After a wait of over nine years, the revised ISO/IEC 27002:2022 standard has finally been published. Of course, companies have a transition period to bring their ISMS up to date, but all the same, you should already be dealing with the revised standard, because it’s not just the title that has changed. You can find out in this article what else has, and why it is worthwhile to tackle the issue right now.
When it comes to introducing an ISMS in a company, ISO/IEC 27002 is the second most important standard after ISO/IEC 27001 (the updated version is still pending).
The ISO/IEC standard is now called “Information Security, Cybersecurity and Privacy Protection – Information Security Controls”. This makes it clear that information security is considered in a much broader context. The contents take into account additional cyber elements (cybersecurity). At the same time, data protection has been given greater prominence (privacy protection). ISO/IEC 27002:2022 contains implementation recommendations for controls; it is informative guidance, not a set of certifiable requirements. This means that the standard itself is not part of the auditing procedure in a certificate audit. Nevertheless, it has a substantial bearing.
The 27002 controls show the scope and structure of the control set (currently called Annex A) of the future 27001 standard. The implementation recommendations are an ideal guideline for all those who want to implement ISMS in accordance with 27001. At the same time, they are used by auditors as “guidance” in a certificate audit in order to assess whether the controls implemented in the company are appropriate. It can be assumed that the structure of the 27002 controls reflects the control set of the future ISO/IEC 27001 standard. This of course has an impact on the content and structure of standards based on it, such as ISO/IEC 27019 for energy suppliers, ISO 27799 for hospitals, ISO 27017 for cloud services, ISO 27018 for protection of personally identifiable information (PII) and ISO 27701 for the management of privacy information, etc.
Certainly the most striking thing is that the standard has been given a new structure. While the previous version contained 14 chapters, there are now just four, entitled:
Organisational Controls (37)
People Controls (8)
Physical Controls (14)
Technological Controls (34)
The number of measures included is shown in brackets. Compared to the 2013 version, there are “only” 93 controls. Even though the number has been reduced (114 in the 2013 version), this should not be taken as an indication that the range of subjects has been reduced – quite the opposite in fact: 11 new measures have been added, and only three measures have been deleted (11.2.5 Removal of Assets, 8.2.3 Handling of Assets, 16.1.3 Reporting of information security weaknesses). Various previous controls were consolidated into 19 controls; 61 controls remain unchanged. Consolidation is particularly visible in areas such as access rights management.
On the other hand, new focal points were put in place, which above all place a greater focus on preventing, detecting and responding to cyber-attacks as well as protecting data – as is already known from the NIST Cybersecurity Framework. This generally means that the effort required to implement them will increase for companies. At the same time, it also becomes more difficult to justify excluding a control on the grounds that it is not applicable to your own company.
Controls in the new version of ISO/IEC 27002:2022 have two new elements in their structure:
These added elements make it easier to understand how a control is categorised and why it is needed. In addition, one level of subheadings has been removed in the new ISO 27002.
All controls now have attributes associated with the control:
Control type: Preventive, Detective, and Corrective
Information security properties: Confidentiality, Integrity, and Availability
Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
Security domains: Governance and ecosystem, Protection, Defence, and Resilience
These are used to create views of the entire control set. Each attribute takes one or more values written as hashtags (#), which make it possible to group controls semantically. This is recognition that reducing the main sections down to just four makes it more difficult to find individual topics such as incident management, but with tags like #asset_management (formerly A.8) and #supplier_relationships_security (formerly A.15), it is possible to form thematically related sub-sets. This makes the changeover to the new version much easier. At the same time, the new structure takes into account the fact that controls are often relevant in several areas and were previously “artificially” squeezed into a framework of main sections and subsections.
The ISO/IEC 27002:2022 currently lists 11 new controls. At the same time, these are also indicators for the new key thematic areas. For you, this means:
Threat intelligence: You need to actively deal with understanding attackers and their methods in the context of your IT landscape.
Information security for use of cloud services: Cloud initiatives must be considered comprehensively, from introduction through operation to exit strategy.
ICT Readiness for Business Continuity: The IT landscape requirements must be derived from the business process perspective.
Physical security monitoring: Preventing unauthorised physical access is receiving greater emphasis; it is to be achieved by means of alarm and monitoring systems.
Configuration management: Secure configuration of IT systems and hardening are becoming more and more important.
Information deletion: Secure deletion and, in particular, compliance with external requirements, such as data protection deletion concepts, need to be implemented.
Data masking: Various masking techniques such as anonymization and pseudonymization are used to strengthen data protection.
Data leakage prevention: DLP is the subject of renewed attention and is intended to help prevent the unauthorised leakage of data.
Monitoring activities: Network and application behaviour should be monitored in order to detect anomalies.
Web filtering: Access to external websites that may contain malicious code is prevented by using web filtering methods.
Secure coding: The last of the new controls in ISO/IEC 27002:2022 covers secure programming, the use of tools, monitoring of the libraries and repositories used, commenting and tracking changes, and avoiding insecure programming methods.
ISO/IEC 27002:2022 has been given a complete facelift. The previous measures have been grouped into four categories and, where appropriate, combined; 11 of the 93 measures are new. In particular, there is now a greater focus on preventing, detecting and responding to cyber attacks, as well as protecting data. This means that the 2021 edition is more comprehensive. It takes new trends and changes in the threat landscape into consideration. However, it is not enough just to implement the new measures, because new or extended requirements have also been added to the existing measures.
The revised ISO/IEC 27001 is not yet in its final version, but everyone operating an ISMS in accordance with ISO/IEC 27001 should already be dealing with the new control set and taking steps now. Once the revised structure becomes effective in ISO/IEC 27001, there will probably be a one-year transition period during which the old structure can still be used for certification. Existing certifications will probably only have to switch to the new structure after three years have passed. In any case, all companies should be aligning themselves with the new control objectives and implementing them.
You should follow the steps below:
(Last update: March 2022)