PONT Data&Privacy
The updated Directive 27002: more grip on cyber security

The updated ISO 27002 (Code of Practice) is coming, containing a number of crucial changes compared with the previous version from 2013. Notable 'newcomers' include the themes of threat intelligence and vulnerability management, which are now a concrete part of the controls. What are the main areas of concern? What impact do the changes have on organizations?

BDO November 1, 2021

ISO 27001 is a framework for setting up and securing the challenging topic of cyber security within the organization in concrete terms. With the ISO 27001 certification, organizations demonstrate to clients that they control their information security and have properly secured the (processing of) data of those clients. 'Meeting this standard means that systems and work processes are demonstrably protected against data breaches and external threats,' explains Kees van Plas of BDO. 'Such a framework is often seen as "just a compliance framework", while the updated guideline is much more risk-based, and therefore more mature.'

Fewer control groups, but...

The ISO 27002 standard applies to any organization with an ISO 27001 certificate (except in the healthcare sector, for which the NEN 7510 standard applies) and provides direction and guidance on the complex subject of cyber security. 'For this new standard, organizations really have to roll up their sleeves again,' says Gerben den Dunnen of Meridion, partner at BDO. 'What is striking is that the original control groups have been reduced from fourteen to four. Although the controls are now grouped more conveniently, in fewer main groups, there are many controls below them and the complexity seems to have increased. At the same time, a focus on vulnerability management can help in taking the right, relevant measures in a timely manner.'

Threat intelligence

One of the new topics* being introduced is threat intelligence, in the sense that organizations must have the intelligence in place to properly respond to threats. 'A lot goes into doing that properly,' says Den Dunnen. 'You have to identify them and know what the impact of such a threat might be. Maybe it's a threat to you, but the impact isn't too bad. That's why it's important for organizations, with all process owners and stakeholders, to scrutinize those vulnerabilities.'

Vulnerability management

The concept of vulnerability has been made 'really explicit' for the first time in the updated standard, in the form of three pages of explanation about implementing that control. 'The concept of vulnerability is now part of twenty of those controls,' Kees Plas explains, 'whereas in the previous version it was only mentioned once separately. And now suddenly twenty times, which is quite a difference from before. The impact, of course, depends on the organization. After all, a threat does not necessarily mean a risk. It only becomes a risk when you are vulnerable to it. And that's where vulnerability management comes in.'

Key word is structure

Whatever the impact, every organization is required to declare for each of the 93 (!) controls whether it applies to the organization, its services and products, and what measures have been taken to make those declarations demonstrable. Den Dunnen: 'The key word is structure. You need a structure to properly secure these controls in your organization. Otherwise you're going to overlook things; it's too much.'

In doing so, Kees Plas emphasizes that the issue of vulnerabilities is not just technical. 'The challenge is that it is much broader than just IT. Vulnerability management is particularly dynamic and concerns the entire organization, from people to process. It is a way of working and a culture issue; everyone contributes to it. Vulnerabilities can be at all levels within the organization, and new vulnerabilities are also constantly emerging.' Den Dunnen: 'And the confluence of circumstances can then create a very serious situation. Those who comply with the new directive and embrace the changes create opportunities for themselves to better protect the organization against all the new threats.'

* The new topics in the new guideline are:

  • Threat intelligence

  • Identity management

  • Information security for use of cloud services

  • ICT readiness for business continuity

  • Physical security monitoring

  • User endpoint devices

  • Configuration management

  • Information deletion

  • Data masking

  • Data leakage prevention

  • Web filtering
