The cloud, remote working, AI – how does ISO 27002 address threats that didn’t exist just a few years ago?

The environment in which companies store and process information has changed more in the last few years than it did over the previous two decades. Data that once resided on a server in an office building’s basement is now scattered across the cloud, employees’ laptops working from home, SaaS applications and AI tools that teams use on a daily basis — often without the IT department’s knowledge. The 2022 update to the ISO 27002 standard addresses this reality. And it does so in a way that is practically useful for every business — not just for corporations with extensive security departments.

The cloud — convenience that requires new rules

The migration to the cloud has accelerated and there is no turning back. Google Workspace, Microsoft 365, SaaS-based ERP systems, data storage on AWS or Azure — these are everyday realities for businesses of all sizes. The problem is that the security model based on physical control of infrastructure ceased to function the moment data left the company’s own servers.

ISO 27002:2022 introduces dedicated safeguards in this area that were simply not covered by the previous version of the standard. These include, amongst other things, defining and enforcing policies for the use of cloud services, managing data stored with external providers, controlling who can transfer data between the on-premises environment and the cloud and under what conditions, and verifying the level of security offered by cloud providers.

For a company that uses several or a dozen or so cloud services — which is the norm today, not the exception — ISO 27002 provides a framework for managing this environment proactively, rather than reactively.

Remote working — the boundary between the office and home has disappeared

The pandemic forced remote working, but the hybrid working model is here to stay. Employees connecting to the company network via their home Wi-Fi, using personal devices to access work email, and receiving work messages on their phones — these are not exceptions; they are the norm. And each of these scenarios is a potential attack vector that traditional network perimeters do not protect against.

ISO 27002:2022 treats remote working as a separate area requiring dedicated security measures. This includes rules for using personal devices for work purposes, requirements for secure remote connections, clean desk and clear screen policies applicable outside the office, as well as managing the risks associated with an employee working in an environment that the company does not physically control.

These are not abstract requirements. They are a response to specific incidents that have happened to real companies — data leaks via unsecured connections, attacks on the accounts of remote workers, and the loss of devices containing company data.

Artificial intelligence — a new tool, new risks

AI has entered everyday work faster than any previous technological tool. Employees use language models to write content, analyse data, create code and summarise documents. They often do so without the company’s formal consent and without realising that the data they paste into an external AI tool may be processed and stored by the service provider.

ISO 27002 does not explicitly address AI — the standard only partly anticipates this trend — but it provides tools to manage this risk through existing safeguards: policies on the acceptable use of external tools, data classification specifying what may and may not leave the organisation, supplier management, and verification of the terms under which external services process data. Companies that have these elements in place are able to establish a sensible policy for the use of AI before an uncontrolled data leak occurs via a tool that employees are using in good faith.

Why does the 2022 update have practical significance?

The previous version of ISO 27002 dated from 2013 — an era before the rise of the cloud, before widespread remote working, and before AI. The 2022 update is not a cosmetic change. It is a standard rewritten with a view to how companies actually operate today — with distributed infrastructure, mobile workers and an ecosystem of external digital services.

For companies that have implemented the previous version of the standard, the update is an opportunity to review their security measures in light of threats that have since become a reality. For companies just starting out, the new version is tailored to the environment in which they actually operate — rather than the environment of a decade ago.
