Rethinking Governance Through the Lens of Information Security Insights from ISO/IEC 27002:2022

Veda Praxis | Jan 13, 2026 | Technology

The concept of Operational Capabilities contained in ISO/IEC 27002:2022 serves as guidance for organizations in building governance to enhance information security. This concept consists of several interrelated aspects that form a framework for optimal information security.

Today, organizations face significant challenges in maintaining information security, including data leakage, cyberattacks, and non-compliance. Threats to information security do not only come from outside the organization, such as malware or phishing attacks, but also from within, such as human error or lack of awareness about the importance of data security. Therefore, information security governance becomes the main foundation for organizations to ensure the protection of their information assets.

ISO/IEC 27002:2022 provides guidance for organizations in building effective information security governance. One of its main approaches is the concept of Operational Capabilities, which refers to an organization’s ability to manage and control information security effectively. This concept can be a valuable guide for building information security governance that is adequate, effective, and sustainable. In practice, Operational Capabilities covers the distinct areas described below, each of which an organization must address to ensure information security.

Governance

Governance includes policies, duties and responsibilities, as well as continuous risk management. Organizations must have clear information security policies, covering objectives, scope, and accountability of all parties in safeguarding data. In addition, it is important to establish the right roles and responsibilities and ensure proper segregation of duties to reduce the risk of conflicts of interest.

Governance also includes incident management planning, which involves procedures for detecting, responding to, and recovering from security incidents. Engagement with authorities and relevant stakeholders is also an important part of governance to maintain organizational readiness in facing security threats.

Asset Management

Information asset management is crucial to ensure that all information and devices used within the organization are properly recorded and protected according to their level of importance. Asset inventory is the first step, where organizations identify all information assets, including data, hardware, and software.

After the inventory, organizations must ensure that these assets are well protected. For example, assets should be returned in an orderly way when an employee leaves, to avoid data leakage. In addition, protection of sensitive information, such as personal data or trade secrets, should be prioritized.

Organizations also need procedures for safe disposal of assets, such as physical document destruction or permanent data erasure from electronic devices.

Information Protection

Information protection includes information classification, data transfer provisions, and protection against theft or leakage. One of the biggest challenges is ensuring that personal and confidential information does not fall into the wrong hands. Therefore, implementing encryption technology, data masking, and non-repudiation provisions is necessary.

Additionally, organizations should have clear procedures for handling data leakage incidents, allowing them to quickly take steps to minimize impact, such as blocking unauthorized access, restoring lost data, and reporting the incident to authorities.

Human Resource Security

Human resource security in an organization covers screening candidates before hiring, information security awareness, and good management of the employment relationship throughout its lifecycle. Every employee should receive training on information security so they understand their responsibilities in protecting company data.

After an employee leaves, their access to company systems must be immediately revoked to prevent security risks. For instance, if an employee with access to sensitive data resigns, the organization must ensure that all accounts and privileges are deactivated.

Physical Security

Physical security focuses on protecting assets and facilities from physical threats that could endanger organizational information. This includes securing offices, CCTV monitoring, and strict physical access procedures. Only authorized individuals should be able to access critical facilities such as server rooms or archives.

In addition, organizations should implement clean desk policies where employees are required to clear their desks of sensitive documents or devices before leaving the office, reducing the risk of data theft.

System and Network Security

System and network security aims to protect the organization’s IT infrastructure from cyberattacks. This includes implementing firewalls, network segmentation, and malware protection. With increasing threats, organizations should continuously update security systems and apply real-time network monitoring to detect suspicious anomalies.

Moreover, organizations must ensure that all devices connected to the network, such as computers and IoT devices, are protected by up-to-date security software to prevent exploitation of vulnerabilities.

Application Security

Application security covers the software development lifecycle, from design to implementation and maintenance. Secure coding practices, security testing before deployment, and separation of development and production environments are essential aspects of application security.

Organizations should avoid using software from untrusted sources, as this increases exploitation risks. It is also important to ensure that all applications used are regularly updated to mitigate vulnerabilities.

Secure Configuration

Secure configuration ensures that systems and applications used by the organization are set up according to best security practices, including management of software/hardware configurations, restriction of privileged accounts, and implementation of the least privilege principle.

Systems must be regularly updated so that security patches are applied promptly after release to close known vulnerabilities.

Identity and Access Management

Identity and access management ensures that only authorized individuals can access certain information. Implementation of multi-factor authentication, strict access rights management, and periodic access reviews are necessary to reduce unauthorized access risks.

With evolving threats, organizations should continually update access policies, such as requiring employees to change passwords regularly and follow strong password standards.

Threat and Vulnerability Management

Threat and vulnerability management covers proactive threat monitoring and technical vulnerability management within organizational systems. Organizations need regular penetration testing and security audits to identify and close security gaps before malicious exploitation occurs.

Continuity

Maintaining information security during operational disruption is essential to business continuity. Organizations must have disaster recovery plans, including regular data backups, fast system recovery, and redundancy strategies, so that services remain operational even during security incidents.

Supplier Relationship Security

Security of supplier relationships involves assessing vendors and service providers with access to organizational systems or data. Organizations must ensure that suppliers also implement high security standards to prevent data leakage or misuse.

Legal and Compliance

Compliance with applicable laws and regulations is a key aspect of information security. Organizations must understand legal requirements related to personal data protection, intellectual property rights, and industry regulations. Compliance helps to reduce legal risks that may arise from security breaches.

Information Security Event Management

Security event management ensures that every security incident can be handled quickly and effectively. This includes reporting incidents, investigations, and recovery steps. Organizations should also maintain good record-keeping to support incident analysis and future improvements.

Information Security Assurance

Finally, regular monitoring and evaluation of security policies and systems should be implemented. With independent reviews and routine audits, organizations can ensure the relevance and effectiveness of security measures against evolving threats.

Integrated Control Ecosystem for Comprehensive Protection

Each aspect of Operational Capabilities forms an integrated control ecosystem that supports comprehensive protection of information assets. By integrating this approach into daily business processes, organizations can not only enhance resilience against cyber threats and internal risks, but also meet compliance obligations.

Implementation that is consistent and sustainable will strengthen stakeholder trust and ensure long-term operational continuity.

References:

[1] ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection - Information security controls.

This article was published in our quarterly newsletter Valoka Volume 5, 2025.