Every five years, the International Organization for Standards (ISO) and the International Electrotechnical Commission (IEC) review standards to confirm they are up to date. In February 2022, they reviewed and revised ISO/IEC 27002:2013 and released its successor in ISO/IEC 27002:2022.
ISO/IEC 27002 is a lesser-known component of ISO/IEC 27001. 27002 includes generic information security controls as well as implementation guidance for organizations looking to implement the 27001 Information Security Management Systems (ISMS) standard. As such, understanding some of the changes to 27002 gives us a window into some of the coming changes for 27001 expected to be published in October 2022.
To prepare organizations for compliance, this article will provide a brief overview of the two standards and highlight what’s changed in ISO 27002:2022, as well as implications for existing or planned compliance efforts.
What Is the Difference Between ISO 27001 and ISO 27002?
To start, let’s make sure we’re clear about the relationship between 27001 and 27002. 27001 is the most widely recognized standard within the ISO 27000 information technology standard. Further, 27001 is a certification standard, which means organizations can become certified when they undergo an ISO compliance audit performed by auditors. Alternatively, an organization can choose to comply with ISO 27001 to recognize the operational benefits of the included best practices, but not receive certification.
On the other hand, ISO 27002 is a reference standard, which means that complying with ISO 27002 cannot result in certification. However, it will provide information and additional context that will make certification with ISO 27001 much easier.
A common point of confusion is with 27001’s Annex A. While Annex A does include controls necessary for compliance, only 27002 includes the additional context and implementation guidance to help make organizations more successful in their efforts.
What Are the Changes to ISO/IEC 27002:2022 vs ISO/IEC 27002:2013?
At a high level the main changes between the two standards are as follows:
1. The titles changed incorporated a new focus inclusive of cybersecurity and privacy:
- “ISO/IEC 27002:2013: Information technology — Security techniques — Code of practice for information security controls”
- “ISO/IEC 27002:2022: Information security, cybersecurity, and privacy protection — Information security controls”
2. The 14 clauses in which the 114 controls were previously organized have been simplified to 4 main theme areas, which are Organizational, People, Physical, and Technological.
3. The 2013 version had 114 controls, while in 2022 there are now 93. While you may expect that many controls were removed, there were also 11 new controls added. The remaining delta is accounted for through control consolidations or clarifications to eliminate duplication and add clarity wherever possible. The 11 new controls are as follows:
- Physical security monitoring
- Threat intelligence
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Information security for use of cloud services
- Web filtering
- Secure coding
- ICT readiness for business continuity
As you can see, this is where some of the updated focus on cyber and privacy come through.
Implications for Existing or Planned ISO 27001 Certification Efforts
While the revisions to ISO 27002:2022 are not monumental, they do trigger some areas organizations can have in mind to accomplish a bit of future-proofing as they look for the upcoming ISO/IEC 27001:2022 update and their ongoing certification.
- Risk Assessment: Revisit your risk register/assessment process to ensure it is inclusive of the new areas of focus
- Statement of Applicability: This will need to be updated to account for the control additions, consolidations, and clarifications.
- Framework Mappings: If your organization is maintaining a common set of controls across many frameworks/standards you will need to be prepared to update those mappings
As ISO/IEC 27001 standards evolve, your organization should pay close attention to the changes and take the time to understand their implications. Whether you plan to recertify soon, are in the midst of becoming certified, or are already certified under ISO 27001:2013, your organization will need to focus on the upcoming changes to ISO 27001 scheduled for later this year. Securing executive support for the compliance effort, implementing compliance management software, performing a risk assessment, and remediating any controls gaps you uncover are steps your organization can take today to begin your certification or compliance journey.