Preparing for ISO 27002:2022 – What Do the Changes Mean for You?

What is ISO 27002:2022?

Before we get started, let’s take a minute to explain exactly what ISO 27002 is.

ISO/IEC 27002:2022 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO publishes thousands of standards, but its management system standards are arguably the most widely used. If you’re familiar with this field, you’ll know the globally acclaimed ISO 9001 standard for quality management, and you’re probably familiar with ISO 27001 for information security management as well.

If your knowledge of these standards comes from having been certified, or having attempted to certify, against them, you know all too well what a labor-intensive process that can be. That is why, for some of its standards, ISO also publishes accompanying documents that serve as an aid for organizations working toward ISO compliance. This accompanying documentation provides further clarification on the required controls and helps an organization establish the direction it will need to take on its journey toward certification.

ISO 27002 is essentially just that: guidance. It is intended solely for use as a reference when choosing and implementing controls for information security risk in an ISO 27001 ISMS. It offers practical reasoning and support for those tasked with designing an ISMS to meet the requirements of the standard based on Annex A.

ISO 27002 is closely aligned with ISO 27001. It is important to note, however, that ISO 27002 is not a certifiable standard by itself. This still holds true with the 2022 update. Organizations can only receive certification by complying with ISO 27001; ISO 27002 is used as supporting guidance. Generally, an easy way to note this differentiation is to remember the rule that it is only possible to certify to ISO standards that end in the number “1”. 


History of the 2022 Revision

ISO standards are generally reviewed on a cycle of five to seven years. The previous version of ISO 27002 was released in 2013. The review and revision process on that standard began in March 2018. Ever since then, we’ve been waiting.

The wait was over on February 15, 2022. After nine years, the 2022 version of ISO/IEC 27002 became available on the ISO standards store. It took close to four years of revision work, but the ISO team of experts finally completed the update of one of its most recognized standards.

The 2022 version is a refreshing revision of the standard with a revamped structure, some new controls, and contemporary wording. ISO 27002:2022 was released in the first quarter of 2022 as a harbinger of the revision of ISO/IEC 27001, which was expected in the fourth quarter of 2022. ISO 27001:2022 was indeed published in October 2022, and we have discussed that update in more detail in a separate blog.

Danny Manimbo, Schellman’s ISO practice co-director, had this to say about the significance of the ISO 27002 revision: “What ISO did well with this standard update is that the whole idea was to make the controls more modernized, simplified, and versatile, to promote ease of use and understanding and it also removed references to things like obsolete technologies. Taking into consideration these changes, we believe that, if your ISMS has been staying up-to-date and current with technology and regulatory trends, it will be well-positioned to absorb this standard update.”

Why is ISO 27002:2022 Important?

ISO 27001 lays out the groundwork for creating an “Information Security Management System”, whereas ISO 27002 contains the details required for the full-scale implementation of a comprehensive IT security program. ISO 27002 is an indispensable companion to ISO 27001, and it would be foolish for an organization to attempt ISO 27001 certification without referring to the ISO 27002 standard.

In addition, ISO 27002 is used extensively by corporations across the globe that are not mandated by law to comply with federal regulations. ISO 27002 covers the scope of many common security requirements, such as those in PCI DSS and HIPAA.

ISO charges for its publications, but companies that are serious about building a thorough information security program are willing to pay to incorporate the expertise that ISO has to offer. Implementing the ISO 27002 standard and integrating such an in-depth approach to information security can also instill confidence in investors and other relevant parties that a business’s information risks are sufficiently managed.


What Has Changed in ISO/IEC 27002:2022?

  • Name Change
    • The standard was renamed from ISO 27002:2013 to ISO 27002:2022.
  • Control Changes
    • The number of information security controls in Annex A was reduced from 114 to 93. This includes 11 new controls, which we discuss in more detail below. Additionally, other controls were merged and reworded to avoid redundancy and increase relevance in today’s evolving digital landscape.
    • Introduction of control attributes.
    • Purpose: a rationale for applying each control was added.

27002:2022 Changes In More Detail:

What Are The 11 New Controls?

  1. Threat intelligence

Analyzing current threats and cyber trends enables organizations to stay current in today’s dynamic threat environment.

