What is new ISO/IEC 27002:2022? An Update

A revised version of ISO/IEC 27002:2022 has been released to assist organisations in the development of information security control to help protect them and their information assets by placing greater emphasis on information security, cyber security, and privacy protection.

Whether you are looking to develop and implement an information security management system or are seeking to certification. There is something for everyone.

This article looks at the recent publication of the revised ISO/IEC 27002, now, the 2022 edition, which can help in the development of an Information Security Management System and for the protection of information.

Whilst this website, normally, covers environmental and sustainability topics, information security is a sustainability issue. Without information security, our businesses, our countries and, indeed, the whole structure of society could falter. You only have to open the newspaper or watch the News on TV, to see regular security breaches in our banks, internet providers and attacks from hostile countries on the information infrastructure of their targeted countries.

I will look at why the revised standard has been published, highlights of the revision, a “By the Numbers” breakdown, more detail about the Terms and Definition, abbreviations and categorization of controls and the use of the new attributes, What it means for ISO/IEC 27001:2013 and, indeed, any organisation with current ISO/IEC 27001:2013 certification.

Why have a revised ISO/IEC 27002:2022?
The world of information security has moved on, in the nine years, since ISO/IEC 27702:2013 was published. There is greater organisation and societal awareness of information security.

A number of information security standards have been published over the past nine years, such as:

All these developments lead to a need to update the ISO/IEC 27002 standard to provide contemporary focus on the information security controls that can make a difference in any organisation, irrespective of this site, nature or complexity.

It should be remembered that organisations cannot be certified to ISO/IEC 27002 but its contents can help to inform the development of an ISO/IEC 27001 Information Security Management System, which can be certified.

Highlights of the Revision
This third edition cancels and replaces the second edition (ISO/IEC 27002:2013), which has been technically revised. It also incorporates the Technical Corrigenda ISO/IEC 27002:2013/Cor. 1:2014 and ISO/IEC 27002:2013/Cor. 2:2015.

The title of ISO/IEC 27002 has been revised, in two specific ways:

The coverage of the International Standard has been aligned away from Information Technology and Security techniques to better describe the functionality of the revised Standard as it addresses three key concerns: Information security, cybersecurity and privacy protection. Issues that organisations and individuals are really concerned about from all the scare, but real, stories in the media.

Additionally, the phrase “Code of Practice” has been omitted to reflect better its purpose of the Standard being a reference set of information security controls

At the same time, the structure of the document has been changed, presenting the controls using a simple taxonomy and associated attributes, which we will come onto a little later.

And a re-think of the structure and controls has led to some controls being merged, some deleted, and several new controls have been introduced. A handy Annex B has been added to the revised standard to provide a correspondence table between the control in 27002:2013 and the revised 27002:2022.

If you are getting value out of this episode, please click on the “like” button and if you want to see more videos, please subscribe to this YouTube Channel.

By the Numbers

If you like to see the changes expressed in terms of numbers, the development of revised 2022 version took one year longer than its predecessor.

The new version has seventy-two more pages

The 2013 version relied on the Terms and Definitions with ISO/IEC 27000, while the new standard incorporates its own terms and definition, thirty-eight to be precise

A new facet of the 2022 standard is the 45 abbreviations, such as ACL for access control list & IoT for Internet of Things, which was not present in the earlier, withdrawn 2013 version.

Instead of the 14 clauses in the 2013 version, we, now, have 4, which is populated by 93 controls down from the familiar, 114. That’s a reduction of 21 control with 11 new controls added.

The cost of the new standard appears comparable with the older version, if not a little less expensive despite the great number of pages and addition content.

Terms and Definitions
Thirty-eight Terms are defined ranging from commonly used terms, such as personally identifiable information (PII), process, such as Chain of Custody, & technology, such as endpoint devices.

In many cases, these terms and their definitions are referenced to other ISO Standards to ensure compatibility between information security standards.

There are 45 abbreviations including widely used terms, such as BYOD – bring your own device, WiFi – wireless fidelity& IP – internet protocol to more, specific technology abbreviations, such as RBAC – role-based access control, BIA – business impact analysis & UEBA – user and entity behaviour analytics.

