ISO 27002: 2022 Update
What is ISO 27002?
The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls, taking into account the organisation’s information security risk environment and appetite.
ISO 27001 is an international management system standard which provides organisations with a best practice framework for managing information security and is a standard which organisations can certify to.
The Standard takes a risk-based approach to information security management and requires organisations to identify their information security risks and select appropriate controls to mitigate them. Those controls are outlined in Annex A of the Standard with ISO 27002 going one step further and providing guidance on their implementation.
Why was ISO 27002 updated in February 2022?
The purpose of controls in ISO 27002 and by association controls in Annex A of ISO 27001 is to mitigate against common information security risks.
Naturally, threats will change over time, and the changes made in the ISO 27002:2022 Standard (published on 15 February 2022) reflect some of the threats that have emerged since the 2013 version was published, e.g. the increasing range of cyber-related threats and the move towards home and remote working.
It also provided the International Organization for Standardization with the opportunity to restructure and improve the format and user accessibility of the Standard.
There are several key changes that have been made to the new iteration of ISO 27002. You can find a breakdown of these below:
• The Title
Firstly, ‘Code of Practice’ has been dropped from the title of the updated ISO 27002 standard. This change is aimed at reflecting the intended use of the 2022 version as a reference set of generic information security controls and guidance.
Its full title is now ‘Information security, cybersecurity and privacy protection — Information security controls’, which reflects a broader context: preventing, detecting and responding to cyberattacks is now considered as well as protecting data.
The ISO 27002:2022 update consists of 93 controls rather than the previous 114.
Of the 93 controls:
• 58 have been updated
• 24 controls represent merging of previous controls
• 11 new controls have been introduced
The controls are now grouped into 4 ‘themes’ rather than the previous 14 clauses, so that controls sharing a common category sit together. The themes are:
• Organisational (37 controls)
• Technological (34 controls)
• Physical (14 controls)
• People (8 controls)
• Introduction of Attributes:
As well as grouping the controls into the 4 themes, another significant change is the introduction of 5 ‘attributes’, where you can assign hashtags to controls to enable you to filter, sort or present controls in different ways, i.e. by:
• Control type (e.g., preventive, detective, corrective).
• Information security properties (relating to confidentiality, integrity, availability).
• Cybersecurity concepts (following NIST approach with identify, protect, detect, respond, recover).
• Operational capabilities (e.g., governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, security assurance).
• Security domains (e.g., governance and ecosystem, protection, defence, resilience).
It is not mandatory to use attributes; however, it is argued that their use will make an organisation’s control categorisation process easier. Attributes can also help organisations and industry bodies apply the Standard in their own context.
What About ISO 27001?
Whilst the main management system clauses of the ISO 27001 Standard will remain the same, Annex A of the Standard will be amended to include the new ISO 27002:2022 control set, and the updated version is expected to be published in Q3 of 2022.
It is important to note that until the new version of ISO 27001 is rolled out, your Statement of Applicability (SoA) must still refer to Annex A of ISO 27001:2013, although it would be good practice to consider the latest and most up-to-date control set.
What are the next steps for organisations already certified to ISO 27001?
In terms of the next steps, the main activities to perform include the following:
• Purchase the updated standard.
• Review the new ISO 27002 standard and its control changes.
• Conduct a risk assessment/analysis. URM can assist you with this process.
• To mitigate any identified risks, select the controls that are most applicable and update your ISMS policies, standards etc. accordingly.
• Update your Statement of Applicability (SoA).
More about URM Consulting and how it could support your ISO 27001 journey
Since 2005, URM’s consultants have assisted nearly 300 organisations achieve and maintain certification to ISO 27001. We will ensure you never become a ‘slave to the Standard’ and that your ISMS is something which can easily be maintained and improved.