  2. Information security for the use of cloud services

With business reliance on cloud-based computing comes new attack vectors and expanding attack surfaces. Companies must consider appropriate protection measures for cloud services and incorporate them into their contracts with cloud vendors.

  3. ICT readiness for business continuity

ICT readiness is an essential component for many organizations in the implementation of business continuity management and information security management. As part of the implementation and operation of an ISMS as specified in the new ISO 27001/27002, it is critical to develop and implement a readiness and disaster recovery plan for ICT services to help ensure business continuity.

  4. Physical security monitoring

Technical controls and monitoring systems have proven effective in deterring potential intruders from accessing and stealing sensitive data or, in case of a breach, detecting their intrusion immediately. 

  5. Configuration management

Attackers can use poorly configured systems to gain access to sensitive resources. Previously subsumed under the topic of change management, configuration management is now treated as a security measure in its own right.

  6. Information deletion

Since the GDPR was introduced, organizations have been required to have appropriate processes in place to delete personal data upon request and to ensure that data is retained for no longer than necessary. Now, ISO 27002 requires this as well.

  7. Data masking

Data masking aims to protect sensitive or personal data through masking, pseudonymization, or anonymization. The data is obscured so that an additional process is required to view it in the clear, thereby protecting against unwanted access and data loss.

  8. Data leakage prevention

Security measures must be taken to minimize or eliminate unauthorized access and extraction of sensitive data. Likely channels for data leakage should be monitored and actively prevented.

  9. Monitoring activities

Continuous monitoring of system anomalies and behavioral analysis in ongoing IT operations is a must in proactive cyber defense.

  10. Web filtering

In our globally connected world, advanced URL filtering can be used to automatically detect and filter potentially malicious domains. 

  11. Secure coding

Vulnerabilities in in-house developed code or open source components are a dangerous point of attack, allowing cybercriminals to easily gain access to critical data and systems. Up-to-date software development guidelines, automated test procedures, release procedures for code changes, and knowledge management for developers, together with well-thought-out patch and update strategies, significantly increase the level of protection.

What Are The Section Changes?

ISO restructured the control sections from 14 sections down to 4 sections and 2 annexes. Following is a list of those 4 new categories and the 2 annexes.

  1. Organizational Controls (37) 
  2. People Controls (8) 
  3. Physical Controls (14)
  4. Technological Controls (34)

These 4 sections and the security controls they comprise add up to a total of 93 controls. The new structure makes it easier to interpret the applicability of the controls as well as to delegate responsibilities.

Annexes

  1. Annex A, which includes guidance for the application of attributes, and
  2. Annex B, which provides a correspondence with ISO/IEC 27002:2013.

Attributes

Another innovation was introduced in ISO 27002:2022 to help security managers navigate the broad mix of controls. In Annex A, five attributes with associated attribute values are designated for each control.

The attributes are:

  • Control type
  • Information security properties
  • Cybersecurity concepts
  • Operational capabilities
  • Security domains

When Do the Changes Take Place?

ISO 27002 was updated on February 15, 2022 (ISO 27002:2022). In October 2022, ISO 27001:2022 was published with its Annex A revised to reflect the new control set. With that October publication, companies previously certified to ISO 27001 can begin implementing the changes. There is a two-year transition period for certified companies to align with the new controls.

During the transition period, certified companies and new companies seeking certification will need to:

  1. Review risk treatment and make sure it is aligned with the new structure and numbering of controls.
  2. Align the list of controls in the Statement of Applicability.
  3. Update your policies and procedures, and potentially write new documents related to the new controls.

How Can Centraleyes Help You With ISO Certification?

With the revamped controls list, you will have plenty of up-to-date guidance to follow. Moreover, you will be able to use the new set of attributes to make control selection more efficient. The good news is that the revisions remain within a similar framework: the restructuring of the controls catalog only makes the standard more navigable, understandable, and relevant.

To automate your compliance with the new ISO 27002 security controls, Centraleyes can accelerate your transition from the old set of controls to the newly updated versions on our cutting-edge risk and compliance management platform.  

Set up a demo today. 
