International Standard - ISO 27002:2022 Report

The International Standard - ISO 27002:2022 compliance report helps you assess your web app's security against the standard's information security guidelines.

About the ISO 27002:2022

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.

National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity.

ISO 27002 provides guidelines and general principles for starting, implementing, maintaining, and improving information security management in an organization. To achieve information security, you implement a set of controls, such as policies, processes, procedures, organizational structures, and software and hardware functions. You must establish, implement, monitor, review, and improve these controls to meet your organization's specific security and business objectives.

ISO 27002 is intended to serve as a single reference point for identifying a range of controls required for industry and commerce systems, for developing organizational security standards, and for implementing effective security management practices.

Covered information

ISO/IEC 27002:2022 is a "code of practice" that supports ISO/IEC 27001. It doesn't set requirements. Instead, it provides detailed guidance on how to implement security controls.

The controls are grouped into four broad themes:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

Covered entities

All companies and other entities are encouraged to adopt the standard and start the process of improving information security management within the organization.

ISO 27002:2022 report vulnerabilities

The following table lists the specific ISO 27002:2022 vulnerability groups that AppScan Enterprise evaluates. Vulnerabilities found in your application are mapped to these vulnerability groups.

Table 1. Sections of the regulation
ID             Name
Control 5.14   Rules, procedures or agreements shall be in place for the secure transfer of information within the organization and with any external party.
Control 5.15   Rules to control physical and logical access to information and other associated assets shall be established and implemented on the basis of business and information security requirements.
Control 5.16   A process shall be established and implemented to manage the full life cycle of identities of users and other entities.
Control 5.32   Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual and business requirements.
Control 5.33   The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance is obtained.
Control 5.34   The organization shall identify and meet requirements regarding the protection of personally identifiable information (PII) in accordance with applicable legislation and regulation and contractual obligations.
Control 8.2    The allocation and use of privileged access rights shall be restricted and managed.
Control 8.3    Access to information and other associated assets shall be restricted in accordance with the established topic-specific access control policy.
Control 8.4    Read and write access to source code, development tools, and software libraries shall be appropriately restricted in order to prevent the introduction of unauthorized functionality, and to reduce the risk of errors and malicious code.
Control 8.5    Secure authentication technologies and procedures shall be implemented based on information access restrictions and the requirements of the information system.
Control 8.7    Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Control 8.8    Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken.
Control 8.9    Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Control 8.12   Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Control 8.20   Restrictions on connection times shall be used to provide additional security for applications and systems.
Control 8.21   Inactive sessions should shut down after a defined period of inactivity.
Control 8.24   Rules for the effective use of cryptography shall be defined and implemented.
Control 8.26   Security requirements of applications, including requirements derived from relevant information security standards and policies, shall be identified, specified and approved when developing and acquiring applications.
Control 8.32   The full life cycle of identities shall be managed.
Control 8.33   Allocation and management of authentication information shall be controlled by a formal management process.
Control 8.34   Access rights to information and other associated assets shall be provisioned, reviewed and adjusted on a regular basis, according to relevant requirements.