ISO27002:2022 introduces drastic changes to the ISMS framework structure. These will have an impact on future ISO 27001 certifications or recertifications. There are certain steps you can take to overcome the new challenges created by the updated ISO 27002 standard.
A new version of the ISO 27002 standard was released on February 15th, 2022, replacing the text published in 2013. Despite several structural modifications, the purpose of the document remains the same: to provide a set of generic reference security controls for use within an Information Security Management System (ISMS) based on ISO/IEC 27001.
ISO/IEC 27001 itself has not been updated yet. A draft, ISO/IEC DIS 27001, is expected to replace the 2013 version; at the time of writing it is still under development, in the official ISO "Enquiry" stage.
This article looks at the details of the ISO 27002 changes and the impact on the security organization, as well as your ISMS and ISO27001 certification.
Key changes: A new structure and updated security controls
From fourteen to four domains
The most noticeable change is the new structure of the document. Previously, the suggested controls were grouped into fourteen domains; they are now grouped into four themes:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
Furthermore, there are 2 annexes:
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
Fewer security controls due to consolidation
Another noteworthy change is the reduction of the number of security controls from 114 to 93, primarily the result of consolidation. Of those 93, 58 are updated controls, 24 are the result of merging existing controls and 11 are new.
Overview of the eleven new controls
The following security topics were previously described across multiple controls. In the latest version, these topics received their own control with detailed purpose and guidance:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
The three most impactful controls are the following:
- Secure Coding: A constantly increasing number of companies develop software. Poorly written code can result in critical vulnerabilities (e.g. missing input validation and output encoding can lead to XSS, and database queries assembled from user input can lead to SQL injection). Technological control "8.28 Secure coding" provides secure coding principles that you should apply throughout software development.
- Threat Intelligence: One of the key aspects of securing your organization is identifying possible threats. You can calculate the risk related to each identified threat and implement mitigating measures. Organizational control “5.7 Threat intelligence” refers to collecting and analyzing information related to information security threats. It considers strategic, tactical and operational threat intelligence.
- Information security for use of cloud services: Companies are moving to cloud environments at a rapid pace. Organizations often assume that most information security risk lies with the cloud service provider. However, this is usually not the case. Organizational control “5.23 Information security for use of cloud services” provides guidance for acquiring, using, managing and exiting from third-party cloud services. It states that you must clearly define the responsibilities of the cloud service provider and the organization.
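To make the secure-coding point concrete, here is an added example that is not part of the article or of the ISO 27002 text itself. It contrasts the two coding defects mentioned above with their hardened forms: a login query assembled from user input versus a parameterized query, and an HTML fragment that embeds user input raw versus one that encodes it. The table, users and the injection payloads are constructed for the demonstration; passwords are stored in plain text only to keep the toy short and would be hashed in real code.

```python
import html
import sqlite3

# Constructed in-memory database for the demonstration (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Query text built by string formatting: user input becomes part of the SQL.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values, so input can never
    # change the structure of the statement.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def render_comment_vulnerable(comment):
    # User input inserted into HTML without encoding: reflected/stored XSS.
    return f"<p>{comment}</p>"

def render_comment_safe(comment):
    # Output encoding: <, >, &, " and ' become entities, so markup is inert.
    return f"<p>{html.escape(comment, quote=True)}</p>"

def demo():
    """Run both defects and both fixes against constructed attack inputs."""
    conn = make_db()
    # SQL comment sequence terminates the query after the username check.
    sqli_user = "alice' --"
    xss_comment = "<script>alert(1)</script>"
    results = {
        # The vulnerable login accepts any password for alice.
        "sqli_bypasses_vulnerable": login_vulnerable(conn, sqli_user, "wrong"),
        # The parameterized login looks for a user literally named "alice' --".
        "sqli_bypasses_safe": login_safe(conn, sqli_user, "wrong"),
        # Legitimate credentials still work with the safe version.
        "valid_login_safe": login_safe(conn, "alice", "correct horse battery staple"),
        "vulnerable_html": render_comment_vulnerable(xss_comment),
        "safe_html": render_comment_safe(xss_comment),
    }
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized query and the output-encoding call are the two cheapest secure-coding principles to enforce in review; both are mechanical enough to check with a linter or a framework default rather than relying on each developer remembering them.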
Introduction of attribute values for each control
The last major change is the introduction of five attributes along with their respective values.
- Control types: #Preventive, #Detective and #Corrective
- Information Security Properties: #Confidentiality, #Integrity and #Availability
- Cybersecurity concepts: #Identify, #Protect, #Detect, #Respond and #Recover
- Operational capabilities: #Governance, #Asset_management, #Information_protection, etc.
- Security domains: #Governance_and_Ecosystem, #Protection, #Defence and #Resilience
Annex A – "Using attributes" assigns one or more values from every attribute to each of the 93 security controls, which allows for easy grouping and sorting. For example, when an organization wants to strengthen its preventive controls, it can filter on the "#Preventive" value of the "Control types" attribute to obtain the list of reference preventive controls.