With the rise in cybercrime worldwide, information security remains a global concern. Many organizations rely on ISO/IEC 27001 and ISO/IEC 27002 to improve their security posture. ISO/IEC 27001 gives organizations a framework for managing information security through an information security management system (ISMS).
ISO/IEC 27002, on the other hand, provides implementation guidance for the information security controls that ISO/IEC 27001 lists in its Annex A.
ISO/IEC 27002 has recently been revised and published as ISO/IEC 27002:2022, and its changes are expected to be carried over into Annex A of ISO/IEC 27001:2013 by means of an amendment.
The Main Changes in ISO/IEC 27002:2022
Number of Controls
In the latest version of ISO/IEC 27002, the previous 114 information security controls have been consolidated into 93 controls, grouped into four themes:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
Newly Introduced controls
The following 11 controls are new in ISO/IEC 27002:2022 (numbered by their clause in the 2022 edition):
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Restructure of sections
The previous version, ISO/IEC 27002:2013, had 14 control sections. The 2022 revision replaces them with four sections and two annexes:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
This new structure is expected to make it easier to allocate responsibilities for controls and to determine which controls apply.
Merged Controls
Although the number of controls has been reduced, no controls were dropped from the 2022 edition; instead, a number of the 2013 controls were merged.
Two examples of merged controls are shown below (2013 control numbers on the left, 2022 control on the right):
Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.
How is ISO/IEC 27002:2022 impacting ISO/IEC 27001?
ISO/IEC 27001:2013 will be amended (the amended edition is referred to as ISO/IEC 27001:2013+A1:2022). Through this amendment, the changes in ISO/IEC 27002:2022 will be reflected in Annex A of ISO/IEC 27001, which will become a normative list of the 93 new controls.
What is the main difference between ISO/IEC 27001 and ISO/IEC 27002?
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system. Because it states requirements, organizations can be certified against it.
ISO/IEC 27002 is an international standard that serves as a reference for selecting, implementing, and managing the information security controls listed in Annex A of ISO/IEC 27001, and as guidance on good practice in information security management.
The main difference, then, is that organizations can be certified against ISO/IEC 27001 but not against ISO/IEC 27002, which is supporting material for implementing the requirements and controls of ISO/IEC 27001.
What are the main changes in ISO/IEC 27001?
The main body of ISO/IEC 27001, clauses 4 to 10, will not change.
The main changes to ISO/IEC 27001 will therefore be:
- The number of Annex A controls will be reduced from 114 to 93
- Annex A will be replaced with a normative version of the 93 new controls from ISO/IEC 27002:2022
- In clause 6.1.3 c), the wording “comprehensive list of control objectives and controls” will be toned down to the more appropriate “possible information security controls”
When should we start implementing the newest changes?
The amendment to ISO/IEC 27001 that is expected to be published this year will change only Annex A; clauses 4 to 10 will remain the same. A good starting point is therefore to update your current documentation against the new controls, beginning with your risk assessment. From there you can update existing policies and procedures, or develop new ones, to match the new controls, and update your security metrics so that they reflect both the revised risk assessment and the changes to Annex A. Once the updated Annex A of ISO/IEC 27001 is published, you will need to update your Statement of Applicability so that it is aligned with the new list of controls.
Augean Stables will update its training courses accordingly and will offer other resources to make the transition period easier.
About the Author
Omon Ilaboya is a GRC Consultant at Augean Stables Solutions. If you have any questions, please do not hesitate to contact him: omon.ilaboya@augeanstablessolutions.com.
One Reply to “Latest Changes on ISO/IEC 27002:2022”
Mark (06 Sep 2022): Thanks for your blog, nice to read. Do not stop.