By Marcos Paulo de Freitas
ISO/IEC 27001 is an international standard that presents requirements for organizations to establish, implement and maintain the continuous improvement of their Information Security Management System (ISMS). First published in 2005, it was revised and updated in 2013.
ISO/IEC 27002 is used in conjunction with ISO/IEC 27001 and provides guidance to organizations on how to implement the security controls listed in Annex A of ISO/IEC 27001.
In February 2022 an update to ISO/IEC 27002 was published and Annex A of ISO/IEC 27001 is being updated to align with these changes. Naturally, these updates consider the ever-evolving threat landscape since the 2013 release, as well as relevant topics such as cloud computing, remote work, and data privacy.
ISO/IEC 27002 – Main changes compared to 2013:
The first visible change is the title of ISO/IEC 27002, from which the term "Code of Practice" has been removed. This signals the intention to position the 2022 version as a reference set of generic information security controls and guidance. The new title (Information security, cybersecurity and privacy protection — Information security controls) reflects a broader context in which practices are considered to prevent, detect and respond to cyber-attacks, in addition to data protection and privacy.
Controls and Categories:
The new version of ISO/IEC 27002 contains a total of 93 controls instead of the 114 in the 2013 version. Note that none of the controls from the previous version were dropped in this update. Numerically, 58 controls were updated, 24 controls are the result of merging existing controls, and 11 new controls were added, as listed below:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
- 7.4 Physical security monitoring
Additionally, the controls are organized into four categories instead of the 14 present in the previous version. These categories are:
- Organizational (with 37 controls)
- Technological (with 34 controls)
- Physical (with 14 controls)
- People (with 8 controls)
Another significant change in the new version is the introduction of five control attributes that can be used to classify or present controls in different ways. These five attributes are:
- Control type (e.g. preventive, detective and corrective)
- Information security properties (confidentiality, integrity and availability)
- Cybersecurity concepts (following the NIST approach and its functions of identify, protect, detect, respond and recover)
- Operational capabilities (e.g. governance, asset management, human resource security)
- Security domains (e.g. protection, defence, resilience)
The use of attributes is not mandatory, but applying them makes it easier to categorize an organization's controls, and they can also help organizations apply the standard in a way that respects their business context.
New version of ISO/IEC 27001:
Following the ISO/IEC 27002 update, a new version of Annex A of ISO/IEC 27001 is expected to be published later this year. In general, the changes were made mainly to simplify the process of implementing controls. It is important to note that the main clauses of ISO/IEC 27001 (i.e. clauses 4 to 10, which cover scope, context and risk management, for example) will not be changed; only the controls in Annex A will be updated.
Until the new version of ISO/IEC 27001 is published, it is recommended that the Statement of Applicability (SoA) continue to reference Annex A of ISO/IEC 27001:2013, although it is worthwhile to consider the updates already made.
How to Prepare?
If your organization has already implemented the controls and/or holds ISO/IEC 27001 certification, it is advisable to acquire the updated ISO/IEC 27002 standard, review the changes introduced by the new version, carry out a new risk analysis, identify the main control structures (including new ones) that mitigate those risks, and update the Statement of Applicability along with existing policies and procedures. Officially, no deadline has yet been set for these activities (i.e. the transition period for adapting an already implemented ISMS), but it is likely to be two years from the date of official publication of the new ISO/IEC 27001.
One advantage of implementing the new controls is that, because they can be identified by attribute, they are easier to integrate with security processes, which simplifies management of the Information Security Management System (ISMS).
If your organization has not yet implemented the controls and/or does not hold ISO/IEC 27001 certification, it is advisable to start the implementation process by defining the scope and the people responsible, structuring the Information Security Policy, performing a risk analysis, and using Annex A of ISO/IEC 27001:2013 as the reference for structuring mitigating controls.
How can we help?
SAFEWAY is an information security consulting firm recognized by its customers for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated many successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.
Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, a service management system (SMS) or a business continuity management system (BCMS) and, consequently, the certification of operations, services or companies to the ISO/IEC 27001, ISO/IEC 20000 or ISO 22301 standards.