ISO 27002 is getting updated, finally!

More than eight years since its last face-lift, ISO 27002 is under review with a new version expected to be released later this year.  The reason for the update is to streamline and re-organise the 114 controls to better support organizations recognising the changed risk landscape of the modern information security environment. And not before time!

What can we expect with new information security code of practice?

  • Fewer controls – down to 93 from 114 controls
  • Some controls will be removed, others will be consolidated and some new ones will be added. The new controls include threat intelligence, information security for the use of cloud services, physical security monitoring, data leakage prevention, and more.
  • Controls will be organised into 4 categories: organisational, people, physical and technological controls, rather than the existing 14 categories (information security policies, organisational of information security, human resource security etc).

Background to ISO 27002

ISO/IEC 27002 is a guidance document, or a code of practice, designed to be used as a reference for selecting controls, while implementing an Information Security Management System (ISMS) based on ISO/IEC 27001.   The controls included in clauses 5 – 18 of ISO 27002 map to those in ISO 27001 Annex A, with much more detailed implementation guidance for each control included in ISO 27002.

While an organization can only get a certification for ISO 27001, ISO 27002 is essential as it explains how the required controls are implemented. The 2013 version of ISO 27002 has been under review for some time and the latest draft has already gone through several rounds of discussions and changes.

The target release date for the final version is late 2021.

Changes to ISO 27002

In summary, the new ISO 27002 consolidates the security controls of the standard into four new categories (i.e. Organizational, People, Physical and Technological) and updates the controls (removing some, merging others and adding in new controls).

The total number of controls will be reduced from current count of 114 controls to 93 controls divided into 4 categories (as opposed to the 14 domains in the existing version). The 4 new categories, and the number of controls in each, are:

  • Organizational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

The 16 controls to be removed – because they duplicate other controls or to enable better alignment in other areas – are:

  • Control 5.2.2: Review of the policies for information security
  • Control 6.2.1: Mobile device policy
  • Control 8.1.2: Ownership of assets
  • Control 8.2.3: Handling of assets
  • Control 9.4.3: Password management system
  • Control 11.1.6: Delivery and loading areas
  • Control 11.2.5: Removal of assets
  • Control 11.2.8: Unattended user equipment
  • Control 12.4.2: Protection of log information
  • Control 12.6.2: Restrictions on software installation
  • Control 13.2.3: Electronic messaging
  • Control 14.1.2: Securing application services on public networks
  • Control 14.1.3: Protecting application services transactions
  • Control 14.2.9: System acceptance testing
  • Control 16.1.3: Reporting information security weaknesses
  • Control 18.2.3: Technical compliance review

11 new controls are to be added to reflect the evolution in and updates to industry best practices over the eight years from release of the current version of ISO 27002.  The new controls to be introduced include:

  • Threat intelligence
  • Identity management
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Secure coding

Threat Intelligence is a new control of particular interest. To certify to ISO 27001, “information relating to information security threats should be collected and analyzed to produce threat intelligence.”

Some of the other changes to be implemented include:

  • The Inventory of Assets will have to be an “Inventory of information and other associated assets”.
  • The controls around the acceptable use of assets are changed as “Acceptable use of information and other associated assets”.
  • The policy on cryptographic controls and key management etc. modified as “Use of Cryptography controls”.
  • Event logging will be renamed as “Logging”.
  • The controls around maintaining Admin and operator logs will be integrated into “Monitoring activities”.
  • Information transfer policies and procedures and the control requiring an agreement on Information transfer will be integrated as one control under “Information transfer”.

What is the impact on current compliance with ISO 27002?

There is “No” impact at this point in time as ISO 27002 is code of practice. However, over time, changes will need to be implemented as organisations will need to prove they have considered all of the updated controls in the new version of ISO 27002 for implementation.

The target release date for the final version of ISO 27002:2021 is late 2021 and after that there will be a transition period from the current version to the new one.

Because ISO 27001 depends on ISO 27002, the upcoming changes to ISO 27002 will likely impact ISO 27001, and the certification will likely also be updated in the coming year (2022).

What should you do to prepare for the new ISO 27002?

Although there is a transition period, it is always worth being aware of the upcoming controls/changes.  They will be here in the next few months so it is time to start planning for how to update your ISMS based on the new practice.

Some steps to help plan what changes might be required:

  • The information security team should review the draft recommendations and the proposed 93 controls in the current draft of the new ISO 27002.
  • They should then perform a gap analysis between existing and new (draft) implementation guidelines, and wherever possible link to the existing documents and other  evidence of implementation, wherever possible.
  • Check the recommendations for new policies and procedures and start to plan how these might be implemented.
  • Think about raising awareness of the approaching changes among IT – Risk & Security management and with all relevant stakeholders (as required).  The changes are significant and it’s worth getting this into the planning cycle now.

How can Privacy 108 Help?

Our team of privacy and information security experts are available to assist you at any time with your privacy and security needs.

We are familiar with ISO 27001, 27002 and 27701 and other ISO standards and can support you in the design, implementation, maintenance and review of your Information security Management System.

Contact us to see how we might be able to help:

Compliance and risk. Sarah has extensive business experience in compliance, internal audit, and policy development.