Revision of ISO/IEC 27002 - What to expect?
ISO/IEC 27002 Information security, cybersecurity and privacy protection — Overview of new controls
By Saju S Pillai
ISO 27002 is going through the process of change – the old 2013 revision with 113 security controls is being transformed into a more modern standard with 93 controls and better structure and is currently in the form of Final Draft International Standard (FDIS).
This FDIS was published by the International Organization for Standardization (ISO) in November 2021, while the final version of ISO 27002 is expected to be released in the first half of 2022 and will be the same as the FDIS ISO 27002 presented in this blog (or with only slight changes). Because ISO 27002 is a supporting standard for ISO 27001 implementation, it is expected that Annex A of ISO 27001 will be aligned with ISO 27002 during 2022.
Rather than the 14 sections of the previous version, ISO 27002 now has only four sections and two annexes:
Organizational controls (clause 5): This section contains all controls related to various organizational issues, comprising 37 controls.
People controls (clause 6): This section focuses on controls related to human resources security, comprising 8 controls.
Physical controls (clause 7): This section focuses on controls related to the physical environment, comprising 14 controls.
Technological controls (clause 8): This section focuses on controls related to technological solutions, comprising 34 controls.
Annex A – Using attributes: This annex provides a matrix of all the new controls, and it compares their attributes and provides suggestions on how the controls might be used according to their attributes.
Annex B – Correspondence with ISO/IEC 27002:2013: This annex provides a mapping between controls from this version and the controls from the previous 2013 edition.
The reduced number of sections, and the addition of an annex with guidance on how to use the controls, makes it easier to understand the applicability of controls and designation of responsibilities. This new version has reduced the number of controls from 114 to 93. Technological advancements, and an improvement in the understanding of how to apply security practices, are the reasons for the change in the number of controls.
11 New Controls
23 Renamed Controls
A total of 23 controls have had their names changed for the sake of easier understanding; however, their essence remained the same as in the old standard:
Although the number of controls has been reduced, no controls were excluded in this new version, only merged for the sake of better understanding.
A total of 57 controls have been merged into 24 new controls:
Controls with no changes
There are 35 controls remained the same, only changing their control number:
If you already have your Information Security Management System implemented according to ISO 27001, you don’t have to worry too much for now – no matter which changes the new ISO 27002 revision will bring, the changes in controls will be mandatory only after ISO 27001 is updated to align to these changes.
This document is an opinion article based on the publicly available information provided here. It is noted the document is under preparation for final publication and is subject to changes.