where physical was a little more just reorganized in some aspects.
But technological controls is where you see the most of the changes. There are eight changes that happen in that environment on there, which I think are fairly interesting. And another thing that I think is interesting is you’re actually seeing references now to the ITAM controls. So you’ll see ISO 197070 being referenced in three different controls, 5.9, which is the inventory of information, other associate assets.
5.21, which is the managing information security in the ICT supply chain and 5.3 to the intellectual property rights. So in the past, there wasn’t any direct connections between the cybersecurity and the ITAM paperwork. So to me, this is kinda an exciting development for someone who, for the most part of my career has worked more on the ITAM side.
Avinash Kotikalapudi: Gotcha. Okay. That’s interesting. That’s interesting, and I’m glad you pointed that out because as a follow up, ask you a question about why do you think. Or how do you think ISO 27,001 can really guide customers who looking for more optimization on ITAM or Software Asset management? What role do you think ISO 27,000 can help or can play in that?
Greg Free: So I think there’s some interesting things on there. Like you said, coming 2022 cybersecurity controls were never even mentioned I 10, and this to me explains a little bit why some organizations don’t have a lot of synergy between security and I 10, but I think. A couple of the items that I thought was interesting and though it’s not related exactly to the item controls, I thought just configuration management.
That new control is 8.9. Really, I think, plays into the strengths of both organizations, right? Where the IT asset management team can tell you exactly how the con, how items are configured on there. The IT service management training can take that information. And relate to their management security of what changes have occurred and keep track of that.
So I think that’s one of the first places where you’ll start seeing the synergy that’s come from this new version of 27,002 in IAM on there, is that not recognizing that there is a certain level of value between these two different organizations
Avinash Kotikalapudi: now, it just reinforces the fact that. Both Security and IT time are integral to each other, and security plays an important role in making sure the IT time elements also taken care.
Greg Free: I thought that cloud security, one of the big differences I noticed with the control families and the second edition in 2013 that there was 14 of them. It was tricky to memorize all those and there wasn’t like a rational pattern completely always just what tied to what, and some of the controls looked like they could either be in one or the other.
You had the information security policy and then you had organization of information security, which were two different control families, but they really crossed lines on that. So there was a lot of like duplicate coverage on there. I think now that we’ve gone to just four families of controls, organizational people, physical, technological, I think it makes it really easy for people to look at an item and come to a quick realization of what con control family you’re going to work with.
Before there were questions on whether someone was onboarded, whether they had access to a data center. They’ve broken those apart now, and I think it makes a lot easier out of the organizational controls. The two out of the three, the two that I thought were the most interesting was the threat intelligence.
Just identifying and sharing strategic, tactical and operational risks. A big value in that is you really have to collaborate with different organizations, not just internally, but externally, to stay on top of the changing landscape of threats.
Avinash Kotikalapudi: Some of the changes which I have seen are specifically around focusing on more on the S I EM tools, which the companies are and relations are using, talking about business content, disaster recovery.
I’ve seen areas where the focus is on a lot of carrying out B, in order to conduct the BCP things as well. Fairly, quite lot of changes covering the elements of. Asset management sounds, cloud security sounds like privacy sounds like as well, and some of the business content areas as well. So what other questions, which we’ve been getting quite a lot is what about implementing this new version?
If somebody is going into 27,001 for this year? How does this new version of 27002 affect them? Basically, what is the timeline for implementations at all? Blake, can you help us answer that?
Blake DeSahw: Yeah, definitely. For those companies that you know are implementing ISO 27,001 right now, I think it’s important to start looking at the newly released 27,002 as you begin to plan for that audit.
However, for now, until that’s released, the new 27,001 controls. The statement of applicability must refer to two ISO 27,001 2013, and typically what we’re looking at, or what we’re hearing at least from the external audit side, is it’s typically a two-year transition period, although it gives companies some time to maybe update their common control frameworks and prepare for this external audit.
It definitely isn’t going to hurt to start looking at the 27,002 and start setting up that plan to reach it. So you’re prepared in time for the auditors. Yeah.
Greg Free: Even if you want to use the new version, you can’t certify that because the certifying bodies will have to have the new ISO 27,001 for six months prior to them being able to certify organizations.
So there’s still a lot of window on that and sure it’s a little. This time because in 2013, both of them came out simultaneously. This time we’ve got, I joked that they provided us the cheat sheet on what 27,002 will look like because they gave that to us presumably about eight months earlier. People think that it should come out the 27,001 new editions in October.
We’ll see in the approval board right now. But that’s an interesting point on there that now it’s not going to all drop at once. We’ve actually a little bit a, a cheat on that. What’s going to be expected, at least from the Control side.
Blake DeSahw: Sure, and based on the overview we gave, it’s not just minor changes, right?
You’re seeing the whole control. Families change. Not only are companies going to have to adapt to this, but all the external auditors, they’ve been performing the same ISO 27,001, 2013 audits for a decade, and now having to update their teams in terms of training and their resources and evidence requests, all that’s going to be baked into that transition period.
So I think it’s always best to start now internally to prepare, but it’s good to know that it’s not. Right around the corner, at least in terms of the external auditors knocking on the door. I’m asking for the latest ISO 27,001
Greg Free: Blake. I’d be curious to get your thoughts on the new 5.23, which covers cloud security.
I’m, I know you see a lot of questions about that all the time. I’m sure it’s a huge difference from cloud security questions from five years ago. What’s the biggest thing that you’re seeing with clients Now, I know this is front running a control that’s not been out, but I know these are questions that have to be answered currently.
Blake DeSahw: Yeah, I think when we are looking at 27,001 and the way that addresses infrastructure production now, what we would consider covered by this new control, I think companies get creative a little bit because of the ISO is so broad, it’s interpreted in kind of a multitude of ways, whether that’s relying on maybe external third parties that you’re hosting, things like that, you can get away with it.
But I do believe. Likely because of that cloud, really specific control that it will change how companies have to prepare for that. And whether they were able to come up with a, maybe a mixed answer earlier, a less broad, now that they’re asking specifics, I think we could see a lot of implementation around the cloud.
Whether that is management of this cloud security side all the way down to updating the policies to reflect that change in language. I think that’ll be a very interesting thing that we see is not only are these controls have to be met, but of course this is all policy and procedure driven. So we’ll start to see maybe uplifts or facelifts of a lot of this documentation, specifically that control.
Avinash Kotikalapudi: Great new changes coming in to look into that and I think we’re all excited and waiting to see how the 27,001 controls, which as Blake mentioned earlier, are going to be specific requirements coming out of the 27 0 2 as well. Thank you everybody for the time here. Thanks for in and tuning in this time.
Greg Free: The ITAM executive is proud to be supported by Anglepoint, A better way to manage software. Anglepoint helps the global 2000 reduce their costs and mitigate risk in their software and technology assets. Angle Point is a leader in SAM and ITAM projects, thanks to their team of uniquely experienced experts from across the industry.
Anglepoint’s managed services provides you immediate access to the people, processes, and technology you need to optimize your entire software estate. To learn more, visit Anglepoint.com/schedule.
You’ve been listening to the ITAM executive brought to you by Anglepoint. Make sure to hit subscribe in your favorite podcast player and give us a rating. Thanks for being part of the ITAM community. Until next time.