ISO/IEC 27002:2002: What should we know about the recent changes to the ISO standard?
When we talk about cybersecurity, it is common to hear that you will never be 100% secure, due to various situations that have their degree of complexity, starting from users, hardware, software, and the balance that must exist between the usability of these systems and the security they need. And it is important to emphasize this fact, that we cannot say that a system is completely secure, however, we can make this system safe against known vulnerabilities. Part of the responsibilities in the world of compliance is to analyze the havoc that cybercrime causes on a daily basis, to an endless number of industries, from small to multinationals and in all areas, whether public or private sector, and also be aware of the vulnerabilities that exist and that could be affecting your organization and be able to prevent future damage. Knowing about the standards that are available to make this possible is indispensable to be able to act in time.
Within these standards, we find ISO/IEC 27001 and ISO/IEC 27002, which have as their main goal to improve the information security of an organization. ISO/IEC 27001 has an approach that aids towards the management of an information security system, while ISO/IEC 27002 will provide the guidance to follow this aforementioned standard, in such a way that it is implemented in a proper and effective way.
Recently, on February 15, 2022, an updated version of the ISO/IEC 27002 standard has been published, which will also have an effect on ISO/IEC 27001. Now, certain questions arise about these changes, and in particular, one that encompasses most of these for all organizations that are already certified, that are in, or that are being sought: what is the impact of these changes? In order to understand this update, it is necessary to know what the standard in question already includes.
What does ISO/IEC 27002 refer to?
This is defined to be used as a basis when implementing the controls described in the ISO 27001 standard, which describes the ideal processes to follow when dealing with risk and when applying these processes, to an information security management system (ISMS). It includes the best practices and requirements based on Annex A of the ISO 27001 standard that will aid during its implementation, as well as its maintenance and improvement. These risks and vulnerabilities open up as seen during the previously conducted risk assessment.
What can be expected from the ISO/IEC 27002 update?
The new version of the standard has been updated, mainly in order to simplify the implementation process, broadly speaking the changes are reflected in Annex A (clauses 4 to 10 remain unchanged): the number of sections has decreased from 14 to 4 sections; the number of controls has also been updated from 114 to 93, in addition, new controls have been added and with all this the changes that are required (numbering, fusion, and separation, structure and attributes).
Thus, implicated changes to the Information Security Management System that will be applied gradually over 2/3 years, duration of the transition period for companies that are already certified, happening as soon as the ISO 27001 standard is updated, this so that in a way that the changes match.
Breakdown of applied changes
ISO 27002:2022 now includes 93 controls distributed in 4 sections, additionally an Annex A and an Annex B (previously 14 sections with 114 controls, however, no control has been excluded):
- Controls over the organization (clause 5)
- Controls over users (clause 6)
- Physical checks (clause 7)
- Technological controls (clause 8)
- Annex A – use of attributes
- Annex B – relationship with ISO 27001Added 11 controls:
- Threat Intelligence (5.7)
- Information security for the use of cloud services (5.23)
- Preparing ICT for Business Continuity (5.30)
- Physical security monitoring (7.4)
- Configuration Management (8.9)
- Deletion of information (8. 10)
- Data masking (8. 11)
- Data leak prevention (8. 12)
- Follow-up activities (8. 16)
- Web filtering (8. 23)
- Secure encryption (8. 28)
23 controls have been renamed for better understanding.35 controls remain unchanged in their structure, other than in the enumeration and assignment within the 4 sections mentioned above. In turn, 57 controls have been merged into 24 controls. Only 1 control was divided: § Technical Compliance Review (18.2.3) was divided into:- Compliance with information security policies, norms, and standards (5.3.6).- Management of technical vulnerabilities (8.8). Something to highlight about the update in question is the use of attributes, which will be useful to filter and group the controls, included in Annex A:
- Type of control
- Information security properties
- Cybersecurity concepts
- Operational capabilities
The following diagram presents a summary of the outstanding updates that were made to the ISO 27002:2022 standard:
It is important to emphasize who will be affected by these changes and the cause of this; this will apply to those companies that are certified, those that are being certified, and/or those that are looking for certification again. The cause of this is simple, since, if the controls have been modified, a review of the procedures that involve them are necessary: risk assessment, the Declaration of Applicability, review of policies. This is to decide which ones will apply to the particular organization.
In addition, the implementation of this standard will help to create a better awareness of the security of information with the understanding of it, in turn supplying greater control over the Information Security System (ISMS) and everything it involves (policies, asset registration, procedures, risk management, compliance).
However, this process consists of a transition period that will take a couple of years in what conforms to the ISO 27001 standard. So, if a company seeks to start the certification process, it can do so without any problem, since the added changes although they are remarkable, do not present a drastic change to the standard, more than a mere simplification of the above, and this could be done using the existing controls, however, it will be helpful to review the added controls and how these could be implemented in the future.
References
International Organization for Standardization. (2022). ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection — Information security controls. Obtained from ISO.org: https://www.iso.org/standard/75652.html
Iseni, A., & Vesa, H. (2022). How Will ISO/IEC 27002:2022 Impact ISO/IEC 27001. Obtained from: https://pecb.com/article/how-will-isoiec-270022022-impact-isoiec-27001
ISMS. Online. (2022). ISO 27002 Ultimate Guide. Obtained from: https://www.isms.online/iso-27002/
Mackie, R. (2022). SO/IEC 27002:2022: A High-Level Breakdown of the Update. Obtained from: https://www.schellman.com/blog/iso/iec-270022022-breakdown
Sekuro. (2022). everything to know about the ISO 27002: 2022 updates. Obtained from: https://sekuro.io/blog/iso-27002-2022-updates/
The 27000.org. (2022). Introduction to ISO 27002 (ISO27002). Obtained from: https://www.27000.org/index.htm