For the first time in almost a decade, changes have been made to the ISO 27001 standard and its associated code of practice (ISO 27002). Details of the changes were first released on February 15, 2022, and came into effect this October.
ISO 27001 (or ISO/IEC 27001:2005 to be precise) is a specification for an information security management system (ISMS), which is a framework of policies, procedures, and controls to support an organization’s information risk management processes. All ISO 27001 accredited businesses, and those that plan to become ISO 27001 accredited, are required to comply with the updated standard. Businesses that fail to do so will lose their accreditation, but they are given time to make the necessary changes. Any business that fails to make the necessary changes will lose its accreditation after 3 years. It is strongly recommended not to wait and to make the changes as soon as possible, as implementing the controls will help your business better manage and mitigate risk.
ISO 27002, which used to be known as a code of practice, is no longer referred to as such and is more accurately referred to as a set of information security controls. There have been some amendments and reorganization of the security controls, which now list 93 controls as opposed to the 114 in the 2013 version. These controls have also been grouped into 4 themes (people, organizational, technological, and physical) rather than the 14 clauses in the previous version.
Importantly for accredited businesses, 11 new controls have been added to the ISO 27002 information security controls:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Some of these controls are very similar to previous controls; however, they have been categorized as new, so organizations should ensure that they are compliant with these controls, even if they seem similar. It should be noted that these controls are not mandatory, as it is possible to exclude a control provided no related risks have been identified and the organization is not required to implement the controls to meet its contractual, regulatory, or legal requirements.
The ISO 27001/27002 Web Filtering Control
The web filtering control requires accredited businesses to implement a web filtering solution that lets them control the web content that can be accessed, in order to protect against web-borne threats such as malware, ransomware, and phishing. Web filters typically block malicious domains and IP addresses, such as those known to be used for phishing or malware distribution, using blocklists that are continuously updated from the latest threat intelligence. They also allow businesses to control the web content that users of their network can access, enforcing the organization's acceptable internet usage policy.
Web filtering is important as many threats are delivered via the Internet. Any employee with access to the Internet could easily navigate to a malicious site unless a web filter is in place to block that access, and phishing attempts delivered via email often have a web-based component. Should an attempt be made to visit a blocked site, the user is directed to a local block page that explains why the request has been denied.
WebTitan Cloud – Web Filtering Made Simple
As a provider of a DNS-based web filtering software-as-a-service (SaaS) solution – WebTitan Cloud – we would like to take this opportunity to introduce the solution and explain how it will help organizations comply with the web filtering controls of the revised standard.
WebTitan Cloud is a DNS-based web filtering solution delivered as a 100% cloud-based service. Because filtering decisions are made at the DNS lookup stage, the solution is lightning fast with no latency: each request is checked against the filtering controls in a fraction of a second, and no content is downloaded unless the filtering checks are passed.
WebTitan Cloud is fed threat intelligence from more than 500 million endpoints worldwide, which automatically updates the blocklists of known malicious content. Administrators can filter the Internet via 53 preset categories and 10 customizable categories to broadly block specific types of web content (anonymizers, pornography, gaming, gambling, dating, hacking, etc.). Content controls can also be applied based on the presence of user-defined keywords, with the content blocked if a certain score threshold is reached. WebTitan can also be configured to block specific file types from the Internet, such as executable files, to further reduce risk, and the solution can detect and block malware command-and-control communications at the DNS layer.
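To make the decision logic described above concrete (threat-intelligence blocklist, category policy, file-type control, and keyword-threshold scoring, with the reason a block page would show), here is a small policy evaluator written as an added illustration for this post. It is not WebTitan's code, and every domain, category, keyword weight and threshold in it is constructed sample data.

```python
"""Added illustration of a layered web-filtering decision (not WebTitan's code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed threat-intelligence blocklist; a live feed would update this set.
THREAT_BLOCKLIST = {"malware-drop.example", "login-verify.example"}
# Constructed category map used to enforce an acceptable-use policy.
CATEGORY_OF = {"anon-proxy.example": "anonymizers", "slots.example": "gambling",
               "docs.example": "business"}
BLOCKED_CATEGORIES = {"anonymizers", "gambling"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js"}
# Constructed keyword weights; content is blocked once the summed score hits the threshold.
KEYWORD_WEIGHTS = {"proxy": 2, "bypass": 2, "unblock": 1}
KEYWORD_THRESHOLD = 3

@dataclass
class Decision:
    allowed: bool
    reason: str  # the text a local block page would display to the user

def registrable(host):
    """Collapse a hostname to its last two labels so subdomains match list entries."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def filter_request(url, page_text=""):
    """Evaluate one request. Steps 1-2 need only the DNS query name; steps 3-4
    need the path and fetched content, so they run at a later inspection point."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable(host)
    # 1. Threat-intelligence blocklist, checked first at resolution time.
    if domain in THREAT_BLOCKLIST:
        return Decision(False, f"{host} is listed as malicious (threat intelligence)")
    # 2. Category-based acceptable-use policy.
    category = CATEGORY_OF.get(domain)
    if category in BLOCKED_CATEGORIES:
        return Decision(False, f"category '{category}' is blocked by policy")
    # 3. File-type control on the requested path.
    path = parts.path.lower()
    for ext in BLOCKED_EXTENSIONS:
        if path.endswith(ext):
            return Decision(False, f"download of '{ext}' files is blocked")
    # 4. Keyword scoring on page content against the configured threshold.
    score = sum(w for k, w in KEYWORD_WEIGHTS.items() if k in page_text.lower())
    if score >= KEYWORD_THRESHOLD:
        return Decision(False, f"keyword score {score} reached threshold {KEYWORD_THRESHOLD}")
    return Decision(True, "allowed")
```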
All controls can be accessed through an intuitive web-based interface, which also provides access to an extensive suite of reports that give administrators full visibility into the online activities of users, including real-time views down to the individual level. Controls can be implemented organization-wide, for locations, user groups, and individuals, with the solution integrating with directory services to make this as simple as possible.
One of the most important aspects of WebTitan Cloud, and a major reason for its popularity, is how easy the solution is to set up and use. Businesses can start blocking malicious content in a couple of minutes by pointing their DNS to WebTitan Cloud, and content control settings can usually be configured in about 20-30 minutes.
For more information on meeting your new web filtering obligations under ISO 27001/2 and details of WebTitan Cloud pricing, contact TitanHQ today. Also, feel free to sign up for a free trial of the solution to see for yourself how easy it is to start web filtering.