Also see her excellent book on the topic.
Sep 10 2021
Digital Driver’s Licenses: Unintended Consequences
Maryland recently joined seven other U.S. states to permit users to carry “digital driver’s licenses.” Under the program—which initially will work with Apple devices like iPhones—users can download a digital credential—a digital driver’s license—to their phones. The digital ID would be carried in the Apple digital wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver’s license is based on the International Standards Organization (ISO) standard which is described more fully here.
Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain the credential, whether the credential can be simultaneously loaded into multiple devices and whether I can “loan” my driver’s license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both local and connected validation—that is, a police officer needs to be able to check to see if you have an apparently valid ID at the scene of a violation or accident without access to online verification and they must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols—police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? A digital credential is much easier to spoof (simply do a screenshot) if there is no ability to validate online. Moreover, the validation must be robust enough to work reasonably well offline—things like a photo ID, a watermark, etc. You know, all the stuff we put on the “real ID” driver’s license.
Digital Driver’s Licenses: Unintended Consequences
Sep 07 2021
Securing your WordPress website against ransomware attacks
There are analysts around the globe who are continually being jolted awake in the middle of the night to respond to ransomware attacks. Because WordPress is the market share leader (39.5% of all websites are powered by WordPress; that number jumps to 64.1% for content management systems), my team of SOC analysts aren’t strangers to responding to WordPress security issues. The one lesson we’ve learned time and time again: Preventative security measures are the most effective steps you can take against ransomware attacks.
For businesses currently on the WordPress platform, we’ve put together five easy-to-follow tips:
Sep 03 2021
New BrakTooth flaws potentially impact millions of Bluetooth-enabled devices
Security flaws in commercial Bluetooth stacks dubbed BrakTooth can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.
The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.
As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.
“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “
The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).
The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities
Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)
Sep 01 2021
Feds Warn of Ransomware Attacks Ahead of Labor Day
Feds Warn of Ransomware Attacks Ahead of Labor Day
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.
Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.
While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.
Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.
“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.
That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.
History of Holiday Attacks
The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks
Aug 31 2021
Windows 11 Security Scare—MS Nixes Fixes on Older PCs
Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.
This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? That’s a recipe for disaster.
Stand by for Redmond to walk this one back in an embarrassing climbdown. In today’s SB Blogwatch, we hope against hope.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.
MSFT MBEC+HVCI FAIL
What’s the craic? Sean Hollister reports—“Microsoft is threatening to withhold Windows 11 updates if your CPU is old”:
Why leave us in the dark?”
Windows 11 won’t technically leave millions of PCs behind … so long as you download and manually install an ISO file. … But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows Updates … potentially even security updates.
…
It’s quite possible this is just a cover-your-ass measure. … But it’s also possible Microsoft genuinely does mean to withhold patches. … Microsoft declined to clarify things further.
…
Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. … Feature updates are probably less of a big deal. [But] why leave us in the dark?
Aug 26 2021
What is ISMS
Implementing an ISMS
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
ISO 27001 Risk Assessment and Gap Assessment
Aug 26 2021
T-Mobile Hacker Who Stole Data on 50 Million Customers
Their Security Is Awful’
A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach
The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s TMUS -1.63% systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
Aug 25 2021
How to Reduce Risk with Runtime Application Self Protection
Instead of waning, cyber attacks continue to rise as the years pass. Several reasons contribute to this phenomenon, despite developing and deploying more robust network and data security platforms. First, the recent spate of disruptive cyberattacks hampering operations of organizations and government agencies proves that cybercriminals are becoming bolder in perpetuating their malicious activities.
These nefarious actors attack small, medium, and large corporations and organizations. Several attacks were publicized. Most of them are high-profile ransomware victims: Kaseya, JBS, SolarWinds, Colonial Pipeline, Acer, AXA, and CAN Financial. Many of them opted to pay the ransom demand not to disrupt operations that can affect thousands of businesses and consumers.
