Impacts on ISO 27001
ISO 27002 is the companion standard to ISO 27001 and provides best practices for implementing information security controls. The latest version, ISO 27002:2022, was published on February 15, 2022, and replaces ISO 27002:2013. ISO 27002 is an authoritative source, and these changes will impact ISO 27001 compliance.
ISO 27002:2022 completely restructures the controls: the 14 main sections of the 2013 edition are reworked into four new main sections and two annexes:
- Organizational security controls (clause 5, 37 security controls)
- Human security controls (clause 6, 8 security controls)
- Physical security controls (clause 7, 14 security controls)
- Technological security controls (clause 8, 34 security controls)
- Annex A: Using attributes
- Annex B: Mapping to ISO 27002:2013
The new structure improves the high-level understanding of which security controls apply and who is responsible for them.
ISO 27002:2022 reduces the number of security controls from 114 to 93. Most of this reduction comes from consolidating controls, reflecting advances in technology and improvements in how controls are implemented.
- 11 new controls
- 24 controls merged
- 23 controls renamed
- 1 control eliminated
- 34 controls unchanged, except for their reference number
The new version adds a future-proofing schema through the introduction of attribute hashtags. These are intended to enable a standardized approach to sorting and filtering security controls using different views, which facilitates and simplifies the integration of ISO 27002:2022 security controls with comparable information security standards, such as the NIST Cybersecurity Framework.
Attributes for each security control include:
- Control Type: Preventive, Detective, and Corrective.
- Information Security Properties: Confidentiality, Integrity, Availability.
- Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover.
- Operational Capabilities: Governance, Asset Management, Information Protection, Personnel Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Vulnerability Management, Continuity, Supplier Relationship Security, Legal and Compliance, Security Information and Event Management, Information Security Assurance.
- Security Domains: Governance and Ecosystem, Protection, Defense, Resilience.
For companies already certified or in the process of certification, there is a 2-year transition period that begins once ISO 27001 is officially updated to align with the new controls, at a future date.
When ISO 27001 Annex A is updated with the new controls:
- Perform a new risk assessment
- Update your risk treatment plan
- Align with the new structure and classification of security controls
- Update the controls in the Statement of Applicability
- Update policies and procedures
- Implement control changes