The New ISO 27002 Is Finally Here
The new revision of ISO 27002 was published on February 15th, 2022 and there are some major changes from the 2nd edition released in 2013 that you should be aware of. The main focus of this revision was to improve the guidance for implementation of ISO 27001 Annex A controls.
This won’t be the only ISO standard revised this year, as ISO is expected to release a new version of ISO 27001 soon.
* UPDATE (June 12, 2023): for a detailed breakdown of changes in Clauses 4 through 10 of ISO 27001 in the 2022 release, please see our earlier article entitled, "ISO 27001: 2022 - A Detailed Summary of Change from 2013 to 2022 Version?"
What Changed?
The number of controls has been reduced from 114 to 93, and they are now organized into 4 categories. These categories are:
- Organizational controls (Clause 5)
- People controls (Clause 6)
- Physical controls (Clause 7)
- Technological controls (Clause 8)
The new categorization will help organizations determine the applicability of the controls along with determining who or what department is responsible for the control.
The controls in ISO 27002 now also have attributes assigned to each control. These new attributes are:
- Control types: Preventive, Detective, and Corrective
- Information security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
- Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
- Security domains: Governance and ecosystem, Protection, Defense, and Resilience
This brings ISO 27002, and ISO 27001:2022 upon its release later this year, more in line with other cybersecurity frameworks such as the NIST Cybersecurity Framework, whose five functions the new cybersecurity concepts attribute mirrors.
Correlating controls between different frameworks can be a headache for organizations. The addition of attributes to the 27002 controls will make mapping the controls to other frameworks a bit easier.
New Controls
There are 12 new controls in the standard, a result of the ever-changing InfoSec environment, technology, and practice. Many of these controls reflect the expected addition of personal information (PI) and personally identifiable information (PII) as an information asset under the new 27001 revision.
Controls that Have Been Deprecated
While some of the controls have been merged, 16 controls have been removed from the newest version of the standard. These are:
- 5.1.2 – Review of InfoSec policies
- 6.2.1 – Mobile device policy
- 8.1.2 – Ownership of assets
- 8.2.3 – Handling of assets
- 9.4.3 – Password management system
- 11.1.6 – Delivery and loading areas
- 11.2.5 – Removal of assets
- 11.2.8 – Unattended user equipment
- 12.4.2 – Protection of log information
- 12.6.2 – Restrictions on software installation
- 13.2.3 – Electronic messaging
- 14.1.2 – Securing application services on public networks
- 14.1.3 – Protecting application services transactions
- 14.2.9 – System acceptance testing
- 16.1.3 – Reporting InfoSec weaknesses
- 18.2.3 – Technical compliance review
The last control, Technical compliance review, has been split into two controls: 5.36 – Conformance with policies, rules, and standards for information security and 8.8 – Management of technical vulnerabilities.
What Does This Mean For ISO Security Practitioners?
The biggest impact is on your organization’s risk treatment and risk register. When the new ISO 27001 Annex A is released, it will be imperative that your organization review its risk treatment, review and realign the controls in your Statement of Applicability, and update or even create policies, processes, and procedures for the new controls.
Organizations already certified will have to certify to the new ISO 27001 standard within 2 years of its release. This gives organizations time to review, revise, and improve their Information Security Management System (ISMS) before having to seek recertification by 2024.
Questions For You!
What are your thoughts on this topic?
Is ISO going in the right direction by reducing the volume of controls?
What do you see as the next steps forward?
Do you have any unique insights on where ISO security is going that you'd like to share with other readers?
If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note that to keep our environment clean and free of advertisements of any kind, comments may not include external links, citing company names to promote them, or the like.