Key changes on ISO/IEC 27002 and how it affects your certification
Is ISO/IEC 27001 going for a revision too?
By Saju S Pillai
ISO/IEC 27002 Key changes
ISO/IEC 27002:2022 is divided into four chapters. This is one of the major change or approach compared to ISO/IEC 27002:2013, which has fourteen chapters.
The following are the four pillars or chapters in building an effective ISMS:
Organizational controls (chapter 5)
People controls (chapter 6)
Physical controls (chapter 7)
Technological controls (chapter 8)
It’s no more just IT Security controls, it’s IT security, Cyber security and Privacy controls – this also means that a detailed and organisation-wide implementation could help organization to have a better control over all possible security related issues. It’s all depends on how detail is your scoping, understanding the context, risk assessment etc.
What’s changed in this revision?
The security controls contained in Annex A have been updated. The total number of controls decreased from 114 to 93)
Controls are now grouped in 4 main domains (instead of the previous 14) and are tagged for easier reference and use.
11 new controls have been introduced, whilst none of the controls was deleted, many controls were merged together, thereby reducing the overall number.
The addition of new controls, updates and merging of controls reflect the current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding, and Data Loss Protection (DLP).
How it will impact ISO/IEC 27001 or ISMS certification standard?
An amendment to ISO/IEC 27001, which is the main standard to which companies are certified against and stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022.
What’s the Adoption timeline for 27002 changes?
Despite the changes set out within the ISO/IEC 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as it is the norm with any ISO standard. This period will only start after ISO/IEC 27001 is officially updated and published. More details will be updated as soon as we have more info.
Control change summary of ISO/IEC 27002
35 controls remained the same with change in control number and realigned to the 4 sections;
11 new controls were added;
23 controls have been renamed to make them easier to understand
Even though the number of controls have been reduced (from 114 to 93 ); no controls are excluded;
57 controls have been merged into 24 controls;
Only one control was split; Control 18.2.3 Technical Compliance Review was split into: 5.3.6 – Compliance with policies, rules and standards for information security; and 8.8 – Management of technical vulnerabilities
How will this updates impact your current Certification?
ISO/IEC 27002 updates do not impact your current certification against ISO/IEC 27001. Only ISO/IEC 27001 updates (which will happen somewhere in Q4 of 2022 – expecting/hoping/anticipating) have an impact on existing certifications and the accreditation bodies will work with the certification bodies on a transition cycle which gives organisations holding an ISO/IEC 27001 certificate ample time to transition from one version to another.
Important note to all organisations getting ISMS certification:
Not all of the nearly 90+ example control measures detailed in ISO/IEC 27002 are relevant for every organisation, but when they are, they must be in place in order for your organisation to comply with ISO/IEC 27001.