Home/News & Resources/Blog/ISO 27002:2022 – Understanding the Key Changes and The Impact on Your Organisation
5 mins read

ISO 27002:2022 – Understanding the Key Changes and The Impact on Your Organisation

March 9, 2022
Topics: News & Resources Auditing & Certification Information Security

In February 2022, the new iteration of ISO 27002 was published. This page will explain the key changes and how they will affect organisations that are certified or planning to be certified to ISO 27001.

The manner in which we handle data and the pace required to access information has shifted dramatically in the last 9 years. Thus, a review of ISO 27001 was needed to reflect the current information security landscape, with the focus on the Annex A controls. The update is expected to be published later this year. To align with the updates, amendments to ISO 27002 was necessary to fulfil it’s role as a guide for the implementation of ISO 27001 Annex A controls.

What’s Changed?

The set of controls have been reviewed and updated to reflect the current information security landscape. Some controls have been merged, removed, or added. These controls have now also been regrouped into 4 main categories that include People, Organisational, Technological, and Physical.

Regrouping of Categories

The regrouping of 14 categories to 4 main categories or themes, making them easier to find. The 4 new categories include:

  • People (8 controls) – if they concern individual people, such as remote working, screening, confidentiality or non-disclosure agreements.
  • Organisational (37 controls) – if they concern the organisation, such as policies for information, return of assets, information security for use of cloud services.
  • Technological (34 controls) – if they concern technology, such as secure authentification, information deletion, data leakage prevention, or outsourced development.
  • Physical (14 controls) – if they concern physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms and facilities.

Updates to Controls

All of ISO 27002 controls have been thoroughly reviewed and refined with up-to-date guidance. With this, the 114 controls have now been reduced to 93 controls – with 11 new controls, 24 merged controls, and the remaining 58 controls updated.

The 11 new controls are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Monitoring activities
  • Web filtering
  • Secure coding
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention

The updates provide organisations with controls that are easier to understand, relevant to the current information security landscape, and versatile to each organisation and industry body.

The Introduction of Attributes

Organisations can now use attributes to create different views, which make it easier to categorise controls as seen from a different perspective to the 4 themes. Attributes can be used to filter, sort or present controls in different views for different audiences. Note, the use of ‘attributes’ is not mandatory. In ISO/IEC 27002, Annex A explains how this can be achieved and provides examples. The examples include:

  • Control Types – preventative, detective, corrective
  • Information Security Properties – confidentiality, integrity, availability
  • Cybersecurity Concepts – identify, protect, detect, respond, recover
  • Operational Capabilities – governance, asset management, information protection, human resources security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management, information security assurance
  • Security Domains – governance and ecosystem, protection, defence, resilience

An organisation can also define its own ‘attributes’ with different values to address its specific needs.

 

Benefits of the Update

The new layout encourages organisations to review their information security management systems (ISMS) and have a rethink on necessary controls.

The updates also provide an opportunity for organisations to test their ISMS maturity. In other words, has the organisation’s necessary controls been keeping up with the current organisational landscape or are there large gaps?

Furthermore, the new structure of ISO 27002 makes it much easier to understand, and provides an improved balance of preventative, detective, and corrective controls.

 

How Does this Affect You?

For Organisations Implementing ISO 27001

Until the new version of ISO 27001 is published, organisations currently implementing or looking to certify to ISO 27001 can continue to refer to current controls in Annex A,  and refer to the new set of controls in ISO 27002.

Should Organisations Planning to Certify to ISO 27001 Wait Until the New Standard is Published?

In short, the answer is no. Waiting until the new standard is published will leave your organisation at greater risk. You will lose nothing by implementing an information management system that conforms to ISO 27001:2013 and use the existing Annex A control set. The updates to the standard will include the new structure and controls referenced in ISO 27002.

For Organisations Already Certified to ISO 27001

The International Organization for Standards (ISO) has indicated that the updates will predominately be on the controls in Annex A to reflect the updates in ISO 27002.

Typically, there is a 2-3 year transition period to enable organisations sufficient time to update their management system so they align with the changes. However, we do not recommend waiting until the last minute to meet your new obligations.

Organisations can prepare by assessing the new controls and start updating their Statement of Applicability (SoA). It is best to start preparing for the changes as soon as you can, during the transition period, so you can begin implementing the new controls, make any adjustments for better integration and reduce the compliance burden before your next audit.

Contact us for more information and help on preparing for the changes.
Contact Us

Latest Information Security News & Resources

Building Brand Resilience With Second Party Audits
News & Resources Auditing & Certification Crisis Management & Brand Resilience
Adopting a custom or second-party audit program can improve performance and compliance in the supply chain and retail outlets alike.
Read More
Climate Action Amendments to ISO Management System Standards
News & Resources Auditing & Certification Information Security
The 2024 Climate Action Amendments to ISO Management System Standards represent a significant effort by the International Organisation for Standardisation (ISO) to integrate climate considerations into a wide range of management standards. These amendments were introduced in support of the ISO London Declaration on Climate Change and aim to ensure that organisations incorporate climate change considerations into their management systems, enhancing their effectiveness in achieving intended outcomes.
Read More
Unleashing the power of technology for food safety management in Australia
News & Resources Auditing & Certification Information Security
In the ever-evolving landscape of food safety management, the integration of innovative technology emerges as a game-changer.  This article will explore the relationship relationship between technology and food safety, providing insight into how innovative solutions can empower a proactive approach to ensuring the highest standards in global food safety and act as a critical enabler for a safer and more transparent food supply chain.
Read More

Contact Us

Sales Enquiries

assurance@saiglobal.com

Not a sales enquiry? Click here to view our office locations and contact details.
Chat with us
We have noticed that your visiting our site from
Continue
Or select a different country