In February 2022, the new iteration of ISO 27002 was published. This page will explain the key changes and how they will affect organisations that are certified or planning to be certified to ISO 27001.
The manner in which we handle data and the pace required to access information has shifted dramatically in the last 9 years. Thus, a review of ISO 27001 was needed to reflect the current information security landscape, with the focus on the Annex A controls. The update is expected to be published later this year. To align with the updates, amendments to ISO 27002 were necessary to fulfil its role as a guide for the implementation of ISO 27001 Annex A controls.
What’s Changed?
The set of controls has been reviewed and updated to reflect the current information security landscape. Some controls have been merged, removed, or added. These controls have now also been regrouped into 4 main categories: People, Organisational, Technological, and Physical.
Regrouping of Categories
The 14 categories have been regrouped into 4 main categories, or themes, making controls easier to find. The 4 new categories are:
- People (8 controls) – if they concern individual people, such as remote working, screening, confidentiality or non-disclosure agreements.
- Organisational (37 controls) – if they concern the organisation, such as policies for information, return of assets, information security for use of cloud services.
- Technological (34 controls) – if they concern technology, such as secure authentication, information deletion, data leakage prevention, or outsourced development.
- Physical (14 controls) – if they concern physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms and facilities.
Updates to Controls
All of the ISO 27002 controls have been thoroughly reviewed and refined with up-to-date guidance. With this, the 114 controls have now been reduced to 93 controls – with 11 new controls, 24 merged controls, and the remaining 58 controls updated.
The 11 new controls are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Monitoring activities
- Web filtering
- Secure coding
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
The updates provide organisations with controls that are easier to understand, relevant to the current information security landscape, and adaptable to each organisation and industry body.
The Introduction of Attributes
Organisations can now use attributes to create different views, which make it easier to categorise controls from perspectives other than the 4 themes. Attributes can be used to filter, sort or present controls in different views for different audiences. Note, the use of ‘attributes’ is not mandatory. In ISO/IEC 27002, Annex A explains how this can be achieved and provides examples. The examples include:
- Control Types – preventative, detective, corrective
- Information Security Properties – confidentiality, integrity, availability
- Cybersecurity Concepts – identify, protect, detect, respond, recover
- Operational Capabilities – governance, asset management, information protection, human resources security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management, information security assurance
- Security Domains – governance and ecosystem, protection, defence, resilience
An organisation can also define its own ‘attributes’ with different values to address its specific needs.
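An added example (not from ISO or from the original page) of what an attribute-based view looks like in practice: controls are tagged with values from the Annex A example attributes, organisation-defined attributes (here a constructed "owner" attribute) are accepted alongside them, and the same control set is filtered into different views and checked for its preventative/detective/corrective balance. The control names are the new 27002:2022 controls listed above; the attribute values assigned to them are constructed for illustration and are not the standard's own tagging.

```python
from collections import Counter
from dataclasses import dataclass

# Example attribute vocabularies from ISO/IEC 27002:2022 Annex A (as listed on this page).
# Any attribute name not in VOCAB is treated as organisation-defined and accepts any value.
VOCAB = {
    "control_type": {"preventative", "detective", "corrective"},
    "property": {"confidentiality", "integrity", "availability"},
    "concept": {"identify", "protect", "detect", "respond", "recover"},
}
THEMES = {"People", "Organisational", "Technological", "Physical"}


@dataclass
class Control:
    name: str
    theme: str
    attrs: dict  # attribute name -> set of values (a control may carry several values)


def validate(control):
    """Return a list of problems: an unknown theme, or a value outside an Annex A vocabulary."""
    problems = []
    if control.theme not in THEMES:
        problems.append(f"{control.name}: unknown theme {control.theme!r}")
    for attr, values in control.attrs.items():
        allowed = VOCAB.get(attr)
        if allowed is None:
            continue  # organisation-defined attribute: no fixed vocabulary
        for bad in sorted(values - allowed):
            problems.append(f"{control.name}: {bad!r} is not a valid {attr} value")
    return problems


def view(controls, **wanted):
    """Filter to controls carrying every requested value, e.g. view(cs, control_type='detective')."""
    return [c for c in controls if all(v in c.attrs.get(a, set()) for a, v in wanted.items())]


def balance(controls, attr="control_type"):
    """Count how many controls carry each value of an attribute (a control counts once per value)."""
    counts = Counter()
    for c in controls:
        counts.update(c.attrs.get(attr, set()))
    return dict(counts)


# Constructed sample: real control names, illustrative (not official) attribute values.
SAMPLE = [
    Control("Threat intelligence", "Organisational", {"control_type": {"preventative", "detective", "corrective"}, "concept": {"identify", "detect", "respond"}, "owner": {"SOC"}}),
    Control("Physical security monitoring", "Physical", {"control_type": {"preventative", "detective"}, "concept": {"protect", "detect"}}),
    Control("Secure coding", "Technological", {"control_type": {"preventative"}, "concept": {"protect"}}),
    Control("Data masking", "Technological", {"control_type": {"preventative"}, "property": {"confidentiality"}}),
    Control("Monitoring activities", "Technological", {"control_type": {"detective", "corrective"}, "concept": {"detect", "respond"}}),
]
```

Running `view(SAMPLE, control_type="detective", concept="respond")` gives the "detect and respond" view for a SOC audience, while `balance(SAMPLE)` shows whether the chosen control set leans too heavily on one control type.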
Benefits of the Update
The new layout encourages organisations to review their information security management systems (ISMS) and rethink which controls are necessary.
The updates also provide an opportunity for organisations to test their ISMS maturity. In other words, have the organisation’s controls kept up with the current organisational landscape, or are there large gaps?
Furthermore, the new structure of ISO 27002 makes it much easier to understand, and provides an improved balance of preventative, detective, and corrective controls.
How Does this Affect You?
For Organisations Implementing ISO 27001
Until the new version of ISO 27001 is published, organisations currently implementing or looking to certify to ISO 27001 can continue to use the current controls in Annex A, while referring to the new set of controls in ISO 27002 for guidance.
Should Organisations Planning to Certify to ISO 27001 Wait Until the New Standard is Published?
In short, the answer is no. Waiting until the new standard is published will leave your organisation at greater risk. You will lose nothing by implementing an information security management system that conforms to ISO 27001:2013 and using the existing Annex A control set. The updates to the standard will include the new structure and controls referenced in ISO 27002.
For Organisations Already Certified to ISO 27001
The International Organization for Standardization (ISO) has indicated that the updates will predominantly be to the controls in Annex A, to reflect the updates in ISO 27002.
Typically, there is a 2-3 year transition period to give organisations sufficient time to update their management systems so that they align with the changes. However, we do not recommend waiting until the last minute to meet your new obligations.
Organisations can prepare by assessing the new controls and starting to update their Statement of Applicability (SoA). It is best to start preparing for the changes as soon as you can, during the transition period, so you can begin implementing the new controls, make any adjustments for better integration, and reduce the compliance burden before your next audit.