- 2022-04-06
Introduction
Every day, cybercriminals are finding new and more advanced ways to get access to electronic data stored on a computer or a network. The COVID-19 pandemic, hybrid-working, technology updates, and other changes in business operation, have made it easier for cybercriminals to tackle the vulnerabilities of systems and attack them. Thus, to help organizations keep their information security management systems up-to-date and continue their operations without disrupting their normal business flow, ISO/IEC 27002 standard has been revised.
The recently updated ISO/IEC 27002:2022 Standard is used as a reference set of generic information security controls, including implementation guidance. It is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.
The revision of this standard aims to provide organizations with modernized and simplified methods to manage and select the security controls that fit best with the organization’s scope, while also taking current information security concerns into account.
Introduction
Every day, cybercriminals are finding new and more advanced ways to get access to electronic data stored on a computer or a network. The COVID-19 pandemic, hybrid-working, technology updates, and other changes in business operation, have made it easier for cybercriminals to tackle the vulnerabilities of systems and attack them. Thus, to help organizations keep their information security management systems up-to-date and continue their operations without disrupting their normal business flow, ISO/IEC 27002 standard has been revised.
The recently updated ISO/IEC 27002:2022 Standard is used as a reference set of generic information security controls, including implementation guidance. It is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.
The revision of this standard aims to provide organizations with modernized and simplified methods to manage and select the security controls that fit best with the organization’s scope, while also taking current information security concerns into account.
Differences between the 2013 version and the new 2022
The differences between the older version and the recently published one start with the name of the standard and continue with the number of controls, themes, and the introduction of attributes.
The older version, ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls, was introduced as a code of practice, while the recently published one is presented as a reference set of generic information security controls and guidance. The new name, ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls, reflects the broad intention of detecting, preventing, and responding to cyberattacks and protecting data in general.
The 2013 version consisted of 114 controls, while the 2022 version has a total of 93 controls. Some controls have been updated or merged but none of the controls have been deleted, and 11 new controls have been added in accordance with the current cybersecurity and information security settings. See the list of modified and new controls.
To better allocate responsibilities inside the organization for information security improvement and simplify the implementation, the number of control groups has been reduced from 14 to 4 themes:
• Organizational (37 controls)
• People (8 controls)
• Physical (14 controls)
• Technological (34 controls)
In addition, the introduction of attributes to the new ISO/IEC 27002:2022 standard is considered a highly important feature. The 5 attributes make this standard more convenient to use by organizations. They are linked to specific controls to assist enterprises in better understanding, classifying, and implementing controls as required by their industry.
5 Attributes:
• Control type: preventive, detective, and/or corrective.
• InfoSec properties: confidentiality, integrity, and/or availability.
• Cybersecurity concepts: identify, protect, detect, respond, and/or recover.
• Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management, and information security assurance.
• Security domains: governance and ecosystem, protection, defense, and resilience.
• Organizational (37 controls)
• People (8 controls)
• Physical (14 controls)
• Technological (34 controls)
In addition, the introduction of attributes to the new ISO/IEC 27002:2022 standard is considered a highly important feature. The 5 attributes make this standard more convenient to use by organizations. They are linked to specific controls to assist enterprises in better understanding, classifying, and implementing controls as required by their industry.
5 Attributes:
• Control type: preventive, detective, and/or corrective.
• InfoSec properties: confidentiality, integrity, and/or availability.
• Cybersecurity concepts: identify, protect, detect, respond, and/or recover.
• Operational capabilities: governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management, and information security assurance.
• Security domains: governance and ecosystem, protection, defense, and resilience.
By having each control defined and grouped, an organization can manage their time and focus on the most valuable controls that meet their needs, thus, benefiting more from the standard itself.
Furthermore, attributes enable organizations to integrate other security management systems and frameworks too.
Organizations that already use the ISO/IEC 27002:2013 standard and do not have these attributes linked to their controls can use the ISO/IEC 27002:2022 Annex A—Using attributes for a better understanding of how to use them with their controls. On the other hand, the newly added Annex B—Correspondence of ISO/IEC 27002:2022 with ISO/IEC 27002:2013, allows certified organizations to easily upgrade to the ISO/IEC 27002:2022 standard by providing detailed information on which controls are new and which have been merged.
The adoption of these changes will ensure that businesses are able to maintain continuous control over their information security, despite the nature of cyberattacks changing.
How do these changes affect the organizations that already use this standard?
Many organizations that are already using ISO/IEC 27002 are concerned about how they will address the new updates. For certified organizations that have already implemented an Information Security Management System based on ISO/IEC 27001:2013, there will be a transition period to align with the new ISO/IEC 27002 controls. This will be effective after the new version of ISO/IEC 27001 is officially released. The updated version of ISO/IEC 27001:2022 is expected to be published towards the end of Q2 2022, possibly Q3 2022.
In addition, both the newly added Annex A and Annex B of ISO/IEC 27002 assist in addressing this revised standard. As mentioned above, Annex A explains the use of attributes, which aim to help organizations combine different controls for various usages. On the other hand, Annex B provides references for control identifiers of the 2013 edition to maintain reliability.
These annexes will help organizations determine the appropriate controls that fit within their information security management systems and are deemed to improve the relevance of such systems.
After these new controls are added to ISO/IEC 27001, organizations need to consider the following:
1) The list of controls should be aligned in the Statement of Applicability (SoA);
2) Policies and procedures should be updated, and if necessary, create new documents that correspond with the new controls;
3) The risk treatment process should be reviewed and adapted to the new controls;
4) Internal Audit Program should be updated and aligned with the updated controls as per ISO/IEC 27002:2022.
Organizations need to adapt to these changes, specifically the 11 new controls, which should be addressed and included in risk treatment and documentation. This process will be the biggest challenge for organizations that want to transition from the old to the new control set, as they must recognize what should be included in the implementation of those new controls. Logically, organizations need to determine first, whether such controls are applicable for implementation based on their risk assessment. Nevertheless, organizations need to understand that they might face some additional challenges and complex issues while adapting to some of these new controls.
Hence, to attain the most out of this revised standard, every organization that wants to address their changing business needs should review, evaluate, and carefully consider the new control set mentioned in ISO/IEC 27002:2022, and implement them in a suitable way to their management system already in place.
However, considering that ISO/IEC 27002:2022 provides a detailed explanation of each control, this will ease the transition process for organizations. Additionally, the set of attributes added to the new version of ISO/IEC 27002 will make the process of selecting controls easier and more effective.
How do these changes affect the organizations that already use this standard?
Many organizations that are already using ISO/IEC 27002 are concerned about how they will address the new updates. For certified organizations that have already implemented an Information Security Management System based on ISO/IEC 27001:2013, there will be a transition period to align with the new ISO/IEC 27002 controls. This will be effective after the new version of ISO/IEC 27001 is officially released. The updated version of ISO/IEC 27001:2022 is expected to be published towards the end of Q2 2022, possibly Q3 2022.
In addition, both the newly added Annex A and Annex B of ISO/IEC 27002 assist in addressing this revised standard. As mentioned above, Annex A explains the use of attributes, which aim to help organizations combine different controls for various usages. On the other hand, Annex B provides references for control identifiers of the 2013 edition to maintain reliability.
These annexes will help organizations determine the appropriate controls that fit within their information security management systems and are deemed to improve the relevance of such systems.
After these new controls are added to ISO/IEC 27001, organizations need to consider the following:
1) The list of controls should be aligned in the Statement of Applicability (SoA);
2) Policies and procedures should be updated, and if necessary, create new documents that correspond with the new controls;
3) The risk treatment process should be reviewed and adapted to the new controls;
4) Internal Audit Program should be updated and aligned with the updated controls as per ISO/IEC 27002:2022.
Organizations need to adapt to these changes, specifically the 11 new controls, which should be addressed and included in risk treatment and documentation. This process will be the biggest challenge for organizations that want to transition from the old to the new control set, as they must recognize what should be included in the implementation of those new controls. Logically, organizations need to determine first, whether such controls are applicable for implementation based on their risk assessment. Nevertheless, organizations need to understand that they might face some additional challenges and complex issues while adapting to some of these new controls.
Hence, to attain the most out of this revised standard, every organization that wants to address their changing business needs should review, evaluate, and carefully consider the new control set mentioned in ISO/IEC 27002:2022, and implement them in a suitable way to their management system already in place.
However, considering that ISO/IEC 27002:2022 provides a detailed explanation of each control, this will ease the transition process for organizations. Additionally, the set of attributes added to the new version of ISO/IEC 27002 will make the process of selecting controls easier and more effective.
