Keeping information safe is a vital job for organizations in every industry. Th....
How Will ISO/IEC 27002:2022 Impact ISO/IEC 27001
According to Cybercrime Magazine, global cybercrime costs are expected to grow by 15% per year, reaching $10.5 trillion by 2025. Information security therefore remains one of the most challenging areas for organizations worldwide.
ISO/IEC 27001 and ISO/IEC 27002 are primary ISO standards that aim to enhance the security of an organization’s information. ISO/IEC 27001 provides a framework to assist organizations in managing information security, while ISO/IEC 27002 provides implementation guidance for information security controls specified in ISO/IEC 27001.
The updated version of ISO/IEC 27002 has been published, and its changes will also be reflected in Annex A of ISO/IEC 27001:2013 through an amendment.
The following questions and answers address the points most commonly raised about these changes.
What are the main changes in ISO/IEC 27002:2022?
Number of controls
The revised version of ISO/IEC 27002, published in 2022, reduces the number of information security controls from 114 to 93, grouped into four sections:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
New controls
ISO/IEC 27002:2022 introduces 11 new controls, listed below:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Restructure of sections
ISO/IEC 27002:2022 now has four sections and two annexes, instead of the 14 sections of the previous version:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
The new structure is expected to make it easier to assign responsibility for controls and to determine which controls are applicable.
Merged Controls
Although the number of controls has been reduced, no controls were dropped from the latest version of the standard; instead, related controls were merged. Annex B of ISO/IEC 27002:2022 gives the full correspondence between the 2013 and 2022 controls.
Two examples of merged controls are shown below:
Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.
How is ISO/IEC 27002:2022 impacting ISO/IEC 27001?
ISO/IEC 27001:2013 will be amended (the amended version is referred to as ISO/IEC 27001:2013+A1:2022). The changes introduced in ISO/IEC 27002:2022 will be reflected in Annex A of ISO/IEC 27001 as a normative list of the 93 controls.
What is the main difference between ISO/IEC 27001 and ISO/IEC 27002?
ISO/IEC 27001 specifies requirements for organizations seeking to establish, implement, maintain, and continually improve an information security management system (ISMS). Organizations can be certified against it.
ISO/IEC 27002 is an international standard used as a reference for selecting and implementing the information security controls listed in Annex A of ISO/IEC 27001. It provides best-practice guidance that helps organizations select, implement, and manage those controls.
The main difference, then, is that an organization can be certified against ISO/IEC 27001 but not against ISO/IEC 27002; the latter serves as supporting material for implementing the requirements and controls of ISO/IEC 27001.
What are the main changes in ISO/IEC 27001?
The main body of ISO/IEC 27001, clauses 4 to 10, will not change.
The main changes to ISO/IEC 27001 will instead include:
- The number of Annex A controls will be reduced from 114 to 93
- Annex A will be replaced with a normative version of the 93 controls from ISO/IEC 27002:2022
- In clause 6.1.3 c), the wording “comprehensive list of control objectives and controls” will be toned down to the more appropriate “possible information security controls”
When should we start implementing the newest changes?
The amendment to ISO/IEC 27001 expected to be published this year will change only Annex A; clauses 4 to 10 will remain the same. A sensible first step is therefore to update your current documentation, including your current risk assessment, against the new set of controls. PECB will add the new ISO/IEC 27002:2022 controls to its materials and link them to the existing controls, so you can update existing policies and procedures or develop new ones to match. You could also update your security metrics to reflect both your risk assessment and the changes to Annex A. Once the updated Annex A of ISO/IEC 27001 is published, you will need to update your Statement of Applicability so that it is aligned with the new list of controls.
PECB will also update its training courses and offer further resources to make the transition period easier.
Will the changes affect my ISO/IEC 27001 certificate(s)?
Because the main body of ISO/IEC 27001, clauses 4 to 10, has not changed, your personal ISO/IEC 27001 certificate(s) will remain valid and you will not need to attend any additional training. If your certificate requires maintenance, you should maintain it as before by submitting your CPD (continuing professional development) and AMF (annual maintenance fee). You may attend the updated training course covering the changes to Annex A if you wish, but your certificate will not be affected either way.
When will PECB offer the updated ISO/IEC 27001 and ISO/IEC 27002 training courses?
The updated ISO/IEC 27001 Lead Implementer (LI) and ISO/IEC 27001 Lead Auditor (LA) training courses, based on ISO/IEC 27002:2022, will be available during March 2022, and the updated ISO/IEC 27002 training courses will be available by April 2022.
Once the ISO/IEC 27001 amendment is officially published, which is expected in May or June 2022, PECB will update the training courses again to reflect it.
About the Authors
Albana Iseni is a Senior Product Marketing Manager for ISR at PECB. She is in charge of conducting market research while developing and providing information related to ISO standards. If you have any questions, please do not hesitate to contact her: marketing.ism@pecb.com.
Vesa Hyseni is a Senior Product Marketing Manager for GRC at PECB. She is in charge of conducting market research while developing and providing information related to ISO standards. If you have any questions, please do not hesitate to contact her: marketing.grc@pecb.com.