The new requirements for Annex A:
Additionally, there are changes to Annex A. Many of the previous controls have been renamed but remain ostensibly the same. Below are the 11 ‘new’ controls with a few operational hints:
A.5.7 Threat Intelligence
Overview: This control focuses on gathering and analysing information about threats to the organisation. It involves identifying potential threats, assessing their impact, and developing strategies to mitigate them. Threat intelligence helps organisations stay ahead of potential security risks by providing actionable insights.
Operational Controls:
- Threat Intelligence Platforms (TIPs): Implementing a TIP to collect, analyse, and share threat data from various sources. This platform can help in identifying emerging threats and providing timely alerts.
- Regular Threat Assessments: Conducting regular threat assessments to identify potential threats and vulnerabilities. This can involve analysing threat data, conducting penetration testing, and reviewing security incidents.
- Collaboration with External Entities: Collaborating with external entities such as industry groups, government agencies, and cyber security vendors to share threat intelligence and stay updated on the latest threats.
A.5.23 Information Security for Use of Cloud Services
Overview: This control ensures that information security measures are in place when using cloud services. It involves assessing the security of cloud providers, implementing appropriate security controls, and monitoring the security of data stored in the cloud.
Operational Controls:
- Cloud Security Assessments: Conducting security assessments of cloud service providers to ensure they meet the organisation’s security requirements. This can involve reviewing their security certifications, conducting audits, and assessing their security controls.
- Data Encryption: Implementing encryption for data stored in the cloud to protect it from unauthorised access. This can involve using encryption technologies such as SSL/TLS for data in transit and AES for data at rest.
- Access Controls: Implementing access controls to restrict access to cloud resources. This can involve using multi-factor authentication (MFA), role-based access control (RBAC), and identity and access management (IAM) solutions.
A.5.30 ICT Readiness for Business Continuity
Overview: This control ensures that the organisation’s ICT systems are prepared to support business continuity in the event of a disruption. It involves developing and implementing plans to ensure that critical systems can continue to operate during a crisis.
Operational Controls:
- Business Continuity Planning (BCP): Developing and maintaining a BCP that outlines the steps to be taken in the event of a disruption. This plan should include procedures for data backup, system recovery, and communication.
- Disaster Recovery (DR) Solutions: Implementing DR solutions such as data replication, failover systems, and cloud-based recovery services to ensure that critical systems can be quickly restored in the event of a disruption.
- Regular Testing and Drills: Conducting regular testing and drills to ensure that the BCP and DR solutions are effective. This can involve simulating different types of disruptions and evaluating the organisation’s response.
A.7.4 Physical Security Monitoring
Overview: This control focuses on monitoring the physical security of the organisation’s premises. It involves implementing measures such as surveillance cameras, access controls, and security personnel to protect against unauthorised access and physical threats.
Operational Controls:
- Surveillance Systems: Installing surveillance cameras to monitor key areas of the organisation’s premises. This can help in detecting and responding to unauthorised access and other security incidents.
- Access Control Systems: Implementing access control systems to restrict access to sensitive areas. This can involve using key cards, biometric authentication, and security gates.
- Security Personnel: Employing security personnel to monitor the premises and respond to security incidents. This can involve conducting regular patrols, monitoring surveillance systems, and responding to alarms.
A.8.9 Configuration Management
Overview: This control ensures that the organisation’s ICT systems are configured securely and consistently. It involves maintaining an inventory of system configurations, implementing change management processes, and regularly reviewing configurations to ensure they meet security requirements.
Operational Controls:
- Configuration Management Database (CMDB): Maintaining a CMDB to track the configuration of all ICT systems. This can help in identifying and managing configuration changes.
- Change Management Processes: Implementing change management processes to ensure that all configuration changes are reviewed, approved, and documented. This can involve using change management tools and conducting regular change reviews.
- Regular Configuration Audits: Conducting regular audits of system configurations to ensure they meet security requirements. This can involve using automated tools to scan for configuration issues and conducting manual reviews.
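The automated configuration audit described above, as an added example (not from the original article): a small drift checker that compares a collected sshd_config against a hardening baseline. The baseline values and the sample config are constructed for the demo; adapt the baseline to your own standard.

```python
# Constructed baseline of required sshd_config settings (assumption for this demo).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a live config, as an audit agent would collect it from a host.
SAMPLE_CONFIG = """\
# sshd_config collected from host (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines. Commented-out lines are skipped so they never
    count as set, and the first occurrence of a key wins, matching sshd's own
    'first obtained value' rule."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit(text: str, baseline: dict) -> list:
    """Return one (key, required, actual) finding per baseline item that is
    missing or differs. A missing key is reported too: the daemon default
    then applies, which an audit should never silently accept."""
    actual = parse_config(text)
    findings = []
    for key, required in baseline.items():
        found = actual.get(key)
        if found is None:
            findings.append((key, required, "<not set>"))
        elif found.lower() != required.lower():
            findings.append((key, required, found))
    return findings


if __name__ == "__main__":
    for key, required, found in audit(SAMPLE_CONFIG, BASELINE):
        print(f"DRIFT {key}: required={required} actual={found}")
```

Feed the same function the output of `sshd -T` instead of the raw file when you want the effective configuration after Match blocks and defaults are resolved.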
A.8.10 Information Deletion
Overview: This control focuses on securely deleting sensitive information that is no longer needed. It involves implementing processes and technologies to ensure that data is permanently erased and cannot be recovered.
Operational Controls:
- Data Deletion Policies: Developing and implementing data deletion policies that outline the procedures for securely deleting sensitive information. This can involve specifying the types of data to be deleted, the methods to be used, and the retention periods.
- Secure Deletion Tools: Using secure deletion tools to permanently erase data. This can involve using software tools that overwrite data multiple times to prevent recovery.
- Regular Data Deletion Audits: Conducting regular audits to ensure that data deletion policies are being followed. This can involve reviewing deletion logs and conducting spot checks.
A.8.11 Data Masking
Overview: This control involves obscuring sensitive data to protect it from unauthorised access. It involves replacing sensitive information with fictitious data or masking it in a way that prevents identification.
Operational Controls:
- Data Masking Tools: Implementing data masking tools to obscure sensitive information. This can involve using tools that replace sensitive data with fictitious data or mask it in a way that prevents identification.
- Data Masking Policies: Developing and implementing data masking policies that outline the procedures for masking sensitive information. This can involve specifying the types of data to be masked, the methods to be used, and the retention periods.
- Regular Data Masking Audits: Conducting regular audits to ensure that data masking policies are being followed. This can involve reviewing masking logs and conducting spot checks.
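The two masking approaches the overview names, partial masking and replacement with non-identifying values, as an added example (not from the original article). The field names, the demo key and the sample records are constructed; the key would come from a secrets store in practice.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption): a real deployment loads this from a vault.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def mask_email(addr: str) -> str:
    """Keep the first character and the domain so support staff can still
    recognise the record type without seeing who the person is."""
    local, _, domain = addr.partition("@")
    if not domain:
        return "***"
    return f"{local[0]}{'*' * max(len(local) - 1, 1)}@{domain}"


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a card number; separators are dropped
    so the masked width does not leak the original formatting."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(value: str) -> str:
    """Deterministic replacement: the same input always yields the same token,
    so masked datasets can still be joined on it, but it cannot be reversed
    or recomputed by anyone who does not hold the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


# Which masker applies to which field; unlisted fields pass through unchanged.
MASKERS = {"email": mask_email, "card_number": mask_pan, "customer_id": pseudonymise}


def mask_record(record: dict) -> dict:
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in record.items()}


# Constructed sample records, as exported from a production table for a test environment.
SAMPLE = [
    {"customer_id": "C-001", "email": "alice@example.com",
     "card_number": "4111 1111 1111 1234", "order_total": "42.50"},
    {"customer_id": "C-001", "email": "alice@example.com",
     "card_number": "4111 1111 1111 1234", "order_total": "9.99"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(mask_record(row))
```

A masking audit (the third bullet above) can reuse `MASKERS`: run the masked export back through the same checks and flag any row where a listed field still matches its original raw value.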
A.8.12 Data Leakage Prevention
Overview: This control focuses on preventing unauthorised access to sensitive data. It involves implementing measures to detect and prevent data leaks, such as encryption, access controls, and monitoring.
Operational Controls:
- Data Leakage Prevention (DLP) Solutions: Implementing DLP solutions to detect and prevent data leaks. This can involve using tools that monitor data flows, detect sensitive data, and block unauthorised transfers.
- Encryption: Implementing encryption to protect sensitive data. This can involve using encryption technologies such as SSL/TLS for data in transit and AES for data at rest.
- Access Controls: Implementing access controls to restrict access to sensitive data. This can involve using multi-factor authentication (MFA), role-based access control (RBAC), and identity and access management (IAM) solutions.
A.8.16 Monitoring Activities
Overview: This control involves monitoring the organisation’s ICT systems and activities to detect and respond to security incidents. It involves implementing technologies and processes to continuously monitor system activity, identify potential threats, and take appropriate action.
Operational Controls:
- Security Information and Event Management (SIEM) Systems: Implementing SIEM systems to collect, analyse, and correlate security event data from various sources. This can help in detecting and responding to security incidents.
- Intrusion Detection and Prevention Systems (IDPS): Implementing IDPS to detect and prevent unauthorised access to the organisation’s ICT systems. This can involve using network-based and host-based IDPS.
- Regular Security Monitoring: Conducting regular security monitoring to detect potential threats. This can involve using automated tools to scan for vulnerabilities and conducting manual reviews.
A.8.23 Web Filtering
Overview: This control focuses on controlling access to websites and online content to protect against security threats. It involves implementing technologies to block access to malicious websites, filter inappropriate content, and monitor web activity.
Operational Controls:
- Web Filtering Solutions: Implementing web filtering solutions to control access to websites and online content. This can involve using tools that block access to malicious websites, filter inappropriate content, and monitor web activity.
- Web Filtering Policies: Developing and implementing web filtering policies that outline the procedures for controlling access to websites and online content. This can involve specifying the types of websites to be blocked, the methods to be used, and the retention periods.
- Regular Web Filtering Audits: Conducting regular audits to ensure that web filtering policies are being followed. This can involve reviewing filtering logs and conducting spot checks.
A.8.28 Secure Coding
Overview: This control ensures that software development practices prioritise security. It involves implementing coding standards, conducting code reviews, and using secure coding techniques to prevent vulnerabilities.
Operational Controls:
- Secure Coding Standards: Developing and implementing secure coding standards that outline the best practices for writing secure code. This can involve specifying the types of vulnerabilities to be avoided and the methods to be used.
- Code Reviews: Conducting regular code reviews to ensure that secure coding standards are being followed. This can involve using automated tools to scan for vulnerabilities and conducting manual reviews.
- Secure Coding Training: Providing secure coding training to developers to ensure they have the necessary skills and knowledge to write secure code. This can involve conducting regular training sessions and providing access to online resources.