The nagging question is why cyberattacks are happening more often today. First, attackers are getting more sophisticated. Second, many are organized hacking groups, while some are already identified as government-backed hackers. The increase in cyberattacks can be attributed to several reasons, namely:
- The willingness of many victims to pay the ransom;
- Increased use of unregulated cryptocurrencies, which are harder to trace;
- Publication of cyberattacks enticed other hackers to try the activity themselves, taking the publication of the attacks as successes of cybercriminals– this turned into a get-rich-quick scheme;
- Increasing numbers of people going online, especially amid the pandemic.
Table of Contents
- How to deal with cyber crimes
- Demand and market size of apps protection
- Benefiting from RASP
- The takeaway
Alice and Bob Learn Application Security
Aug 24 2021
Three reasons why ransomware recovery requires packet data
Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery that’s often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.
High-quality packet data is important for ransomware recovery in three critical ways: (a) For determining the timeframe for backup restoration; (b) For creating a record of the attack for incident response (especially for legal and compliance reporting); (c) and for analyzing the attack itself to prevent it from happening again.
How far back should we restore from?
Ransomware Protection Playbook
Aug 20 2021
Apple’s iPhone Backdoor
More on Apple’s iPhone Backdoor
In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here.
Apple says that hash collisions in its CSAM detection system were expected, and not a concern. I’m not convinced that this secondary system was originally part of the design, since it wasn’t discussed in the original specification.
Good op-ed from a group of Princeton researchers who developed a similar system:
Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices
Aug 19 2021
Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes
Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).
You’ll be pleased to know the researchers haven’t wasted their time dreaming up a fancy name or a logo. On the other hand, they’re far from hopeful that the problems can be fixed.
Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s SB Blogwatch, this is why we can’t have nice things.
Your humble blogwatcher curated these bloggy bits for your entertainment.
‘Infinite’ Amplification Ahoy
What’s the craic? Catalin Cimpanu reports—“Firewalls and middleboxes can be weaponized for gigantic DDoS attacks”:
Weaponizing this attack is relatively simple”
Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. … The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.
…
Reflective amplification … happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. … The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of … DDoS.
…
The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. … If the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect. … Weaponizing this attack is relatively simple.
Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures
Aug 18 2021
The 3 Rs of visibility for any cloud journey
While Security Orchestration Automation and Response (SOAR) solutions help automate and structure these activities, the activities themselves require telemetry data that provide the breadcrumbs to help scope, identify and potentially remedy the situation. This takes increasing significance in the cloud for a few reasons:
- The public cloud shared security model may lead to gaps in the telemetry (e.g., lack of telemetry from the underlying infrastructure that could help correlate breadcrumbs at the infrastructure level to the application level).
- Lack of consistency in telemetry information as applications increasingly segment into microservices, containers and Platform-as-a-Service, and as various modules come from different sources such as internal development, open source, commercial modules, and outsourced development.
- Misconfigurations and misunderstandings as control shifts between DevOps, CloudOps and SecOps.
- All the above coupled with a significant expansion of attack surface area with the decomposition of monolith applications into microservices.
When incidents occur, the ability to quickly size up the scope, impact and root cause of the incident is directly proportional to the availability of quality data, and its ability to be easily queried, analyzed, and dissected. As companies migrate to the cloud, logs have become the de-facto standard of gathering telemetry.
The challenges when relying almost exclusively on logs for telemetry
This book is designed for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. It covers practical strategies for assessing the security and privacy of your cloud infrastructure and applications and shows how to make your cloud infrastructure secure to combat threats, attacks, and prevent data breaches. The chapters are designed with a granular framework, starting with the security concepts, followed by hand-on assessment techniques based on real-world studies, and concluding with recommendations including best practices.
FEATURES:
- Includes practical strategies for assessing the security and privacy of your cloud infrastructure and applications
- Covers topics such as cloud architecture and security fundamentals, database and storage security, data privacy, security and risk assessments, controls related to continuous monitoring, and more
- Presents several case studies revealing how threat actors abuse and exploit cloud environments to spread malware
Aug 15 2021
List of mandatory documents required by ISO 45001
By Luke Irwin
ISO 45001 is the international standard that contains best practices for OH&S (occupational health and safety). Its goal is to reduce injuries and diseases in the workplace, including the promotion and protection of physical and mental health.
It’s an issue that’s more important than ever. In addition to the 2.78 million deaths and 374 million injuries each year from workplace incidents, countless others face mental health issues.
