By Ron Brill, President and Chairman of the Board, Anglepoint; ITAM Forum Board of Trustees Vice Chair; ISO ITAM Standards Committee Chair
The 3rd edition of ISO/IEC 27002:2022 (Information Security Controls) was published earlier this year. This standard provides a reference set of generic information security controls, including implementation guidance.
It is designed to be used by organizations within the context of an information security management system (ISMS) based on ISO/IEC 27001; for implementing information security controls based on internationally recognized best practices; or for developing organization-specific information security management guidelines.
ISO/IEC 27002:2022 contains 93 controls across 4 areas:
- 37 Organizational controls (section 5)
- 8 People controls (section 6)
- 14 Physical controls (section 7)
- 34 Technological controls (section 8)
3 of the 37 Organizational controls include, for the first time in ISO/IEC 27002, specific reference to the ISO/IEC 19770 series for IT Asset Management:
- 9 Inventory of information and other associated assets – a reference to ISO/IEC 19770-1
- 21 Managing information security in the ICT (Information and Communication Technology) chain – a reference to ISO/IEC 19770-2
- 32 Intellectual property rights – a reference to the ISO/IEC 19770 series
ITAM’s broader support for InfoSec
While ISO/IEC 27002:2022 specifically mentions ITAM in connection with the above three controls only, ITAM can and should provide much broader support for information security. This includes:
- Acquisition and deployment controls meant to prevent unauthorized software from being deployed and to minimize the number of software products and versions throughout the organization
- Lifecycle management controls meant to proactively identify and address software products that are reaching their end-of-life and will no longer receive security updates
- Support for daily security operations such as patch management and incident response, and many other examples
The old ITAM saying – that all ITAM professionals know – is now more true than ever before: You cannot manage what you don’t know you have.
Providing some context
My fellow ITAM Forum Trustee Rachel Ryan, First Vice-President – Global Head of IT Asset Management at Danske Bank, recently said:
“ITAM is there to help. At Danske Bank, we proactively work to put all the processes, approvals and governance in place to provide application owners, who hold responsibilities for a particular application, with the best possible information. And, we work with them, so they have the best possible chance. What’s installed? How many licenses are being used? Are there any risks? Are there any vulnerabilities around end-of-life? That’s what our ITAM team is there to do. We unearth, track and share this information. And, shame on us if we don’t.”
My fellow ITAM Forum Trustee Elise Cocks, IT Asset and License Management – Director at Freddie Mac, wrote in her recent ITAM Insights article, IT Asset Management’s important role in any Ransomware response plan:
“IT Asset Management should play an important role in any company’s incident response and Ransomware response plan. ITAM practitioners have the data at their fingertips to know which users have which assets. They can quickly help incident response efforts to identify the scope of a potential attack. They also have access to which users have which software or files installed, who has access to download licenses and software packages and can coordinate blocking access to infected files.”
A positive next step
The 3rd edition of ISO/IEC 27002 is a step in the right direction to help ensure ITAM plays the role that it can and should play in support of information security, as reflected in Gartner’s prediction that “50% of ITAM initiatives will be primarily driven by information security needs and concerns”.