What is Control 5.6 Contact with Special Interest Groups?
Special Interest Groups Explained
In general, a special interest group may be defined as an association of persons or organisations with an interest in, or working in, a certain field of expertise, where members cooperate / work to solve issues, generate solutions, and acquire knowledge. In our situation, this area of expertise would be information security.
Manufacturers, specialist forums, and professional groups are examples of such entities. The government is also an example of a special interest group.
Attributes Table
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. The attributes for control 5.6 are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #Governance | #Defence |
| #Corrective | #Integrity | #Respond | ||
| #Availability | #Recover |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is The Purpose of Control 5.6?
Most organisations today have some sort of relationship with special interest groups. They may be a customer group, supplier group, or a group that has some influence in the organisation. The purpose of control 5.6 is to ensure appropriate flow of information takes place with respect to information security among these special interest groups.
Control 5.6 covers the requirement, purpose and implementation guidelines on how to make contact with special interest groups to ensure that your organisation actively engages in regular contact and consultation with relevant stakeholders and interested parties, including consumers and their representatives, suppliers, partners and the government so as to improve their information security capabilities.
It is possible that these organisations will be able to identify security dangers that you may have ignored. As a partnership, both sides may benefit from each other’s knowledge in terms of new ideas and best practices, which is a win-win scenario.
In addition, these groups may be able to provide useful suggestions or recommendations regarding security practices, procedures, or technologies that can make your system more secure while still achieving your business objectives.
What Is Involved and How to Meet the Requirements
When it comes to meeting the requirements for Control 5.6 in ISO 27002:2022, it is important that organisations follow the implementation guidelines as defined by the standard.
According to control 5.6, membership of special interest groups or forums should be a means to:
- improve knowledge about best practices and stay up to date with relevant security information.
- ensure the understanding of the information security environment is current.
- receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities.
- gain access to specialist information security advice.
- share and exchange information about new technologies, products, services, threats or vulnerabilities.
- provide suitable liaison points when dealing with information security incidents.
The ISO/IEC 27000 set of standards requires that an information security management system (ISMS) be established and maintained. Control 5.6 is a crucial part of this process. Contact with Special Interest Groups is important as it can provide a way for you to receive feedback from peers regarding the effectiveness of your information security processes.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Differences Between ISO 27002:2013 and ISO 27002:2022
According to what has already been stated, control 5.6 in ISO 27002:2022, “Contact with Special Interest Groups,” is not a new control. This is essentially a modified version of control 6.1.4, which can be found in ISO 27002:2013.
While the fundamentals of the two controls are essentially the same, there are some minor modifications in the 2022 version of the control. In the case of ISO 27002:2022, the control’s purpose is stated in the standard. In the 2013 edition, this control purpose is missing.
Furthermore, while the implementation guidelines for both versions are the same, the phraseology used in each version differs.
All of these enhancements are intended to guarantee that the standard stays current and relevant in light of increasing security concerns and technological developments. Organizations will also benefit from this since it will make compliance with the standard easier.
Who Is In Charge Of This Process?
In a typical organisation, the head of information security (also known as Chief Information Security Officer – CISO) is in charge of all aspects of data privacy and security, including compliance.
This role can also be handled by the Information Security Manager (ISMS Manager). However, regardless of who handles this role, it cannot go forward without buy-in by senior management.
What Does This Mean for Organisations?
If your organisation has already implemented ISO 27002:2013, you will need to update your procedures to ensure compliance with the updated standard, which was launched in February 2022.
While there will be some changes in the 2022 version, the majority of organisations should be able to make the necessary modifications with little trouble. Furthermore, certified organisations will have a two-year transition phase during which they can renew their certification to ensure that it complies with the new version of the standard.
Having said that our ISO 27002:2022 guide can help you better understand how the new ISO 27002 will impact your data security operations and ISO 27001 certification.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.Online Helps
At ISMS.online, we’ve built a comprehensive and easy to use system that can help you to implement ISO 27002 controls and manage your entire ISMS.
ISMS.online makes implementing ISO 27002 easier by providing a set of tools to help you manage information security in your organisation. It will help you identify risks and develop controls to mitigate those risks, and then show you how to implement them within the organisation.
ISMS.online will also help you demonstrate compliance with the standard by providing a management dashboard, reports and audit logs.
Our cloud-based platform offers:
- An easy to use and customise documentation management system
- Access to a library of polished, pre-written documentation templates
- A simplified process for conducting internal audits
- An efficient method for communicating with management and stakeholders
- A workflow module to streamline the implementation process
ISMS.online has all of these features, and more.
Get in touch today to book a demo.
