The 2022 revision of ISO27002: ready for renewal?
ISO 27002 is a further elaboration of the ISO 27001 Annex A to support organizations during the implementation of an Information Security Management System (ISMS). The 27002 standard consists of a set of security measures to reduce information security risks.
It’s been eight years since the last official revision of the ISO/IEC 27002 standard (in 2013). Although ISO 27001:2013 was confirmed in 2019 (meaning there were no changes in the information security management system standard), ISO 27002 was definitely in need of improvement to further fulfill its role as a guideline for the implementation of the ISO 27001 Annex A security controls.
The new 2022 revision of ISO 27002 was published on February 15. In this blog, we want to describe the most important changes compared to the ISO 27002:2013 version. The changes concern not only the individual controls, but also how the standard is organized and used.
What’s the impact of this revision on the general structure of the standard?
The first thing we notice is the new structure of the ISO 27002:2022. The original 14 main sections were reworked, regrouped and reduced to 4 new main sections with 2 new attachments:
- Organizational security controls (clause 5, 37 security controls)
- Human security controls (clause 6, 8 security controls)
- Physical security controls (clause 7, 14 security controls)
- Technological security controls (clause 8, 34 security controls)
- Attachment A: the usage of attributes
- Attachment B: similarity to ISO/IEC 27002:2013
This new structure makes it easier to understand the applicability of the security controls at a high level, as well as the allocation of responsibilities.
Another important change: the number of security controls
This new version has reduced the number of security controls from 114 to 93. The technological advances and a better understanding of how to implement security controls seem to be the causes of this reduced number.
Looking at these 93 security controls, there are:
- 11 newly added controls
- 24 merged controls
- 23 renamed controls
- 1 completely removed control
The remaining 34 controls have not changed, apart from their identification number.
Future proof by adding attributes: #hashtag #all #the #way
In our opinion, this change brings the most value to this new version, because it offers a standardized way to sort and filter security controls by different views. These #hashtags help different groups within the organization select the controls that matter to them.
The attribute options for each security control are the following:
- Type of control: preventive, detective, and corrective.
- Information security features: confidentiality, integrity, and availability.
- NIST information security functions: identify, protect, detect, respond, and recover.
- Operational possibilities: governance, asset management, information protection, personnel security, physical security, system and network security, application security, safe configuration, identity and access management, vulnerability management, continuity, supplier relationship security, legal and compliance, security information and event management, and information security assurance.
- Security domains: governance and ecosystem, protection, defense, and resistance.
These features simplify the integration of ISO 27002:2022 security controls with other comparable information security standards, such as the NIST Risk Management Framework.
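To show how the attribute scheme described above can be used in practice, here is an added example (not code from the blog or from ISO) that tags a few controls with the page's own attribute vocabularies, validates the tags against those vocabularies, and produces a filtered view. The attribute key names and the sample control ids and titles are assumptions constructed for illustration, not values from the standard.

```python
from dataclasses import dataclass

# Attribute vocabularies exactly as listed on the page; the key names are assumed.
ATTRIBUTE_VALUES = {
    "control_type": {"preventive", "detective", "corrective"},
    "security_property": {"confidentiality", "integrity", "availability"},
    "nist_function": {"identify", "protect", "detect", "respond", "recover"},
}


@dataclass
class Control:
    control_id: str
    title: str
    attributes: dict  # attribute name -> set of values (one control may carry several)


def validate(control):
    """Return problems found: unknown attribute names, or values outside the vocabulary."""
    problems = []
    for name, values in control.attributes.items():
        allowed = ATTRIBUTE_VALUES.get(name)
        if allowed is None:
            problems.append(f"{control.control_id}: unknown attribute {name!r}")
            continue
        for value in sorted(values - allowed):
            problems.append(f"{control.control_id}: {name}={value!r} is not a valid value")
    return problems


def view(controls, **criteria):
    """Filter controls: every requested value must be present in the control's tags."""
    return [c for c in controls
            if all(v in c.attributes.get(name, set()) for name, v in criteria.items())]


def ids(controls):
    return [c.control_id for c in controls]


# Constructed sample controls; ids, titles and tags are invented for illustration.
SAMPLE = [
    Control("X.1", "Logging", {"control_type": {"detective"},
            "security_property": {"confidentiality", "integrity", "availability"},
            "nist_function": {"detect"}}),
    Control("X.2", "Backup", {"control_type": {"corrective"},
            "security_property": {"integrity", "availability"}, "nist_function": {"recover"}}),
    Control("X.3", "Access control", {"control_type": {"preventive"},
            "security_property": {"confidentiality"}, "nist_function": {"protect"}}),
    # A deliberately misspelled tag: validate() should flag it before it reaches the SoA.
    Control("X.4", "Misspelled tag", {"control_type": {"detectve"}, "nist_function": {"detect"}}),
]
```

Running `validate` over every control before building a view catches tags that would silently drop a control from a filtered Statement of Applicability.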
Finally, what does this mean for your information security management system (ISMS)?
If you have already implemented your ISMS according to ISO 27001, you don’t have to worry just yet. Whatever changes this new ISO 27002 revision brings, there’s a 2-year transition period for certified companies, and that period only starts when ISO 27001 is officially updated to be in line with these new controls.
As soon as these new controls become a part of ISO 27001 Annex A you will have to proceed with the following activities:
- Evaluate your risk management approach and make sure it’s in line with the new structure and classification of the security controls.
- Update the controls in the ‘Statement of Applicability’.
- Update your policies and procedures, and if necessary, write new documents related to the new controls.
Since the changes to the standard include 11 new controls, the evaluation of the risk management approach and the documentation will be your biggest tasks. It probably won’t require a major technological or process change.
How can spotit help?
Implementing changes to the ISMS of this magnitude, against a new version of the standard, can be demanding. Do you need support during this process? Spotit can offer advice, training, project and program management, and audit preparation, with professional guidance from our own team of ISO27K experts.