ISO27002:2022 – what’s new?
| Joost Krapels |
ISO27001:2013, a certification standard for Information Security Management systems, uses an extensive list of example control measures that organisations have to comply with, or explain the control is not applicable (comply or explain). This list of 114 controls is elaborated on in ISO27002, showing how to implement them in practice. After eight years, ISO27002 is about to be updated. In this article we give a short overview of the changes.
First and foremost, take note that the newest version of ISO27002 has not yet been adopted by the International Organization for Standardization (ISO). It is possible, though unlikely, that controls might change. The process is now in the approval stage, and you can follow it on the ISO website.
ISO27002 is not a standard you can certify against, but ISO27001 is. ISO27002 elaborates on the example control measures mentioned in the appendix of ISO27001. Since there is no ISO27001:2022 yet, organisations already certified for, in the process of implementing, or planning to get certified for ISO27001 in the next year should stick to the appendix of ISO27001:2013. Only when ISO27001 is updated and references ISO27002:2022, should you start using the new list of controls.
Changes in structure
The example controls in ISO27002:2013 were categorized in fourteen chapters: chapters 5-18. The new ISO27002 slims this down to only four chapters: five through eight. Just like the 2013 version, not all chapters are created equal:
- Ch5, Organizational controls, contains 37 controls
- Ch6, People controls, contains 8 controls
- Ch7, Physical controls, contains 14 controls
- Ch8, Technological controls, contains 34 controls
This brings the total to 93 controls; roughly a 20% reduction.
An interesting addition is the introduction of attributes, indicated by an hashtag (#). These attributes can be used to group together similar controls, but can also provide guidance where to place responsibility for those controls in your organization. ISO created five categories of attributes:
- Control type: When does the control have an effect?
- InfoSec properties: Which part(s) of the CIA triangle will be protected?
- Cybersecurity concepts: What type of (ISO 27101) action is taken?
- Operational capabilities: Which security specialization(s) does the control belong to?
- Security domains: Which information security work field is concerned?
Every single control is tagged with one or more of the following attributes per category:
Attributes are, therefore, not the same as descriptive subchapters in ISO27001:2013. They can, however, serve a similar purpose.
In total, ISO27002:2022 contains eleven new controls:
To us, threat intelligence and data masking stand out the most. The other topics are quite closely related to already existing ones, but collecting and analyzing information about the security threat landscape and the privacy by design principle of data masking are interesting new additions.
56 controls from 2013 have been merged into 24 controls:
Many chapters that were already quite similar have been consolidated. For example, the ISO27002:2013 controls of Policy on the use of cryptographic controls (10.1.1) and Key management (10.1.2) are now simply Use of cryptography. Some compounds are chapter transcending, however, such as Change management from the chapter Operations security (12) with three system, application, and software change controls from System acquisition, development and maintenance (14).
Only one control from the 2013 version has been deleted, Removal of assets. Since its sister control, Security of equipment and assets off-premises (11.2.6) already covers the protection of assets outside organisational boundaries, we think this change makes sense.
We wrote four articles on ISO27002:2013, giving a short summary of all the controls. Soon, we will create an updated article series on ISO27002:2022. You can find the current four articles here:
- Pt1 on chapters five to eight
- Pt2 on chapters nine to eleven
- Pt3 on chapters twelve to fourteen
- Pt4 on chapters fifteen to eighteen
Image credit: source image by @sincerelymedia via Unsplash, edited by ICT Institute
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. During his Master study he evaluated several compliance tools for GDPR compliance and interviewed business owners about the impact of the GDPR. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.