COVID-19 helped put some of those problems into relief, but it’s something organisations must continue to be vigilant about as the pandemic subsides.
In this blog, we look at the mandatory documentation and records you must complete to comply with ISO 45001 – as well as non-mandatory documents that can support your compliance activities.
Mandatory documentation
- Clause 4.3 Scope of the OH&S management system
- Clause 5.2 OH&S policy
- Clause 5.3 Responsibilities and authorities within OH&SMS
- Clause 6.1.1 OH&S process for addressing risks and opportunities
- Clause 6.1.2.2Methodology and criteria for assessment of OH&S risks
- Clause 6.2.2 OH&S objectives and plans for achieving them
- Clause 8.2 Emergency preparedness and response process
Mandatory records
- Clause 6.1.1 OH&S risks and opportunities and actions for addressing them
- Clause 6.1.3 Legal and other requirements
- Clause 7.2 Evidence of competence
- Clause 7.4.1 Evidence of communications
- Clause 8.2 Plans for responding to potential emergency situations
- Clause 9.1.1 Results on monitoring, measurements, analysis and performance evaluation
- Clause 9.1.1 Maintenance, calibration or verification of monitoring equipment
- Clause 9.1.2 Compliance evaluation results
- Clause 9.2.2 Internal audit program
- Clause 9.2.2 Internal audit report
- Clause 9.3 Results of management review
- Clause 10.2 Nature of incidents or nonconformities and any subsequent action taken
- Clause 10.2 Results of any action and corrective action, including their effectiveness
- Clause 10.3 Evidence of the results of continual improvement
Non-mandatory documents
In addition to mandatory documentation, there are many other parts of ISO 45001 that organisations may find relevant. This includes:
- Clause 4.1 Procedure for determining context of the organization and interested parties
- Clause 5.4 Procedure for consultation and participation of workers
- Clause 6.1.2.1 Procedure for hazard identification and assessment
- Clause 6.1.3 Procedure for identification of legal requirements
- Clause 7.4.1 Procedure for communication
- Clause 7.5 Procedure for document and record control
- Clause 8.1 Procedure for operational planning and control
- Clause 8.1.3 Procedure for change management
- Clause 9.1.1 Procedure for monitoring, measuring and analysis
- Clause 9.1.2 Procedure for compliance evaluation
- Clause 9.2 Procedure for internal audit
- Clause 9.3 Procedure for management review
- Clause 10.1 Procedure for incident investigation
- Clause 10.1 Procedure for management of nonconformities and corrective actions
- Clause 10.3 Procedure for continual improvement
Establishing an OH&S management system
Those looking for more advice tackling occupational health and safety may be interested in Establishing an occupational health & safety management system based on ISO 45001.
This book, written by consultant and trainer Naeem Sadiq, explains how organisations can use ISO 45001’s requirements to create a safer work environment.
You’ll find out the purpose and requirements of each clause in ISO 45001, learn how to build an OH&S management system in a step-by-step approach and receive real-world examples of health and safety issues along with the ideal way to handle that situation.
Aug 12 2021
Cobalt Strike Vulnerability Affects Botnet Servers
The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send.
How to Identify Cobalt Strike on Your Network
Aug 09 2021
Defeating Microsoft’s Trusted Platform Module
Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine.
They were not only able to get into the BitLocker-encrypted computer, but then use the computer to get into the corporate network.
Trusted Platform Modules: Why, when and how to use them
Aug 07 2021
The RedMonk Programming Language Rankings
This iteration of the RedMonk Programming Languages is brought to you by Microsoft. Developers build the future. Microsoft supports you in any language and Java is no exception; we love it. We offer the best Java dev tools, infrastructure, and modern framework support. Modernize your Java development with Microsoft.
While we generally try to have our rankings in July immediately after they are run, we generally operate these on a better late than never basis. On the assumption, then, that August is better than never, below are your RedMonk Q3 language rankings.
As always, these are a continuation of the work originally performed by Drew Conway and John Myles White late in 2010. While the specific means of collection has changed, the basic process remains the same: we extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends.
Our Current Process
The data source used for the GitHub portion of the analysis is the GitHub Archive. We query languages by pull request in a manner similar to the one GitHub used to assemble the State of the Octoverse. Our query is designed to be as comparable as possible to the previous process.
