ISO/IEC 27002 offers guidance on implementing an Information Security Management System (ISMSP). This international standard is very effective at helping organizations protect themselves against various information security risks through a series of security control categories.
However, with the standard addressing such diverse information security risks, cybersecurity teams often find implementation and maintaining alignment a significant challenge.
To streamline compliance, this post covers a comprehensive overview of the latest revision of the standard (ISO/IEC 27002:2022), summarizing critical changes in the new version of ISO 27002 and tips for compliance.
What is ISO/IEC 27002?
ISO/IEC 27002 is an international standard consisting of guidelines for improving information security management. It was published by the International Organization for Standardization and the International Electrotechnical Commission.
The Relationships Between ISO 27001 and ISO 27002
Think of ISO 27002 as a much-needed supportive document for ISO 27001, which fails to explain how its security controls should be implemented. Users are expected to refer to ISO 27002 for implementation guidance for the controls listed in ISO 27001 Annex A.
Because ISO 27002 is designed to support ISO 27001 implementation, security teams should first choose applicable ISO 27001 controls when establishing an ISMS and then refer to ISO 27002 for guidance on their implementation.
Ideally, first decide which ISO/IEC 27001 controls you will be implementing, and then refer to ISO 27002 to learn more about how these controls work.
How is Certification Impacted by ISO 27002?
If your organization is already ISO 27001 certified, the new standards of ISO/IEC 27002 will only be officially applicable at recertification. But you need to start preparing now. Compare your risk assessment processes against the revised changes in ISO 27002 to note any implementation discrepancies in a gap analysis.
After updating your risk assessment process to map to these new control standards, you must also update your Statement of Applicability, which should still reference ISO 27001 Annex A. Your updated security controls, however, should refer to ISO/IEC 27002:2022.
In October 2022, ISO 27001 was updated, making the latest version ISO 27001: 2022. ISO 27001: 2013 is still applicable in its current transition period, which is expected to be a 24-month duration.
Adjusting your ISO 27001 alignment to the new changes in ISO 27001: 2022, in addition to conforming to the changes in ISO 27002, will make the auditing and, therefore, recertification process a lot more streamlined.
What Has Changed in ISO 27002: 2022?
There are four categories of changes in the latest revision of ISO 27002 - ISO 27002: 2022.
1. Reduced Number of Domains and New Annexes
ISO 27002:2022 groups ninety-three controls into four domains, a significant reduction from the fourteen categories in the ISO/IEC 27002: 2013 version.
The four security control domains in ISO 27002: 2022 are:
- Organizational controls (Clause 5)
- People controls (Clause 6)
- Physical controls (Clause 7)
- Technological controls (Clause 8)
3. Fewer Security Controls
There are 93 security controls in ISO 27002: 2022, whereas ISO 27002: 2013 had 114.
While this smaller number might make ISO 27002:2022 seem much simpler to implement, this reduced number is primarily due to consolidation. Twenty-four of the controls in ISO 27002: 2013 have been consolidated in the revised version.
4. Eleven New Controls
ISO 27002: 2022 introduces eleven new controls, increasing the emphasis on security initiatives that were alluded to across multiple control families in the 2013 version.
The eleven new controls in ISO/IEC 27002: 2022 are:
- 5.7 Threat intelligence
- 5.23 Information security for the use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
A summary of changes between ISO 27002: 2013 and ISO 27002: 2022 is as follows::
- 11 new controls have been created
- 24 controls have been consolidated
- 58 controls have been updated
3. New Attribution Values
Five attribution values are introduced for the 93 controls in ISO 27002: 2022. Attribution values represent the properties associated with each control, making the purpose of each control clearer. They also simplify control filtering, streamlining integration with other security frameworks like NIST CSF.
Attribution Values can be used to create a customized security control strategy, allowing organizations to leverage the most applicable controls based on their unique ISMS requirements.
