The TEN controls ISO/IEC 27002 missed
Despite the excellent work done to restructure and update the standard, I still feel some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022, these TEN for example:
- Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high probability x low impact and low probability x high impact information risks (the orange zone on probability impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details.
- Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information and opportunities for legitimate purposes within the constraints of applicable policies, laws, regulations etc., even when this means deliberately taking chances (accepting risks!) to secure business opportunities. Also, I'd like to see, somewhere in the ISO27k series, clearer advice on how to tackle the trade-off between control and utility: information that is too tightly secured loses its value, just as it does if inadequately secured ... and that in turn leads to the idea of at least mentioning financial and general business controls relating to information risk and security (e.g. budgeting, project investments, resourcing, cost accounting, incident and impact costing, valuing intangible assets, directing and motivating specialists: these are all important but tricky areas to address, so advice would help improve the effectiveness and efficiency of information security). [Some of this is covered, albeit quite academically rather than pragmatically, in ISO/IEC 27014 and '27016, and outside the ISO27k realm.]
- Health and safety controls protecting 'our most valuable assets', providing a supportive work environment that is conducive to getting the most out of our people, and ensuring the safety of our customers using our products. As with business continuity, H&S is pretty well covered by other standards plus laws and regs ... although, arguably, there's much more left to say, yet, on mental health (e.g. the long-term adverse health effects of excessive stress, both on and off the job), with significant implications for information risks (e.g. managers making inappropriate decisions, or delaying/refusing/being unable to decide at all) and security controls (e.g. the importance of workload and stress management).
- Controls against fraud perpetrated by insiders (managers or staff), partners, outsiders/unknown parties, and potentially several (collusion) are another weak area in the standard. I have in mind controls such as 'trust but verify'; discreet monitoring/surveillance, both general and targeted at fraud-prone groups, roles, individuals or situations; explicitly designing business processes and information systems to deter, avoid, detect and alert on, or at the very least securely log fraudulent activities; identifying, reporting and following-up on various fraud indicators; encouraging and facilitating whistleblowers etc.
- Ethics in general - another human issue inadequately covered by the controls in the standard, despite the opportunity offered by section 6.
- Assurance controls in general: although there are some assurance controls in the ISO27k standards, they are mostly constrained to compliance auditing for accredited certification purposes. Oversight, for instance, is a valuable control (or rather, a cloud of related controls) that is almost universally applicable.
- Security architecture plus security engineering: once more, there are already useful standards and methods in this area, so '27002 need not reinvent the wheel - rather I feel it should introduce the concepts (perhaps with some version of the diagram above, or any of the many excellent alternatives documented in various other framework standards and methods), explaining their value as an integral part of information risk and security management, and cite the appropriate reference sources.
- Professional services other than the provision of IT/networks/cloud: many organisations rely on third parties for strategic, legal, accounting, HR, marketing and/or other specialist services (advice or full outsourcing), hence they are giving, receiving and using very valuable and sensitive information. [This is such a significant omission from the current ISO27k suite that it deserves its own ISO27k standard, in my opinion.]
- Information security controls mitigating information risks affecting the Information Security Management System itself, plus other 'management systems' and in fact management information in general e.g. governance arrangements such as structures, roles and responsibilities, reporting lines, delegation and oversight; change controls for policies and procedures; access controls for sensitive ISMS-related information such as risk registers, logs, incident reports, strategies, budgets and plans.
- Diverse archives - for long-term secure archival of valuable information, duplicated across multiple storage locations to reduce the possibility of single site disasters. Since the control cost is roughly doubled compared to traditional single-site archives, it is even more important to ensure that only essential information is archived, implying the need for policies and procedures plus authorisation and assurance measures (e.g. regularly confirming that archived information can, in fact, be retrieved successfully) using available technology. [Control 8.13 mentions "archive copies", in the plural, but it takes a keen eye and experience to spot and mitigate the risks.]
The good news, however, is that '27002 is a popular, generic, advisory standard that adequately catalogues and describes the basics. We are free to interpret and apply the standard as we wish, even within the constraints of an ISO/IEC 27001 certified ISMS. The controls outlined in Annex A of '27001 are discretionary and not necessarily comprehensive - in other words, if you accept some or all of what I've said above, determine that various other valuable controls are MIA or weak in '27002, or decide that the suggested controls (as described) are inappropriate in your particular business situation, you are positively encouraged to use the specified information risk management process to select, use, manage and maintain whichever controls are most relevant and valuable to your organisation, becoming integral parts of your unique ISMS.
Don't feel constrained by ISO/IEC 27001 Annex A and ISO/IEC 27002:2022. Do what's best for your organisation, for business, for Pete's sake!