In the wake of the current pandemic and other geopolitical developments, it has become crucial that organisations, regardless of their size, safeguard themselves against activities which can adversely impact security, such as ransomware or the misconfiguration of an asset.
To safeguard against such activities, organisations adopt standards and frameworks which help them build a robust and secure business. One such widely recognised standard is the ISO 27000 series, more specifically ISO 27001, which an organisation can certify against, and ISO 27002, which provides guidance on how to implement an ISMS (Information Security Management System).
Up until February 2022, organisations and auditors were following the guidance of ISO 27002, initially released in 2013 and revised twice, in 2014 and 2015. Those editions are now withdrawn with the establishment of the new ISO 27002:2022 edition.
Let’s take a look at what has changed in the new version of ISO 27002.
| | ISO 27002:2013 | ISO 27002:2022 |
|---|---|---|
| Name | Information Technology, Security Techniques, Code of Practice for Information Security Controls | Information Security, Cybersecurity and Privacy Protection – Information Security Controls |
| Controls – Total | 114 | 93 (11 New) |
| Categories/Clauses | 14 | 4 (Organisational, People, Physical, Technical) |
Themes and Attributes
Other notable changes:
- 56 controls from ISO 27002:2013 were merged into 24 controls in the new edition.
- There is also a minor change in the Introduction: the section formerly known as “Selecting Controls” has been separated into two sections, “Controls”, which defines what controls are, and “Determining Controls”, which is essentially the same as “Selecting Controls” in ISO 27002:2013.
- Each control now has two additional sections, an “Attributes table” and a “Purpose” section. The attributes table is specific to each control and comprises all five attribute categories.
- Apart from the new inclusions and the merging of controls, the new edition has dedicated attributes for each control, listed below.
| Attribute | Values |
|---|---|
| Control Type | Preventive, Detective, Corrective |
| Information Security Property | Confidentiality, Integrity, Availability |
| Cybersecurity Concepts | Identify, Protect, Detect, Respond, Recover |
| Operational Capabilities | Governance, Asset Management, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, Information Security Assurance |
| Security Domain and Scope | Governance and Ecosystem, Protection, Defense, Resilience |
With organisations adopting new technologies such as cloud services at a higher rate, an update to the 2013 standard was long awaited, yet ISO 27001 and 27002 did not adapt to such changes for the last few years. The new edition, however, covers many of these areas and has been updated to suit current needs in cybersecurity.
What does implementing ISO 27002:2022 mean for organisations?
Organisations were quick to realise that they needed to get certified against controls that validate a security posture aligned with the current threat landscape. As consultants, we at AR Innovate have many clients of different sizes and business models. For a long time we were not able to audit them or give guidance in alignment with ISO 27002, and had to rely on other standards for clients whose architecture is entirely serverless on cloud services; the narrative has changed with the new edition. We are now able to consult and audit them specifically for their business model, slowly integrating this into their existing ISO 27001 certification process as well.
For organisations already certified against ISO 27001:2013, things to consider:
- Identify which old controls have been merged into which new controls and implement the new controls as guided (According to your Statement of Applicability) to further enhance their security posture.
- Recognise ID changes in clauses: as opposed to two additional levels in ISO 27002:2013, there is only one additional level for each clause.
  E.g., ISO 27001:2013 – A5 -> 5.1 -> 5.1.1, 5.1.2
  ISO 27002:2022 – A5 -> 5.1, 5.2, 5.3
- Since the hard work is already done, you can start implementing the new controls within the next year or two, making your organisation ready to get certified against the new ISO 27001:2022.
For organisations implementing ISO 27001:2022 in future, there are multiple benefits:
- Where business requirements call for compliance with other standards, e.g., NIST CSF, you have the opportunity to align your security posture categorically from the initial stages of implementing the ISMS itself.
- For example, when you implement an ISMS according to ISO 27002:2022, you can easily map your controls to NIST CSF by taking the Cybersecurity Concepts attribute into consideration, and satisfy both sets of requirements.
- Since ISO 27002:2022 covers the major domains in cybersecurity, it is safe to say that if you are compliant with ISO 27001, you have built the foundation to comply with other industry-specific compliance requirements as well.
- With the introduction of attributes, organisations can now customise their approach from the beginning, reducing the overhead after implementation.
- For example, you can categorise controls by Control Type or Information Security Property, assign duties accordingly, and focus on the areas which matter the most in critical times. After an incident you can quickly sort and analyse the detective and corrective controls to assess their effectiveness and update them.