Key Changes In ISO/IEC 27002:2022

WHAT IS ISO/IEC 27002?

ISO/IEC 27002 is a guidance document for selecting controls while implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be a guidebook for organizations implementing commonly accepted information security controls.

ISO/IEC 27002:2013 had been under review since 2018 by ISO/IEC JTC 1/SC 27 and a new edition was officially published on February 15, 2022.

While part of the controls remains unchanged, there are significant changes in control layout and other controls. Since Annex A of ISO/IEC 27001:2013 is designed to align with ISO/IEC 27002, ISO/IEC 27001 is being revised and the amendment version is estimated to be published in Q2 2022.

This brief article highlights the key changes in the 2022 edition; however, our more detailed white paper link follows.

KEY CHANGES

Number of controls – 93

There are 93 controls in the 2022 edition versus 114 in the 2013 edition.

Control categories – 4

Controls are regrouped into 4 categories, instead of 14 themes and 35 categories in the 2013 edition.

They are:

• Organizational controls
• People controls
• Physical controls
• Technological controls

The four-categories layout emphasizes that protecting information and data is more than merely through technological means. To achieve information security outcomes, technological controls are just the remedies to prevent or mitigate information security risks.

More importantly, the top management of organizations must set out the information security management framework and direction, as well as identify and communicate the importance and impacts of different information to the business and organization. This new control layout can also facilitate management to assign responsibilities within the organization for information security enhancement.

New controls – 11

Eleven new controls are introduced to address the evolvement in technologies and industrial practices.

• Threat intelligence
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

Merged controls – 24

Twenty-four controls in the 2022 edition are the result of merging some from the 2013 version. This results in fewer controls and, thus, creates a leaner standard.

The full list of merged controls is in ISO/IEC 27002:2022 Annex B.

ATTRIBUTES

Apart from the new controls, the 2022 edition introduces “attributes” for each control. Each control is associated with five attributes with corresponding values.

ISO/IEC 27002:2022 Annex A demonstrates the use of the attributes as a way of creating different views of the controls.

Nevertheless, using the attributes is not mandatory. Organizations can choose to disregard one or more of them, or select other attributes, e.g. the maturity model.

FROM “OBJECTIVE TO “PURPOSE”

As mentioned, there are 14 themes and 35 categories in the 2013 edition. Under this edition, a control objective is defined under each security category to state what is to be achieved. One or more controls are contained and can be applied to achieve the intended control objective.

In the 2022 edition, “objective” is replaced with “purpose”. Besides, each control has a purpose defined to illustrate why the control should be implemented.

OTHER CHANGES

The title

The 2022 edition’s title has been modified to Information Security, Cybersecurity and Privacy Protection – Information Security Controls. The term Code of Practice has been removed to reflect that the document is a reference to generic information security controls.

ISO/IEC 27000 is no longer the normative reference in the 2022 edition. Instead, the terms and definitions defined in ISO/IEC 27002:2022 Clause 3 apply. Users of the 2022 edition are recommended to refer to the terms and definitions to properly understand the controls and guidance in the document.

SUMMATION

While the explanation and justification of the changes are not released outside of JTC 1/SC 27, it is apparent that they are to reflect technological advancements and evolving industrial practices.

As mentioned, the ISO/IEC 27001:2013 amendment version is on the way. Annex A will be replaced by the controls in ISO/IEC 27002:2022.

HOW WE CAN HELP

We will stay on top of the changes and keep clients and the certification community abreast of the transition plan to the new edition as soon as they come out.

We appreciate that this is a lot to take in. Why not read our new white paper on the subject at your leisure?