Page 84 - Cyber Defense eMagazine June 2024

introducing additional controls, introducing new policies and procedures to document how you fulfill those controls, and having enough time to evidence that you have met the controls.

October 2025 will be around the corner before you know it, and while avoiding the regulatory risks of non-compliance is a strong motivator to make these changes now, going beyond basic compliance will be key to building resilience against emerging threats and preventing attacks before they happen.



The biggest changes in ISO 27001:2022

There are several changes in the 2022 update of the ISO 27001 standard. This includes some reformatting of controls that were already required in the 2013 version, but there are also some completely new thematic areas that organizations will now need to demonstrate their compliance against.

These additional requirements include (but are not limited to) data leak prevention, web filtering, business continuity of ICT systems, physical security monitoring, management of configuration changes, secure coding, and threat intelligence.

The threat intelligence requirement, which I’ll focus on here (Annex A, Control 5.7), may be a completely new area for some organizations that don’t already have processes in place to collect and analyze information about threats, so it is worth paying specific attention to.



What is meant by threat intelligence in the ISO 27001:2022 standard?

The ISO 27001:2022 standard has very particular wording around the threat intelligence requirements: organizations have to be able to demonstrate a process for “collecting” and “analyzing” threat intelligence.

This means that the organization must understand:

•  Which threat actors could target their organization.
•  The threat models they need to apply to their systems.
•  The vulnerabilities that exist in their systems.
•  The exploits that exist and could be used against those vulnerabilities.

Organizations need to demonstrate that they collect information associated with each of these points and that the organization is able to analyze that intelligence, building it into threat assessments.



How can you gather threat intelligence?

Gathering robust and accurate threat intelligence will always require some form of software, and the software an organization will need to gather the necessary information about threats falls into two categories:







            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.