The five new attributes in ISO 27002: 2022 are:
- Control types: #Preventive, #Detective and #Corrective
- Information Security Properties: #Confidentiality, #Integrity and #Availability
- Cybersecurity concepts: #Identify, #Protect, #Detect, #Recover.
- Operational capabilities: #Governance, #Asset_management, #Information_protection, etc.
- Security domains: #Governance_and_Ecosystem, #Protection, #Defense, #Resilience.
ISO 27002: 2022 Best Practices
These best practices will help you gain the greatest information security management benefits from ISO 27002: 2022
1. Understand the impact on other Cybersecurity Framework
ISO 27002: 2022 doesn’t introduce new foreign security controls not found in existing security frameworks. Some of these controls are likely already being implemented to some degree in your current information security control strategy.
Your current cybersecurity framework will benefit from aligning with ISO 27002:2022 controls as it could simplify compliance with other relevant frameworks and regulations.
To maximize implementation efficiency, your ISO 27002 alignment strategy must be tailored to your initial compliance baseline. This can be achieved with the following structured implementation approach.
- Gap Analysis - Perform an internal audit to identify gaps between your current control strategy and the ISO 27002: 2022 code of practice. This includes identifying discrepancies in information security standards, data protection standards, information security practices, and general security measures.
- Identify the most relevant security controls - Prioritize alignment with the most appropriate controls and security techniques for risk treatment efforts.
- Design an implementation timeline - Estimate the time and associated costs of implementing all relevant security controls.
- Implement - Begin implementing ISO 27002 controls in the context of your organization’s security requirements.
2. Start Preparing for ISO 27001 Recertification
The revised edition of ISO 27002 will become applicable when your ISO 27001 certification is due for renewal. Regardless of where you currently sit in this three-year renewal cycle, you should begin integrating ISO 27002:2022 controls standards into your information technology, data security, and operations security programs.
The benefit of mapping to ISO 27002: 2022 earlier is that your organization will align with its information system security and risk management programs against industry best practices, a move that will consolidate stakeholder concerns about growing malware risks.
Learn how to communicate third-party risks to the board >
Aligning to the superior control standards in ISO 27002: 2022 will benefit your security posture, positively impacting our network security infrastructures and the integrity of all information assets.
3. Take Note of the Three Most Impacult New Controls
Of the eleven new controls introduced in ISO 27002: 2022, three are particularly impactful and, therefore, require greater attention:
- Information Security for Use of Cloud Services
- Secure Coding
- Threat Intelligence
Information Security for Use of Cloud Services
This control family offers guidance for securing the complete lifecycle of third-party cloud services, from onboarding to risk management and offboarding.
This control could benefit from a Third-Party Risk Management program, which manages security vulnerabilities of supplier relationships throughout the entire relationship duration.
Third-Party Risk Management (TPRM) is a considerable investment if this program is implemented internally. To leverage its third-party breach safeguarding benefits without the burden of a sizable investment, a cost-effective approach is to partner with a TPRM-managed service provider like UpGuard.
Watch this video for an overview of UpGuard’s TPRM service.
This security control enhances strategies for detecting security threats impacting information security. Threat intelligence should integrate with mitigation initiatives so it helps to establish an information security incident management program to streamline escalation protocols - which will also support business continuity management.
This control offers secure coding guidelines for software development companies. Secure coding is a critical sector of cybersecurity that’s often overlooked. This is unfortunate since beginning proper cybersecurity hygiene at the coding level could prevent the success of common attack methods, like SQL injections and Cross-Site Scripting (XSS).
4. Improve Access Control
Enhanced access control will support privacy protection and positively impact multiple cybersecurity initiatives, including:
- Physical security
- Environmental security
- Communication security
- Human resource security
ISO 27001 Compliance Tracking with UpGuard
UpGuard’s compliance reporting feature makes tracking alignment with ISO 27001 and the NIST CSF easy. UpGuard also maps its security assessments to popular regulations, including PCI DSS and the GDPR, helping organizations establish a comprehensive risk management program for internal and third-party risks.
Watch this video for an overview of UpGuard’s compliance reporting feature.