
ISO 27002:2013 versus the new ISO 27002:2022


ISO standards typically undergo a review cycle every five to seven years. The ISO 27002:2013 standard began this process in March 2018, and a draft was released in January 2021. The new ISO 27002:2022 was recently published on February 15th.


The 2022 version of the ISO 27002 Standard includes several improvements. Whether your organisation is planning to implement ISO 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) or you want to understand the impact of ISO 27002:2022 on your current ISO 27001:2013 certification, this article provides guidance on the main changes and questions.


ISO 27002:2022 is a guidance document that assists organizations in identifying and implementing controls for information security risk treatment within an information security management system based on ISO 27001:2013. Its purpose is to provide reference and guidance for information security, cybersecurity, and privacy protection.


ISO 27001:2013 vs ISO 27002:(2013 & 2022)


ISO 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within your business.

ISO 27002:2013 and its newest version (ISO 27002:2022) are international standards used as guides for selecting and implementing the information security controls listed in Annex A of ISO 27001:2013.

Unlike ISO 27001:2013, your organisation cannot become certified to ISO 27002: it is a guidance document and is therefore considered a supporting standard.


Note: These standards are also referenced as ISO/IEC 27001:2013 and ISO/IEC 27002:(2013 & 2022), the ISO/IEC prefix referring to the International Organization for Standardization and the International Electrotechnical Commission.


What’s new in ISO 27002:2022?


The first noticeable change is that the term “code of practice” was dropped from the title of the ISO 27002:2022 Standard, which is now titled Information security, cybersecurity and privacy protection — Information security controls. This better reflects its purpose as a reference for determining and implementing information security controls.

Although some controls have been merged or removed, resulting in 21 fewer controls, the ISO 27002:2022 document is actually longer than the previous edition, as it goes into more detail and includes comparisons with the older version.


Number of controls


There are now a total of 93 controls as opposed to the previous 114. They comprise:


11 new controls, added to bring the standard in line with the current information security and cybersecurity landscape:


5.7 Threat intelligence

5.23 Information security for use of cloud services

5.30 ICT readiness for business continuity

7.4 Physical security monitoring

8.9 Configuration management

8.10 Information deletion

8.11 Data masking

8.12 Data leakage prevention

8.16 Monitoring activities

8.23 Web filtering

8.28 Secure coding


24 controls merged from two, three or more controls of the 2013 version, in an effort to avoid redundancy between controls.


58 controls from the 2013 Standard that were reviewed and amended to reflect the current state of information security.


A new “Purpose” element has been introduced to the layout of each control. This is to reinforce why the control should be implemented.


New organisation into categories


The controls are now organised into 4 categories (from Clauses 5 to 8 of the standard), instead of the 14 domains from the 2013 version:


Organisational (Clause 5 of ISO 27002) – 37 controls

People (Clause 6 of ISO 27002) – 8 controls

Physical (Clause 7 of ISO 27002) – 14 controls

Technological (Clause 8 of ISO 27002) – 34 controls


To make it easier to filter and organise the controls that are relevant to an organisation, each control is now associated with attributes.

Attributes can be used to filter, sort or present controls in different views for different audiences. The attributes are divided into five categories, each with corresponding attribute values (to enable search capability in tools such as spreadsheets or databases).

These attributes were selected because they are considered generic enough to be used by different industries and types of organisation. An organisation can choose to disregard one or more of the given attributes and can also create its own for a customised view.


The updated ISO 27002:2022 Standard also contains:

Annex A – a table demonstrating the use of attributes as a way of creating different views of the controls.

Annex B – a table providing backwards compatibility with the controls in ISO/IEC 27002:2013, showing how the controls in this new version relate to the previous version. It also indicates where the new controls were included.


Expert Tip

Annex B is a good starting point when reviewing the standard to upgrade an existing Information Security Management System against the updated recommendations of ISO 27002:2022.


Will the changes to the ISO 27002 Standard affect my ISO 27001:2013 certification?


It is expected that an updated version of ISO 27001:2013 will be published in 2022. However, it is predicted to include changes only in Annex A (the part of the document that maps to the controls in ISO 27002:2022), while the main part of ISO 27001 (clauses 4 to 10) will remain the same.

Once the updated version of ISO 27001:2013 is published, a certified organisation must update its Statement of Applicability (SoA). The SoA is a document that shows how you have chosen to implement information security controls (referenced from Annex A) and shows the links between your information security risk assessment and risk treatment work. It includes the justification for including or excluding each control. Hence, when updating to ISO 27002:2022, organisations must review the existing controls listed in their SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.


How long do I have to update to ISO 27002:2022?


Once a new standard is released, there is typically a three-year transition period for certified organisations to update their management system. As ISO 27002:2022 is considered a supporting standard, this transition deadline will only take effect when the updated version of the ISO 27001:2013 Standard is published.

For now, there is no need to rush a revision based on the ISO 27002:2022 update, but if you can work with the new controls sooner rather than later, you will reduce the compliance burden and benefit from controls that should make your Information Security Management System easier to manage. Furthermore, this is an excellent opportunity to update your organisation’s controls to reflect the current state of, and demands on, business information security.




Rewritten by Lee Bragg on 16/07/2023