ISO/IEC 27002:2022 Updates

What do the changes mean for your organisation?

With the vast changes in technology adopted by organisations in recent years, the shift in working environments, new regulations, and the continuous evolution of cyber threats, ISO/IEC 27002 has undergone a review to enhance best practices when it comes to information security management.

What is ISO/IEC 27002?

ISO/IEC 27002 works in conjunction with the widely used and recognised ISO/IEC 27001:2013 standard. It provides guidance on how to apply the controls listed in Annex A of ISO/IEC 27001:2013.

How has ISO/IEC 27002:2022 changed from its 2013 counterpart?

After nearly a decade, the International Organization for Standardization (ISO) has made a number of changes to make ISO 27002 more versatile and easier for today’s modern organisations to apply. Its simplified approach is evident in the reduction of controls from 114 to 93. This does not mean that the standard has lost controls: to reduce repetition and align it with modern practices, 56 controls have been consolidated into 24 new ones, making it much more streamlined. A good example is control 7.10 Storage media, which consolidates three controls: 8.3.1 Management of removable media, 8.3.2 Disposal of media, and 8.3.3 Physical media transfer.

To ensure that the standard maintains a risk-based approach in today’s modern world, 11 new controls have also been added, including 8.23 Data leakage prevention (Technological) and 7.4 ICT readiness for business continuity (Organisational).

Attributes are also a new feature, introduced to help businesses filter, sort and present the controls to different audiences and for various purposes. They are not a compulsory part of the standard, but are designed to help provide organisational context when applying it. Attributes also help organisations align with other standards, in particular the NIST Risk Management Framework.

The attributes are broken down as follows:


What else is new with ISO 27002:2022?

To improve understanding and implementation, ISO 27002:2022 also has updated terms and definitions, and two informative annexes to assist with the new controls and attributes. Subheadings have also been introduced.

What does this mean for my organisation?

For organisations with ISO 27001:2013 accreditation, it is wise to start familiarising yourselves with ISO 27002:2022. Whilst this won’t be implemented for a couple of years, ISO 27001 will be updated to align with the new controls, so adopting them sooner in your organisation will make for an easier ride later down the line.

About the Author

Stephanie Lynch-Ozanar

Global Standards and Support Executive, NCC Group

Stephanie began her career in cyber security at the Cyber Resilience Centre for the North West, working with law enforcement to support small business owners to improve their security posture. She joined NCC Group as a Campaign Manager working on Global campaigns and using her experience to support the Mid-Market team in the UK. Now a member of the Global Standards and Support team, she is responsible for internal auditing and maintaining NCC Group's certifications.

Not yet ISO/IEC 27001 compliant?

As global leaders in information security, we've supported thousands of organisations to comply with ISO/IEC 27001. Reach out to our accreditation experts to learn more about this standard and how NCC Group can support certification.