- Language is based on the base repository language. While this continues to have the caveats outlined below, it does have the benefit of cohesion with our previous methodology.
- We exclude forked repos.
- We use the aggregated history to determine ranking (though based on the table structure changes this can no longer be accomplished via a single query.)
For Stack Overflow, we simply collect the required metrics using their useful data explorer tool.
With that description out of the way, please keep in mind the other usual caveats.
Aug 06 2021
Conti ransomware affiliate goes rogue, leaks “gang data”
If you like a touch of irony in your cybersecurity news, then this has been the week for it.
Yesterday, we wrote about an exploitable security hole…
…inside a hacking tool that helps you exploit security holes.
Today, we’re writing about a ransomware-related data breach that leaked organisational information…
…from inside a ransomware group.
And if that’s not enough to bring a wry smile to your lips, then there’s more.
Today’s data breach includes a bunch of hacking tools that ransomware crooks love to use…
…including a buggy and exploitable pirated version of the very attack tool that we wrote about yesterday!
More on: Conti ransomware affiliate goes rogue, leaks “gang data”
FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks
Aug 05 2021
U.S. Taps Amazon, Google, Microsoft, Others to Help Fight Ransomware, Cyber Threats
Creation of the Joint Cyber Defense Collaborative follows high-profile cyberattacks on critical U.S. infrastructure
The U.S. government is enlisting the help of tech companies, including Amazon.com Inc., Microsoft Corp. and Google, to bolster the country’s critical infrastructure defenses against cyber threats after a string of high-profile attacks.
The Department of Homeland Security, on Thursday, is formally unveiling the initiative called the Joint Cyber Defense Collaborative. The effort will initially focus on combating ransomware and cyberattacks on cloud-computing providers, said Jen Easterly, director of the DHS’s Cybersecurity and Infrastructure Security Agency. Ultimately, she said, it aims to improve defense planning and information sharing between government and the private sector.
“This will uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime,” she said in an interview. Ms. Easterly was sworn in as CISA’s director last month. She was previously a counterterrorism official in the Obama White House, and the commander of the Army’s first cyber operations unit at the National Security Agency, America’s cyberspy agency.
‘This will uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime.’— Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency
U.S. Taps Amazon, Google, Microsoft, Others to Help Fight Ransomware, Cyber Threats
Department of Homeland Security and Information Sharing: Is It Working?
![Department of Homeland Security and Information Sharing: Is It Working? by [United State Army War College, U.S Army U.S Army]](https://m.media-amazon.com/images/I/417d4jwJrTS.jpg)
Aug 03 2021
ISO 27001 vs. ISO 27002: What’s the difference?
Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).
However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.
Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.
What is ISO 27001?
ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.
The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.
This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.
To meet these requirements, organisations must:
- Assemble a project team and initiate the project;
- Conduct a gap analysis;
- Scope the ISMS;
- Initiate high-level policy development;
- Perform a risk assessment;
- Select and apply controls;
- Develop risk documentation;
- Conduct staff awareness training;
- Assess, review and conduct an internal audit; and
- Opt for a certification audit.
What is ISO 27002?
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
This is because the Standard explains how each control works, what its objective is, and how you can implement it.
The differences between ISO 27001 and ISO 27002
There are three main differences between ISO 27001 and ISO 27001:
- Detail
If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.
Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.
- Certification
You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.
- Applicability
A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.
ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.
When you should use each standard
ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.
If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.
Learn the basics of information security
You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.
This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.
Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.
You’ll learn from expert information security consultants, as they explain:
- ISO 27001 management system documentation;.
- How to plan, scope and communicate throughout your ISO 27001 project; and
- The key steps involved in an ISO 27001 risk assessment.
Source: ISO 27001 vs. ISO 27002
Previous blog posts on ISO27k
Pentests are required for ISO 27001 or SOC2 audits
With ISO27001 how you should choose the controls needed to manage the risks
The importance of the Statement of Applicability in ISO 27001 – with template
Steps to implement ISMS (ISO 27001)
How FAIR & ISO 27001 Work Together
ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses
« Previous Page — Next Page »
