A lot can change in a decade, and this is especially true when it comes to technological advancements in the digital and cyber sphere. However, with new technology comes new avenues for cyber attackers to infiltrate your systems, extract your data, and spread malicious code across your network. The sophistication and quantity of cyber-attacks in 2022 is a concern for many organisations across the globe, and the International Organization for Standardization (ISO) has addressed these concerns by introducing a new iteration of the ISO 27002 standard.
ISO 27002 was last updated in 2013; the newest version was published in February 2022 (with a revised version of ISO 27001 expected to be released in October of this year). The primary purpose of ISO 27002:2013 was to provide a set of supporting controls for ISO 27001 certification that would protect the information and assets of an organisation.
While ISO 27002:2013 was primarily focused on information security, the evolving cyber security threat landscape meant that ISO 27002:2022 needed to broaden the scope of its controls to also encompass cyber security, information privacy, and vulnerability management.
ISO 27002 is not a certification in and of itself – instead, consider it as guidance for achieving ISO 27001 certification. It supports organisations in meeting the requirements of ISO 27001 Annex A and should be used as a reference for determining and implementing the controls that achieve the best information security practices for your organisation.
We can expect a revised version of ISO 27001 that reflects these changes by October 2022.
What are the changes?
The name:
The name of the standard has been amended to the following:
PREVIOUS (ISO 27002:2013): “Information technology – Security techniques – Code of practice for information security controls”
CURRENT (ISO 27002:2022): “Information security, Cybersecurity and privacy protection – Information security controls”
The control structure
The number of controls in ISO 27002:2022 has decreased from the 114 controls in the 2013 edition to 93 controls in the 2022 version. These controls are now grouped into 4 different ‘themes’ rather than the previous 14 clauses. The 4 themes are further supported by a collection of searchable attributes that can be assigned to each of the controls.
The new themes aim to group the controls according to who is responsible for them.
The 4 themes:
- Organisational controls (37 controls): Pertaining to policies and procedures
- People controls (8 controls): Pertaining to the staff and employees within your organisation
- Physical controls (14 controls): Pertaining to the safe management of your organisation’s facilities/offices/storage/equipment
- Technological controls (34 controls): Pertaining to the security of your IT infrastructure
Attributes:
The use of attributes is not mandatory; however, attributes can be used to filter, sort or present controls in different views for different audiences, making it easier to categorise and keep track of the controls.
Attributes can organise different aspects of your controls. For instance, controls can be attributed by control type as preventative, detective, or corrective, or by cyber security concept, such as identification, protection, detection, response, or recovery.
Essentially, attributes allow you to quickly align your controls with common industry language and standards, and to see how they relate to the controls of other standards.
The controls
A concerted effort was made to avoid control redundancy, so the revised ISO 27002 standard has 21 fewer controls than its predecessor. Some controls from the 2013 edition were removed, 24 controls were merged, and 11 new controls were introduced to reflect the current information security, physical security, and cyber security landscape.
The new controls are:
- Threat intelligence: understand the adversaries and methods of attack that are relevant to your organisation’s IT infrastructure, networks and systems.
- Information security for the use of cloud services: security strategies for cloud initiatives (from the introduction of new cloud solutions through ongoing operations to exit strategies) must be assessed and considered comprehensively.
- ICT readiness for business continuity: your business processes and your ability to recover operational capabilities should dictate the requirements for your IT infrastructure and landscape.
- Physical security monitoring: the use of alarms and monitoring systems to prevent unauthorised physical access.
- Configuration management: the hardening and secure configuration of IT systems and networks.
- Information deletion: compliance with data deletion policies and procedures.
- Data masking: techniques such as anonymisation and pseudonymisation to mask data and reinforce data protection.
- Data leakage prevention: compliance with best practices to prevent data from being leaked.
- Monitoring activities: network and application security monitoring to detect anomalies.
- Web filtering: preventing users from viewing URLs that contain malicious code.
- Secure coding: use secure coding tools, code comments and change tracking, and avoid insecure programming methods.
FAQs
Should you wait for ISO 27001:2022 before commencing certification?
Whether you should wait for the ISO 27001:2022 update or commence certification now depends on how urgently you need accreditation and on the current cyber risks or compliance requirements your business is facing. If you require certification urgently, then we would recommend commencing ISO 27001 implementation as soon as possible. The way you build and operate your ISMS will remain the same even after the update, so once the revision has been released you can simply map the new controls to the old Annex A controls. If getting certified is not a matter of urgency, then you’re more than welcome to wait until October for the release; however, we would suggest that you pre-emptively begin complying with the controls that address gaps and risks in your business and information security.
What if you’ve already begun the ISO 27001 process?
If you have already begun, or are nearing the end of, your certification process, your Statement of Applicability (SoA) must continue to refer to the ISO 27002:2013 annex controls up until the point that ISO 27001:2022 is released. The changes are moderate in nature, which means that the effort to align with the new standard should be minimal.
What changes should you expect to make once ISO 27001:2022 is published?
When ISO 27001:2022 is published you can expect to make the following changes:
- Adjusting information security procedures and policies
- Aligning risk management processes with the new controls
- Updating your Statement of Applicability
How quickly will you need to transition once ISO 27001:2022 is published?
Traditionally, organisations have been given a two-year transition period to revise and align with a new version of a standard, so you should have plenty of time to make the necessary changes to your ISMS.