
ISO 27002:2022 Update

What is ISO 27002?

By Wayne MaCcaw · Published 9 months ago · 3 min read

ISO 27002 provides organizations with guidance on the selection, implementation and management of information security controls. That guidance is meant to be applied in the light of each organization's own information security risk environment and risk tolerance, not as a fixed checklist.

The relationship between ISO 27001 certification and ISO 27002 is straightforward. ISO 27001 is the internationally recognized management system standard: it sets out a framework of best practice for managing information security and is the standard against which organizations are certified. It takes a risk-based approach, requiring organizations to identify their information security risks and select suitable controls to treat them. The controls themselves are listed in Annex A of ISO 27001, while ISO 27002 goes a step further and gives detailed guidance on how to implement each of them.

ISO 27002 was updated in February 2022 because the controls in both ISO 27002 and Annex A of ISO 27001 exist to counter prevalent information security risks, and the threat landscape does not stand still. The revisions in ISO 27002:2022, published on 15 February 2022, reflect threats that have emerged since the 2013 version was published, notably the growing range of cyber threats and the shift to remote and home-based working. The update also gave the International Organization for Standardization (ISO) an opportunity to restructure the Standard and make it easier to navigate and apply.

A number of key changes have been made compared with the 2013 edition of the Standard. The significant ones, as summarised by senior ISO 27001 consultants, are set out below:

THE TITLE

Firstly, ‘Code of Practice’ has been dropped from the title of the updated ISO 27002 Standard. This change is aimed at reflecting the intended use of the 2022 version as a reference set of generic information security controls and guidance.

Its full title is now ‘Information security, cybersecurity and privacy protection — Information security controls’. The wider title reflects a broader scope: the Standard now explicitly covers preventing, detecting and responding to cyberattacks, as well as protecting data.

CONTROLS:

The ISO 27002:2022 update consists of 93 controls rather than the previous 114.

Of the 93 controls:

• 58 have been updated

• 24 are the result of merging 57 of the previous controls

• 11 new controls have been introduced

THEMES:

The controls are now grouped into 4 ‘themes’ rather than the previous 14 clauses, so that related controls sit together in common categories. The themes are:

• Organisational (37 controls)

• People (8 controls)

• Physical (14 controls)

• Technological (34 controls).

INTRODUCTION OF ATTRIBUTES:

As well as grouping controls into the 4 themes, another significant change is the introduction of 5 ‘attributes’. Each control is assigned hashtag values for each attribute, which lets you filter, sort or present the controls in different ways, by:

• Control type (preventive, detective, corrective).

• Information security properties (relating to confidentiality, integrity, availability).

• Cybersecurity concepts (following the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions: identify, protect, detect, respond, recover).

• Operational capabilities (governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance).

• Security domains (governance and ecosystem, protection, defence, resilience).

Using the attributes is not mandatory, but they are expected to make it easier to categorise an organisation's controls, and they give organisations and industry bodies a ready-made way to view the Standard from their own perspective (for example, listing only the detective controls, or checking which controls support the ‘respond’ function).
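As an added illustration of how the attribute hashtags can be used in practice (this is example code written for this page, not part of the article or of ISO/IEC 27002), the following Python models a handful of controls with their five attributes and then filters, counts and groups them. The control identifiers and names follow the 2022 numbering, but the attribute assignments are constructed for the example and are not transcribed from the Standard; a real catalogue would be loaded from your own Statement of Applicability.

```python
"""Tag controls with the five ISO 27002:2022 attributes and query them.

Added example for this page, not code from the article or from ISO.
Identifiers/names use the 2022 numbering; the attribute values below are
illustrative and not copied from the Standard.
"""
from collections import Counter
from dataclasses import dataclass

# The fixed value sets of three of the five attributes.
CONTROL_TYPES = ("Preventive", "Detective", "Corrective")
CIA = ("Confidentiality", "Integrity", "Availability")
CYBERSECURITY_CONCEPTS = ("Identify", "Protect", "Detect", "Respond", "Recover")
SECURITY_DOMAINS = ("Governance_and_Ecosystem", "Protection", "Defence", "Resilience")


@dataclass(frozen=True)
class Control:
    ident: str        # 2022 numbering, e.g. "8.9"
    name: str
    theme: str        # Organizational / People / Physical / Technological
    tags: frozenset   # hashtag values across all five attributes


def tag(*values: str) -> frozenset:
    """Turn attribute values into the '#Value' hashtag form the Standard uses."""
    return frozenset("#" + v for v in values)


# Constructed sample catalogue (attribute assignments are illustrative only).
CATALOGUE = [
    Control("5.7", "Threat intelligence", "Organizational",
            tag("Preventive", "Detective", "Corrective", *CIA,
                "Identify", "Detect", "Respond",
                "Threat_and_vulnerability_management", "Defence", "Resilience")),
    Control("6.3", "Information security awareness, education and training", "People",
            tag("Preventive", *CIA, "Protect", "Human_resource_security",
                "Governance_and_Ecosystem")),
    Control("7.4", "Physical security monitoring", "Physical",
            tag("Preventive", "Detective", *CIA, "Protect", "Detect",
                "Physical_security", "Protection", "Defence")),
    Control("8.9", "Configuration management", "Technological",
            tag("Preventive", *CIA, "Protect", "Secure_configuration", "Protection")),
    Control("8.16", "Monitoring activities", "Technological",
            tag("Detective", "Corrective", *CIA, "Detect", "Respond",
                "Information_security_event_management", "Defence")),
]


def filter_controls(catalogue, *required):
    """Controls carrying every one of the given hashtags (AND semantics)."""
    wanted = tag(*required)
    return [c for c in catalogue if wanted <= c.tags]


def coverage(catalogue, attribute_values):
    """Number of controls per value of one attribute, zeros included."""
    counts = Counter()
    for value in attribute_values:
        counts["#" + value] = sum(1 for c in catalogue if "#" + value in c.tags)
    return counts


def gaps(catalogue, attribute_values):
    """Attribute values that no control in the catalogue is tagged with."""
    return [v for v, n in coverage(catalogue, attribute_values).items() if n == 0]


def group_by_theme(catalogue):
    """Present the catalogue the way the 2022 themes do: identifiers per theme."""
    grouped = {}
    for c in catalogue:
        grouped.setdefault(c.theme, []).append(c.ident)
    return grouped


if __name__ == "__main__":
    for c in filter_controls(CATALOGUE, "Detective", "Detect"):
        print(c.ident, c.name)
    print(dict(coverage(CATALOGUE, CYBERSECURITY_CONCEPTS)))
    print("no selected control covers:", gaps(CATALOGUE, CYBERSECURITY_CONCEPTS))
    print(group_by_theme(CATALOGUE))
```

The `gaps` view is the one worth keeping: run it over the controls you have actually marked as applicable in the SoA and any cybersecurity concept or security domain with a count of zero is a prompt to check whether the omission is a deliberate, risk-justified exclusion or an oversight. In this constructed catalogue no control carries `#Recover`, which is exactly the kind of question an auditor would raise.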

When was the ISO 27002:2022 Standard Released?

The new ISO 27002 edition was released on 15 February 2022.

What About ISO 27001?

The main management system clauses of ISO 27001 remain essentially unchanged, but Annex A is being revised to incorporate the new ISO 27002:2022 control set. At the time of writing the revised edition was expected in the fourth quarter of 2022 (ISO/IEC 27001:2022 was in fact published on 25 October 2022).

Until you transition to the updated ISO 27001, your existing Statement of Applicability (SoA) should continue to reference Annex A of ISO 27001:2013. It is nevertheless worth planning now for adoption of the current control set.

For organizations that are already certified to ISO 27001, the next steps are:

1. Acquire the updated version of the Standard.

2. Examine the alterations in the new ISO 27002 Standard along with its modified controls.

3. Undertake a comprehensive risk assessment and analysis (URM can support you with this).

4. Select the most pertinent controls to address identified risks and accordingly revise your Information Security Management System (ISMS) policies, standards, and related documents.

5. Revise and update your Statement of Applicability (SoA) to reflect the changes.


About the Creator

Wayne MaCcaw

I'm an experienced Information Security professional with extensive experience in both in-house and private practice. I have a thorough understanding of the key drivers behind effective IT and Information Security solutions.