Categorization of the Controls
To look at the new information security controls in a little more detail, the new categorization of controls given in Clauses 5 to 8 are referred to as themes. These controls are categorized as:

Being categorized as organizational, if they don’t fit into one of the other three control, which are

people, if they concern individual people;, such as their roles and responsibilities and employment terms and conditions

physical, if they concern physical objects; with a focus on physical information assets

technological, if they concern technology; such as the application of various technologies used within an organization

For reference out of the 93 controls, there are 37 Organizational controls, 34 Technological controls, 14 Physical controls and 8 People controls.

Focus on attributes
All 93 controls are tagged with each of the five attributes, which can be used as a way of creating different views or perspectives on the controls.

Attributes can be a Control Type; whether preventative, detective and corrective,

Information Security Properties; based on the well-used properties of availability, confidentiality and integrity,

Cybersecurity Concepts from NIST Standards; identify, protect, detect, respond and recover.

Operational capabilities, which cover a wide range of perspectives on the security categorisation for the control, such as #Governance, #Asset_management, #Information_protection through to  #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance)

And, finally, Security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience).

The informative Annex A describes how these attributes may be used with examples of their use for Controls, such as Policies for information security where we can see more clearly the use of each of the five attributes and the values used, such as #Preventative for the Control Type, the Information security attribute and its values of #Confidentiality #Integrity #Availability and so on.

Finally, the Bibliography provides reference to 51 additional ISO International Standards that may be useful for you or your organisation, the Information Security Forum Standard of Good Practice for Information Security, the ITIL® Foundation at edition 4, the National Institute of Standards and Technology Risk Management Framework for Information Systems and Organizations & Digital Identity Guidelines as well as documents from the Open Web Application Security Project (OWASP) and Oasis.

So, What is next…

What it means for ISO/IEC 27001?
Like the proverbial London Bus, once you see one, another comes along.

In this case, ISO/IEC 27001 and ISO/IEC 27002 were developed along the same pathway. It is just that 27002 came out first.

We can expect the new and revised ISO/IEC 27001 to be released later in March 2022.

It will become ISO/IEC 27001:2022 and will incorporate the previous corrigenda as well as use the common control structure from 27002, that we have seen in this episode.

What does it mean for my ISO/IEC 27001:2013 certification?

It is understood that the International Accreditation Forum (IAF) have a ballot out with its members for a two-year transition period.

Based on previous IAF transition periods, ISO/IEC 27001:2013 certificates would remain valid for a two-year period from the publication date of the revised 2022 version.

During the two-years, there would be a limited period for new 27001:2013 certifications and a emphasis on transition audits to allow organisations to move over smoothly to the 2022 version.

The final details of the IAF Transition towards ISO/IEC 27001:2022 will become known in the next two months and I will update on that information as soon as it is available.

In the meantime, you may want to review your existing 27002:2013 based controls and undertake a gap analysis using Annex B to the revised 2022 standard and start revision of your own Information Security Management System ahead of the deadline for transition.

So, to summarise:

I have covered a lot of ground in this article on the revision of ISO/IEC 27002 to the 2022 version, I hope that it will be helpful to start your journey towards enhancing your information security or for securing 27701 certification.

You can purchase a copy of ISO/IEC 27002:2022 from your National Standardisation Body with a selection of the main Standards Bodies given in the table below:

Standards BodyWebsite
Standards Canadahttps://global.ihs.com/
Standards Australiahttps://www.techstreet.com/

If If this article has helped to advance your understanding of the revision of ISO/IEC 27002 to the 2022 edition and the key learning points for applying its controls to your organisation or, as a consultant or auditor, to your clients, leave a comment in the box below, if this video has help you.

If you enjoyed this article, you should subscribe to our YouTube Channel – EMSmastery, where you can watch our videos, such as our video accompanying this article on What is NEW ISO IEC 27002 2013? An Update with all the changes that you need to know and subscribe in our YouTube channel for new videos released each week.

#ISO27002, #ISMS, #EMSmastery

Share this article on Social Media:

Leave a Reply