Use ISO’s 27002 for ISO 27001 Changes

The International Organization for Standardization (ISO) is an independent, non-governmental organization that provides standards to ensure the quality and safety of products and services. ISO standards have been adopted by organizations across the globe and are especially valuable for companies with an international presence.

In this blog post, we’ll describe the recent update to the ISO 27002 security standard and how you can use it to get a jump start on preparations for the significant update to the ISO 27001 standard that ISO plans to publish later this year.

What Is The ISO 27002 Standard?

To understand ISO 27002, we need to set some context by explaining its close relative, ISO 27001. ISO 27001 provides requirements for an Information Security Management System (ISMS) and includes best practices for helping organizations manage their information security. Becoming ISO 27001 certified is a great way for organizations to demonstrate to their customers and partners that they have achieved a high bar for security.

ISO 27002 is an advisory document rather than a formal specification such as ISO 27001. It provides guidance to help organizations implement an ISO 27001-compliant ISMS. Notably, there is no option to become certified for ISO 27002 as there is with ISO 27001.

Who Does ISO 27002 Apply To?

ISO 27002 applies to any organization seeking guidance to help them become certified for the ISO 27001 security standard.

What Are The Benefits Of ISO 27001 Certification?

There are many benefits of achieving ISO 27001 certification, including:

• Strengthens your security posture, which helps to guard against cyberattacks and ensure the privacy of your data.
• Demonstrates to your clients and partners that you take security seriously.
• Gives you a competitive edge for generating new business. ISO 27001 is often a requirement for organizations wishing to bid on contracts.
• Enables you to comply with data protection laws and regulations in many countries where ISO 27001 is accepted.
• Because ISO 27001 has been widely adopted across the globe, it provides a significant benefit for organizations with an international scope of operations.

What’s Changing With The ISO 27001 And 27002 Updates In 2022?

ISO published an update to ISO 27002 on February 15, 2022. The updated version is referred to as ISO 27002:2022 and replaces the previous version (ISO 27002:2013).

ISO 27001 will be updated later this year, but ISO has not yet announced a publication date.

Below is a description of the key changes included in ISO 27002:2022. Notably, these changes will be mirrored in the ISO 27001 update later this year.

• Consolidated Controls—Simplified implementation by consolidating the 114 controls in the previous version into 93 controls. Some controls were deleted due to duplication. Others were merged for better alignment. 11 new controls have been added.
• New Themes—Grouped controls under 4 sections or “themes,” down from 14 in the previous version. The new themes are:
  • Organizational (37 controls): catch-all group for controls that don’t fall into any of the three themes below.
  • People (8 controls): controls related to people. For example, behaviors, activities, roles and responsibilities, terms and conditions of employment.
  • Physical (14 controls): controls for securing tangible [information] assets.
  • Technological (34 controls): controls involving or related to technologies.
• New Controls—Introduced 11 new controls to keep the standard up to date with emerging security threats, trends, and technologies (e.g., increased security for remote working and improved threat intelligence). The new controls cover the following areas:
  • Threat intelligence
  • Identity management
  • Information security for use of cloud services
  • Information and communication technology (ICT) readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering secure coding

• Control Tags—Added 5 tags to identify attributes of each control. The new tags and potential values for each are listed below:
  • Control type: preventive, detective, corrective.
  • Information security properties: confidentiality, integrity, availability.
  • Cybersecurity concepts: identify, protect, detect, respond, recover.
  • Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance.
  • Security domains: governance and ecosystem, protection, defense, resilience.

With the 2022 updates, only the security controls listed in ISO 27001 Annex A and in ISO 27002 will change. The main part of ISO 27001—clauses 4 to 10—will not change. The topics covered in clauses 4 to 10 include:

• Scope
• Interested parties
• Context
• Information security policy
• Risk management
• Resources
• Training and awareness
• Communication
• Document control
• Monitoring and measurement
• Internal audit
• Management review
• Corrective actions

To recap, here’s a summary of the key differences between ISO 27002:2013 and ISO 27002:2022:

Summary of Differences Between ISO 27002:2013 and ISO 27002:2022

Attribute	ISO 27002:2013	ISO 27002:2022
Number of Controls	114	93
Number of Sections/Themes	14	4
New Controls	N/A	11 new controls to keep the standard up to date with emerging security threats, trends, and technologies (e.g., increased security for remote working and improved threat intelligence).
Control Tags	No concept of tags.	5 tags added to identify attributes of each control.

What’s The Timeline For Implementation Of the 2022 Updates To ISO 27001 and 27002?

Based on ISO’s record implementing changes to its standards, we expect there to be a transition period of 3 years from the date that the 2022 update to ISO 27001 is published. Organizations wishing to become certified for ISO 27001 will need to comply with the updated version once the transition period is over.

Organizations that have not yet certified for ISO 27001, or have certified and wish to get a jump start on certifying for the new version, can use the ISO 27002:2022 document to begin preparing their environment to be compliant with the 2022 ISO 27001 updates. 

Should We Wait Until ISO 27001 Update Is Published To Begin Preparing For Certification?

We recommend that you start preparing to certify with the updated 27001 standard now. This can give you a leg up on your competition while fortifying your defenses against emerging security threats, trends, and technologies. The good news is that the ISO 27002:2022 update gives you plenty of information to start your preparations.

What Should We Do To Begin Preparing For The 2022 ISO 27001 Update?

Here are steps we suggest you take to begin preparing your organization to become certified for the 2022 update to the ISO 27001 standard:

• Review the ISO 27002:2022 document in detail to understand the changes.
• Identify changes to your controls, policies, procedures, and systems that will be required to comply with the updated version of 27001.
• Prepare a plan for making the changes needed to align your organization with the update 27001 requirements. Identify resources needed to execute your plan.
• When the ISO 27001 update is published later this year, compare it to your plan to see if any adjustments are need.

Tevora Can Help

Whether you want to certify for the current version of ISO 27001, or get a head start on certifying for the upcoming version, we’ve got you covered. Our experienced team of ISO and security experts has worked with some of the world’s leading companies to help them implement ISO 27001, and we’d welcome the chance to do this for you.

Over the years, we’ve developed a proven, four-step approach that puts you on a fast track to compliance with ISO 27001 and other ISO standards. Here’s a summary of our approach:

Tevora’s Four-Step ISO Compliance Process

If you have questions about ISO 27001, ISO 27002, or would like help bringing your organization into compliance with ISO 27001, just give us a call at (833) 292-1609 or email us at sales@tevora.com.