Update to ISO 27002

Finally, ISO 27002 has been updated!

The information security management standard ISO 27001 and its code of practice ISO 27002 were last updated almost a decade ago.

Until now.

A new iteration of ISO 27002 was published on February 15, 2022, and a revised version of ISO 27001 is expected to be released later this year.

Here, we’ll explain what we know about the changes to ISO 27002, the proposed changes to ISO 27001, and how these changes affect organisations that are certified to ISO 27001.

What has changed?

Firstly, the phrase ‘code of practice’ has been omitted from the title of the updated ISO 27002 standard. The new title “ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls” better reflects the purpose of the standard, which is designed to be used as a guidance document when selecting information security controls while implementing an Information Security Management System (ISMS) based on ISO/IEC 27001.

The revised version provides a streamlined approach when selecting information security controls to address the modern risks presented in today’s information security environment.

This update focuses on not just information security but also the more technical aspects of cyber security, cloud services, web filtering and threat intelligence, as well as the human elements that come with privacy protection which has increased in popularity as data protection legislation has started to be updated across the globe.

Revised Controls

The updated standard provides a clearer structure of the controls that can be applied throughout an organisation as well as the designation of responsibilities.

The controls have been reorganised, some controls have been added, others merged for ease of understanding.

The total number of controls has been reduced. The new ISO 27002:2022 lists 93 controls rather than ISO 27002:2013’s previous count of 114 controls.

The 93 controls have been divided into four new categories, as opposed to the previous versions 14 clauses. The 4 categories, and the number of controls in each, are:

• Organizational (37 controls)
• People (8 controls)
• Physical (14 controls)
• Technological (34 Controls)

11 new controls have been introduced:

• Threat intelligence
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

24 controls have been merged

58 controls were updated in the new version

35 controls remained the same, only changing their control number.

ISO 27002 Annex A attributes

The new ISO 27002 Annex A demonstrates the use of five attributes as a way of creating different views of the controls, and we believe, making them easier to categorise:

• Control types: Preventive, Detective and Corrective
• Information security properties: Confidentiality, Integrity and Availability
• Cybersecurity concepts: Identify, Protect, Detect, Respond and Recover
• Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security etc.
• Security domains: Governance and ecosystem, Protection, Defence and Resilience

Our organisation has already implemented an ISO 27001 ISMS, what should we do now?

Whilst we understand that ISO 27001:2013 is currently under review and is expected to be released later this year, we are yet to receive confirmation of when the updated version will be published.

Until the revised version has been released, ISO 27001:2013 remains the current version of the ISMS standard.

What this means for you:

• Annex A of the ISO 27001:2013 standard, which references the 114 controls remains unchanged.
• Until the new version of ISO 27001 is published, your SoA (Statement of Applicability) must still refer to Annex A of ISO 27001:2013
• The controls in ISO 27002:2022 will be an alternative control set. These controls will need to be cross-refenced with Annex A of the ISO 27001:2013 standard. However, we believe this shouldn’t be viewed as a compliance burden, as ISO 27002:2022 includes an annex that compares its controls against the 2013 iteration, making the task of comparing the set of controls relatively straightforward.
• There is usually a two-year transition period to allow ISO 27001 certified businesses time to revise their ISMS to adapt to a new version of a standard, meaning there will be plenty of time to implement the changes without affecting your certificate.

As with any audit, preparation is key. We wouldn’t advise to leave it till the last minute to meet your new obligations, so when renewing your certification during the transition period, it is recommended to work in accordance with the new set of controls.

This is where the advantage of identifying and categorising the controls in-line with the new ISO 27002 Annex A attributes will help make it easier to focus your selections, making your ISMS easier to implement and manage.

How can Privacy 108 Help?

Please contact us to request a full list of controls in the new ISO 27002.

Our team of privacy and information security experts are available to assist you at any time with your privacy and security needs.

We are familiar with ISO 27001, 27002 and 27701 and other ISO standards and can support you in the design, implementation, maintenance and review of your Information Security Management System.

Contact us to see how we might be able to help: