ISO 27002:2022
May 21st, 2024 - Written By CyberLabs
Background
- The ISO 27001 is the international standard for Information Security management from the International Organization for Standardization. It is a management process to evaluate, implement and maintain an ISMS.
- By aligning your data security with ISO standards, your organization stands out as operating according to international best practices. Investors, stakeholders as well as new and existing clientele can rest assured your organization’s data is secure using ISO standards
- ISO 27001 is a comprehensive set of controls comprised of best practices in information security
- It’s not a technical standard & is not driven by any product or technology. It is adopted widely all over the world, covering governments, banking, telecom, manufacturing industries.
What’s New?
- In 2022 February, ISO published ISO 27002:2022 Information Security, Cybersecurity and Privacy Protection Information Security Controls. This will serve as the new guideline for implementation of controls outlined in ISO 27001:2022
- This is a revised version from ISO 27002:2013 with controls emphasize cloud security, privacy and work from home controls.
- ISO 27001 provides only a list of security controls but does not explain how they can be implemented; ISO 27002 lists those very same controls and provides guidance on how they could be implemented. However, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.
- ISO 27001:2022 was published on October 2022 and organizations are given 3 years’ time to transition to ISO 27001:2022 after it is published.
Changes in ISO 27001: 2022
- Renamed to ISO 27001:2022 Information security, cybersecurity and privacy protection Information security controls from Information technology — Security techniques — Code of practice for information security controls
- Main part of ISO 27001, i.e., clauses 4 to 10, are not changing.
- Only the security controls listed in ISO 27001 will be updated.
- The number of controls has decreased from 114 to 93. Controls are placed in 4 sections instead of the previous 14.
- Each of the 93 controls in ISO 27002:2022 has been associated with 5 Attributes in Annexure A
- There are 11 new controls, while none of the controls were deleted, many controls were merged.
- The control sets are now organized into four (4) categories or themes as opposed to fourteen (14) control domains.
- There are two Annexures in the standard,
-
- Annexure A – To map the attributes
- Annexure B – A Map between ISO 27002:2013 and ISO 27002:2013
ISO 27002:2013 and ISO 27002: 2022 A Comparison
ISO 27002:2013 we had 114 controls, divided over 14 chapters. But in ISO 27002:2022 it contains 93 controls, divided into 4 chapters:
- Organizational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
20% Reduction of Controls compared to 2013 version
A.5 Information security policies (2 controls) A.6 Organization of information security (7 controls) A.7 Human resource security (6 controls) A.8 Asset management (10 controls) A.9 Access control (14 controls) A.10 Cryptography (2 controls) A.11 Physical and environmental security (15 controls) A.12 Operations security (14 controls) A.13 Communications security (7 controls) A.14 System acquisition, development, and maintenance (13 controls) A.15 Supplier relationships (5 controls) A.16 Information security incident management (7 controls) A.17 Information security aspects of business continuity management (4 controls) A.18. Compliance (8 controls)
|
5. Organizational (37 controls) 6. People (8 controls) 7. Physical (14 controls) 8. Technological (34 controls)
|
The 93 controls in ISO 27002:2022 is composed of:
- 38 Controls similar to 2013 version
- 24 merged controls (57 controls from 2013 version have been merged into 24 controls)
- 20 controls renamed
- 11 new controls
11 New Controls
5.7 – Threat intelligence
5.23 – Information security for use of cloud services
5.30 – ICT readiness for business continuity
7.4 – Physical security monitoring
8.9 – Configuration management
8.10 – Information deletion
8.11 – Data masking
8.12 – Data leakage prevention
8.16 – Monitoring activities
8.23 – Web Filtering
8.28 – Secure Coding
Attributes
One of an addition to the standard is the introduction of attributes. All the 93 controls are associated with these attributes.
- Control Types – what kind of type is the control?
#Preventive, #Detective, #Corrective
2.Information security properties – Which property from CIA will be protected?
#Confidentiality, #Integrity, #Availability
3. Cyber security concepts – What is the action taken by the control?
#Identify, #Protect, #Detect, #Respond, #Recover
4. Security Domains – What area is concerned?
#Governance and ecosystem, #Protection, #Defense, #Resilience
5.Operational Capabilities – Which specialization is the control associated with?
#Governance, #Asset Management, #Information Protection, #Human Resource Security, #Physical Security, #System and network security, #Application security, #Secure Configuration, #Identity and access management, #Threat and vulnerability management, #Continuity, #Supplier relationship security, #Legal and compliance, #Information security event management, #Security assurance
Moving Forward
- Organizations will have 3 years’ time to transition to ISO 27001:2022 after it is published. Which means organizations need to be transitioned to the new version by 31 October 2025.
- In the meantime, organizations interested or affected can continue to dissect the details within ISO 27002:2022 so that their understanding is as thorough as possible for when their latest certification phase begins under these new requirements.
-
- To update your risk assessment process with new controls
- To update your risk treatment process with new controls
- To update your Statement of Applicability
- To adapt certain sections in your existing policies and procedures.