Here, we answer your frequently asked questions about the new iteration of ISO 27002:2022.
On the 15th of February 2022, ISO released a new iteration of ISO 27002 – a standard that belongs to the ISO 27000 family. ISO 27002 supports the better-known ISO 27001, which is the international standard for an information security management system (ISMS).
A revised version of ISO 27001 is expected to be published around the middle of 2022 in line with the updated ISO 27002.
Below, we will answer frequently asked questions relating to the new iteration of ISO 27002 and expected changes to ISO 27001.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the international standard for information security management that organisations certify against. ISO 27002 is a supporting standard that provides guidance on how the information security controls listed in Annex A of ISO 27001 can be implemented. This has not changed with the update: organisations will still certify to ISO 27001 and use ISO 27002 as supporting guidance. ISO 27002 is a guidance document and is not itself certifiable; within the ISO 27000 family, ISO 27001 is the requirements standard that a certification audit assesses against.
What is different in the new iteration of ISO 27002?
ISO 27002:2013 described 114 controls, grouped under 35 control objectives in 14 clauses (the same structure as Annex A of ISO 27001:2013). The updated 2022 standard has 93 controls, grouped more simply into 4 themes:
- Clause 5. Organisational controls (37 controls)
- Clause 6. People controls (8 controls)
- Clause 7. Physical controls (14 controls)
- Clause 8. Technological controls (34 controls)
While the overall number of controls has decreased, none of the ISO 27002:2013 controls has been dropped. Existing controls have instead been merged, renamed or split, and some new ones added:
- 57 ISO 27002:2013 controls have been merged into 24 controls
- 23 controls have been renamed
- 1 control has been split into 2 controls
- 11 new controls have been defined
Each control in the new version of ISO 27002 also has two new elements in its structure: an attribute table that lists a set of attributes associated with the control, and a statement of the purpose (the rationale) for applying the control.
The control attributes are intended to make it easier to map ISO 27002 controls onto other security frameworks and to filter the control set from different viewpoints. Five attributes are defined for each control: control type (preventive, detective or corrective), information security properties (confidentiality, integrity or availability), cybersecurity concepts (identify, protect, detect, respond or recover, mirroring the functions of the NIST Cybersecurity Framework), operational capabilities and security domains. A control may carry more than one value for a given attribute.
This structure is designed to help those selecting or analysing the control set to understand, and justify, why a particular control is being used. The second new element, the purpose statement, explains the rationale behind each control so that an organisation can judge whether it is adequate to treat a specific risk.
Two annexes have also been added to ISO 27002:2022. Annex A presents the attribute values for every control as a matrix, so the control set can be filtered by attribute. Annex B maps each control in the 2022 version to the corresponding control(s) in the 2013 version, and vice versa; this is the table an organisation will use when updating an existing Statement of Applicability. By reducing the number of sections, providing this backward-compatibility mapping and including the attribute matrix, the standard aims to make the applicability of its controls easier to understand and implement.
What will stay the same?
It is important to note that the overall structure and the main-body clauses of ISO 27001 are not expected to change:
- Clauses 4 – 10 of ISO 27001 are expected to stay the same
- 35 controls are unchanged from the 2013 version
- ISO 27001 will remain the certifiable standard, with ISO 27002 providing supporting implementation guidance
What are the new controls in ISO 27002?
While most controls in ISO 27002:2022 are modified or consolidated versions of existing ones, there are 11 genuinely new controls that must be considered, as an existing ISMS will not already address them by name:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Many ISO 27002:2022 controls are similar to the 2013 version: they have simply been renamed or consolidated so that they reflect current practice. Take, for example, the 2013 control ‘Teleworking’ (6.2.2). In the 2022 version this has become ‘Remote working’ (6.7).
How will the new ISO 27002:2022 affect ISO 27001?
The changes to the control set published in ISO 27002:2022 will be reflected in Annex A of ISO 27001:2022 when it is published. Organisations that are implementing ISO 27001, or managing an existing ISMS, will then need to reflect the new control set in their own management framework. No changes are required right away: there will be a transition period, starting from the date ISO 27001:2022 is published, in which to implement them.
When should organisations transition to the new control set?
At present, only ISO 27002:2022 has been published, with ISO 27001:2022 expected later this year. Once the new standard is published, we expect a transition period of around two years to allow the changes to be implemented. Certification bodies will also need time to interpret and adopt the new standard and its control set, so many may not offer assessments against the updated standard for 3-6 months after it is published.
While the release date of the new standard is not yet confirmed, we anticipate the following timeline for the transition:
- New certifications targeted before March 31st, 2023 should be against the current 114 controls (ISO 27001:2013).
- Certifications planned for after April 1st, 2023 should use the new set of 93 controls (ISO 27001:2022).
- Organisations with an existing certification should align their ISMS to the new standard once it is released, so that they are ready to be assessed against it by March 31st, 2023.
What does this mean if my business is currently working towards ISO 27001?
Until the new ISO 27001 standard is released and certification bodies begin to offer assessments against the new control set, ISO 27001 implementation will continue against the existing controls. If you are currently working towards certification, you do not need to change your approach.
The control changes are moderate, and when the new ISO 27001 standard is released most of the work will be documentation. The exception is the new controls: if your risk assessment determines that controls such as threat intelligence, data leakage prevention, web filtering or monitoring activities are applicable and no existing measure covers them, some new technical capability may be needed. It is therefore worth reviewing the 11 new controls early rather than assuming a documentation-only exercise.
Even if the revised ISO 27001 standard comes out partway through your implementation process, you may be able to adopt the new requirements and amend any documents and workshops that are already underway.
We anticipate these changes will mostly involve:
- Updating risk treatment processes so that they align with the new controls
- Updating the Statement of Applicability
- Amending sections of existing policies and procedures to reference new or changed controls
Until the new ISO 27001 standard is released, your Statement of Applicability must continue to reference Annex A of ISO 27001:2013. Only once ISO 27001 has been updated to reference the ISO 27002:2022 control set should the new controls be used.
Should we wait until the new ISO 27001 standard is released to certify?
There is no need to wait for the updated ISO 27001 standard to begin your ISO 27001 journey. If the new version is published before you complete certification, you should be able to adapt your existing documentation to the amended control set, as noted above.
If you’re thinking of gaining ISO 27001 certification, we’re here to help wherever you are on your decision path. We can run an initial workshop, carry out a full gap analysis, support your ISO 27001 project or manage your ISMS for you.
If you’d like to understand more about our ISO consultancy service, we’d be delighted to hear from you.