Control 5.6 in the newly revised ISO 27002:2022 or control 6.1.4 in ISO 27002:2013 recommends that organisations should establish and maintain contact with special interest groups or other specialist security forums and professional associations.
In general, a special interest group may be defined as an association of persons or organisations with an interest in, or working in, a certain field of expertise, where members cooperate / work to solve issues, generate solutions, and acquire knowledge. In our situation, this area of expertise would be information security.
Manufacturers, specialist forums, and professional groups are examples of such entities. The government is also an example of a special interest group.
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. The attributes for control 5.6 are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive #Corrective | #Confidentiality #Integrity #Availability | #Protect #Respond #Recover | #Governance | #Defence |
Most organisations today have some sort of relationship with special interest groups. They may be a customer group, supplier group, or a group that has some influence in the organisation. The purpose of control 5.6 is to ensure appropriate flow of information takes place with respect to information security among these special interest groups.
Control 5.6 covers the requirement, purpose and implementation guidelines on how to make contact with special interest groups to ensure that your organisation actively engages in regular contact and consultation with relevant stakeholders and interested parties, including consumers and their representatives, suppliers, partners and the government so as to improve their information security capabilities.
It is possible that these organisations will be able to identify security dangers that you may have ignored. As a partnership, both sides may benefit from each other’s knowledge in terms of new ideas and best practices, which is a win-win scenario.
In addition, these groups may be able to provide useful suggestions or recommendations regarding security practices, procedures, or technologies that can make your system more secure while still achieving your business objectives.
When it comes to meeting the requirements for Control 5.6 in ISO 27002:2022, it is important that organisations follow the implementation guidelines as defined by the standard.
According to control 5.6, membership of special interest groups or forums should be a means to:
The ISO/IEC 27000 set of standards requires that an information security management system (ISMS) be established and maintained. Control 5.6 is a crucial part of this process. Contact with Special Interest Groups is important as it can provide a way for you to receive feedback from peers regarding the effectiveness of your information security processes.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
Take 30 minutes to see how ISMS.online saves you hours (and hours!)
Book a meetingAccording to what has already been stated, control 5.6 in ISO 27002:2022, “Contact with Special Interest Groups,” is not a new control. This is essentially a modified version of control 6.1.4, which can be found in ISO 27002:2013.
While the fundamentals of the two controls are essentially the same, there are some minor modifications in the 2022 version of the control. In the case of ISO 27002:2022, the control’s purpose is stated in the standard. In the 2013 edition, this control purpose is missing.
Furthermore, while the implementation guidelines for both versions are the same, the phraseology used in each version differs.
All of these enhancements are intended to guarantee that the standard stays current and relevant in light of increasing security concerns and technological developments. Organizations will also benefit from this since it will make compliance with the standard easier.
In a typical organisation, the head of information security (also known as Chief Information Security Officer – CISO) is in charge of all aspects of data privacy and security, including compliance.
This role can also be handled by the Information Security Manager (ISMS Manager). However, regardless of who handles this role, it cannot go forward without buy-in by senior management.
ISMS.online is a
one-stop solution that radically speeded up our implementation.
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
If your organisation has already implemented ISO 27002:2013, you will need to update your procedures to ensure compliance with the updated standard, which was launched in February 2022.
While there will be some changes in the 2022 version, the majority of organisations should be able to make the necessary modifications with little trouble. Furthermore, certified organisations will have a two-year transition phase during which they can renew their certification to ensure that it complies with the new version of the standard.
Having said that our ISO 27002:2022 guide can help you better understand how the new ISO 27002 will impact your data security operations and ISO 27001 certification.
At ISMS.online, we’ve built a comprehensive and easy to use system that can help you to implement ISO 27002 controls and manage your entire ISMS.
ISMS.online makes implementing ISO 27002 easier by providing a set of tools to help you manage information security in your organisation. It will help you identify risks and develop controls to mitigate those risks, and then show you how to implement them within the organisation.
ISMS.online will also help you demonstrate compliance with the standard by providing a management dashboard, reports and audit logs.
Our cloud-based platform offers:
ISMS.online has all of these features, and more.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
