In current times, security measures have become increasingly important for the continuity of our businesses, to guarantee the safety of our clients and to uphold our company’s reputation.
When thinking of security, our minds often jump to the ISO/IEC 27001:2013 and ISO/IEC 27002:2013 standards. Especially in Europe and Asia, these have been the leading standards for security since, well… 2013. As of 2022, things will change: ISO has recently published ISO/IEC 27002:2022 and is planning to release ISO/IEC 27001:2022 during this year. However, little to no change to ISO/IEC 27001:2022 is expected beyond amending its Annex A to match the new control structure of ISO/IEC 27002:2022.
No ISO standard stands on its own. This means that, by extension, the new standards will affect various other standards, including ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701. So, make sure to keep an eye on the new ISO/IEC 27001/27002 releases if you are certified against any of those as well.
“The new ISO this, the new ISO that”: by now you are probably wondering what they actually added, changed and removed. We’ve got you covered.
Let’s begin with the new title of the document, “Information Security, cybersecurity and privacy protection – Information Security Control”, replacing the title of the previous iterations, “Code of practice for information security controls”. The change in title seems to acknowledge that there is a difference between information security and cybersecurity, and adds data privacy to the topics covered by the standard.
As for the content, the main changes introduced in ISO/IEC 27002:2022 revolve around the structure of the controls, meaning the way they are organized within the standard itself. The re-organization of the controls aims to bring the standard in line with the current cyber threat landscape: the standard has been made more efficient by merging certain high-level controls into a single control and by introducing more specific controls.
In particular, the controls have been re-grouped into four main categories, instead of the fourteen found in the 2013 version. These categories are as follows:
- 5. Organizational controls (37 controls)
- 6. Organization of Information Security (8 controls)
- 7. Physical controls (14 controls)
- 8. Technological controls (34 controls)
On top of that, the number of controls has been trimmed down from a total of one hundred and fourteen in the previous version to ninety-three now. This is not the end of the improvements in efficiency. Both when reading and when analysing the standard, the introduction of complementary tagging will certainly help you out during the implementation and the preparation leading up to your certification. We know of the following families of tags that are being introduced:
As mentioned above, ISO has done a fair bit of trimming of the controls, but this was not limited to removing controls or combining multiple controls into one. In ISO/IEC 27002, twelve new controls were introduced. All of these controls reflect ISO’s intention to have this latest version cover some of the most important trends in new technologies with a strong relation to security, as reflected in the new title as well. Examples are Threat Intelligence, Cloud Services and Data Privacy, of which the latter two are also covered by separate ISO standards, ISO/IEC 27017 and ISO/IEC 27701 respectively.
Why does including these controls in ISO/IEC 27002:2022 help shape some of the new trends in cybersecurity? One explanation is the ever-growing threat landscape: the increase in vulnerabilities, like the Log4J vulnerability we have seen in the past few months, increases the need to update ISO/IEC 27002. A second explanation lies in the demand for greater interoperability between ISO standards, addressed by unifying the controls and adding the aforementioned tagging system.
Proof of this interoperability can also be found if we look at operational capabilities such as Asset Management (Classification of Information and Asset Handling). These already implicitly covered data privacy and threat intelligence in the 2013 version; in the new release, these topics are more prevalent among the controls. As with Asset Management, Access Control (including the Logging and Monitoring thereof, and Access Management) will also be integrated through the introduction of the new cloud-related controls.
The interoperability is not limited to ISO either. Many of the operational capabilities covered by the controls of ISO/IEC 27001 are also covered by controls that are part of other certifications, like PCI-DSS, NIST, QTSP (ETSI), SWIFT and ISAE3402. This is not to say that you should not aim for an ISO certification if your company already holds one or more of the other certifications we just mentioned. Certifying against ISO/IEC 27001 should go rather smoothly if you already have a framework in place from a different certification, and there is no harm in improving your company’s security.
The ISO controls can offer an entirely new approach to mitigating certain risks that you would not have thought of otherwise. If you have the resources to expand your list of certifications with ISO/IEC 27001:2022, we can only recommend doing so and adding an extra layer of defence to your security framework.
We can already see some of you worry: “We only recently got certified against ISO/IEC 27001!” or “We are in the middle of the audit, but it won’t be over by the time the new ISO/IEC 27001 is released; is all that effort wasted?”. We can assure you that there is no reason to panic. Only once ISO/IEC 27001:2022 is released will the ISO accreditation bodies be able to start certifying against it, as part of the standard 3-year audit cycle defined by ISO. Moreover, companies will be granted a period to fully comprehend and adapt to the new standard before undergoing the audit for recertification, and ISO surveillance and (re)certification audits are not expected to use the new ISO/IEC 27001:2022 version for at least 1 year after its public release. Whether you are starting your journey to become ISO/IEC 27001 certified, or whether you want to begin transposing your current ISO/IEC 27001:2013 certification to the new 2022 flavour, know that NVISO is there to help you! NVISO has developed a proven service for new adopters to become ISO certified, as well as an “ISO quick scan” for companies already holding the 2013 certification, with which we assist and kickstart your transition to the ISO/IEC 27001:2022 certification.