Does the new review of ISO 27002:2022 affect your organization?
The international standard ISO/IEC 27002 deals with information security. It was originally published in 2005 and revised in 2013, and it collects best practices for information security management. Until now the number of controls stood at 114, which makes for a heavy document that can be difficult to use and to bring to life in an organization.
The revision of this standard, published on February 15th, 2022, aims to refresh and modernize it by lowering the number of controls to 93 while reorganizing its sections to bring it closer to the NIST framework that is widely used in cyber risk management.
Reorganization of the ISO 27002 sections
When ISO 27002 was updated in 2013, the security controls were grouped into 14 chapters covering information security policies, human resources security, asset management, … and finally information security incident management and business continuity management.
There are now 4 sections and 2 annexes:
- Organizational controls
- People controls
- Physical controls
- Technological controls
- Annex A – Using attributes and implementation of ISO 27001 controls
- Annex B – Correspondence with ISO/IEC 27002:2013
This new structure makes the applicability of the controls easier to understand, especially through the use of attributes. In the new version of ISO 27002, each control has two new elements in its structure: the attribute table and the purpose. They greatly facilitate searching for information, sorting the controls and justifying why a given control is selected.
A better understanding of security practices
As explained in the introduction, the number of security controls has been reduced from 114 to 93. The remaining controls are much more detailed than the previous ones, which allows a better understanding of their goals. In total, 58 security controls are unchanged or changed only slightly, 57 controls have been merged, and 11 controls are newly created.
These 11 new controls are entitled:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
These changes keep the existing focus on the information security aspects of the company's processes and activities, while reducing the effort of implementing and maintaining the information security management system.
A standardized way of sorting and filtering controls
Furthermore, the attribute table, which is one of the most significant changes in this standard, makes it possible to group security measures together and no longer duplicate information from one control to another. There is a clear intention to open up the standard to other available frameworks such as NIST through the use of #tags:
- Control types: #Preventive, #Detective, #Corrective
- Cybersecurity concepts: #Identify, #Protect, #Detect, #Respond, #Recover
- Information security properties: #Confidentiality, #Integrity, #Availability
- Operational capabilities: #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
- Security domains: #Governance_and_Ecosystem, #Protection, #Defence, #Resilience
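Because every control now carries a value in each of these five attribute dimensions, sorting and filtering become a mechanical operation over sets of tags. The following Python script is an added illustration, not part of the original article and not text from the standard: it models a handful of the new controls with attribute tags, filters them by any combination of dimensions (for example, every #Detective control that maps to the NIST #Detect function) and reports which NIST functions a given selection leaves uncovered. The attribute values assigned to each sample control below were chosen for the illustration and must be checked against the standard's own attribute tables before being relied on; the dimension names and function names are this example's own.

```python
from dataclasses import dataclass

# The five attribute dimensions of the ISO 27002:2022 attribute table,
# named here for this example (the standard uses prose headings).
ATTRIBUTE_DIMENSIONS = ("control_type", "csf_concept", "property", "capability", "domain")
CSF_FUNCTIONS = ("#Identify", "#Protect", "#Detect", "#Respond", "#Recover")


@dataclass(frozen=True)
class Control:
    number: str
    title: str
    control_type: frozenset  # #Preventive / #Detective / #Corrective
    csf_concept: frozenset   # #Identify / #Protect / #Detect / #Respond / #Recover
    property: frozenset      # #Confidentiality / #Integrity / #Availability
    capability: frozenset    # operational capabilities
    domain: frozenset        # security domains


def tags(*values):
    return frozenset(values)


CIA = tags("#Confidentiality", "#Integrity", "#Availability")

# Constructed sample: a subset of the new controls with attribute values
# assigned for illustration only (verify against the standard before use).
SAMPLE_CONTROLS = [
    Control("5.23", "Information security for use of cloud services",
            tags("#Preventive"), tags("#Protect"), CIA,
            tags("#Supplier_relationships_security"),
            tags("#Governance_and_Ecosystem", "#Protection")),
    Control("7.4", "Physical security monitoring",
            tags("#Preventive", "#Detective"), tags("#Protect", "#Detect"), CIA,
            tags("#Physical_security"), tags("#Protection", "#Defence")),
    Control("8.10", "Information deletion",
            tags("#Preventive"), tags("#Protect"), tags("#Confidentiality"),
            tags("#Information_protection", "#Legal_and_compliance"), tags("#Protection")),
    Control("8.11", "Data masking",
            tags("#Preventive"), tags("#Protect"), tags("#Confidentiality"),
            tags("#Information_protection"), tags("#Protection")),
    Control("8.12", "Data leakage prevention",
            tags("#Preventive", "#Detective"), tags("#Protect", "#Detect"),
            tags("#Confidentiality"), tags("#Information_protection"),
            tags("#Protection", "#Defence")),
    Control("8.16", "Monitoring activities",
            tags("#Detective", "#Corrective"), tags("#Detect", "#Respond"), CIA,
            tags("#Information_security_event_management"), tags("#Defence")),
    Control("8.28", "Secure coding",
            tags("#Preventive"), tags("#Protect"), CIA,
            tags("#Application_security", "#System_and_network_security"),
            tags("#Protection")),
]


def filter_controls(controls, **criteria):
    """Return the controls carrying every requested tag in every requested dimension.

    Example: filter_controls(controls, control_type=["#Detective"], csf_concept=["#Detect"])
    """
    for dimension in criteria:
        if dimension not in ATTRIBUTE_DIMENSIONS:
            raise ValueError(f"unknown attribute dimension: {dimension}")
    return [
        control for control in controls
        if all(set(wanted) <= getattr(control, dimension)
               for dimension, wanted in criteria.items())
    ]


def coverage_by_csf_function(controls):
    """Map each NIST CSF function to the sorted numbers of controls tagged with it."""
    return {function: sorted(c.number for c in controls if function in c.csf_concept)
            for function in CSF_FUNCTIONS}


def uncovered_functions(controls):
    """CSF functions that no control in the selection addresses: a quick gap check."""
    return [function for function, numbers in coverage_by_csf_function(controls).items()
            if not numbers]


if __name__ == "__main__":
    detect = filter_controls(SAMPLE_CONTROLS, control_type=["#Detective"], csf_concept=["#Detect"])
    print("Detective controls mapped to NIST Detect:")
    for control in detect:
        print(f"  {control.number} {control.title}")
    print("Coverage by CSF function:", coverage_by_csf_function(SAMPLE_CONTROLS))
    print("Functions not covered by this selection:", uncovered_functions(SAMPLE_CONTROLS))
```

The gap check is the point of the exercise: once controls are tagged, a selection drawn from the Statement of Applicability can be projected onto the NIST functions, and any function with no control behind it stands out immediately instead of being discovered during an audit.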
Changes ahead for your Information Security Management System
If you are already ISO 27001 certified, we advise you to adopt a proactive approach by starting to update your information security management system (ISMS) now. There will be a 2-year transition period for aligning with the new controls, starting after the official update of ISO 27001.
To become compliant, you will also need to adjust your risks and their treatment so that they are aligned with the new control structure and numbering. Reviewing the Statement of Applicability is recommended as well. Finally, policies and procedures will need to be updated to include the new security controls. This change in the standard will therefore also involve additional documentation work.
Note that this standard is tied to your risk assessment methodology. You will still be able to select only the elements appropriate for your organization from the updated set of good practices, and the new attributes make that control selection easier and more efficient.
The ISO/IEC 27002:2022 standard is available on the official website, ISO.org.
Learn more about the smartcockpit governance solution
The Smartcockpit solution offers a pre-formatted ISO 27001 cockpit that will help you set up your governance. It facilitates reporting and allows you to generate your documentation automatically, which represents a considerable time saving for our customers.
To help you understand the issues related to digital governance and cyber risk management, you can download our white paper designed in collaboration with Abilene Advisors.