Last Updated on January 19, 2024
After eight years, ISO 27002:2022 is finally here. The changes are not just about the controls themselves, but also about making them easier to understand and apply.
What does that mean for your business?
Luckily, the transition should be pretty seamless…
But if you’re worried, have no fear because in today’s episode I’m joined by Danny Manimbo and Ryan Mackie, Company Principals at Schellman, who helped design the new standard.
Join us as we discuss:
- What’s new with ISO 27002
- What has stayed the same
- The reasoning behind the update to the standard
- The grace period for getting certified
What’s New with ISO 27002?
There’s a lot that is new with ISO 27002, but Danny and Ryan were able to give us a mile high view.
“ISO 27002 is getting away from that control objective format that everybody’s used to. It’s a pivot away from that in a more simplified approach with those themes.” — Ryan Mackie
First of all, there was a net drop of 21 controls. ISO 27002 went from 114 to 93 controls, spread across the four new domains. The organizational and technology clauses include over 75% of the new control set.
24 of the new controls reflect a consolidation of 56 controls from the 2013 version. Each of these 24 new controls incorporates at least two, and sometimes up to four, controls from the 2013 version. For example, controls 11.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.
There are also 11 new controls, reflecting changes in threats, technology and regulatory focus since 2013. Examples include 5.23 Information security for use of cloud services, 8.28 Secure coding and 5.7 Threat intelligence.
Other significant changes come under the “ease of use” heading. These include rationalizing the former 14 sections down to just four, plus two annexes. To help filter, understand and apply controls, as well as map them to other security frameworks, each control is now associated with various attributes, like Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover) and Control types (Preventive, Detective and Corrective).
What’s Stayed the Same?
Needless to say, a lot has changed, but it’s not all new. In fact, all the controls from the prior version found a home somewhere in ISO 27002:2022, and 35 controls are unchanged except for their number.
One of the key control areas that made it to the new version with few overall changes are the physical security controls (now clause 7). With the update from the 2013 version, the “traditional” physical security controls have been augmented with new controls around physical security monitoring.
“A lot of the new controls are as a result of some of those changes in the technological landscape, either over the last 10 years, or since spring of 2020 with the onset of COVID.” — Danny Manimbo
The concept of physical security is still prominent in ISO 27002, despite the fact that so much of the world is now working remotely.
Why the New Changes?
Anytime there’s an update to a set of controls, it’s important to know the rationale behind the changes. In this case it’s obvious: technology, threats and regulations have all changed massively since 2013. Cloud/SaaS adoption has skyrocketed, for example. Likewise, the shift from people working behind firewalls to the vaporization of the organizational perimeter with COVID has radically changed network security demands.
Many other changes, like the restructuring and the addition of attributes, are meant to help you apply the guidance in your environment, as well as align your ISO 27002 controls with other information security frameworks. The latter is more important than ever as many organizations now need to demonstrate compliance with multiple cyber frameworks, e.g., ISO 27001 and NIST 800-171 in US government supply chains.
How Long Do You Have?
If this change is impacting you, how long do you have to make your changes and bring your ISO 27001 certified Information Security Management System (ISMS) in line with the new updated ISO 27002?
Take heart. Nobody is beating down your door to make sure that you’re compliant with the new version of the standard. A transition period is necessary to allow ISO certification bodies, as well as certified organizations, to implement changes so their certificates aren’t negatively impacted. While it hasn’t yet been officially announced, it’s logical and likely that the transition timeframe for certified firms to move to a new or amended version of ISO 27001 will be two years.
For instance, if a new ISO 27001:2022 is published in June 2022, you would theoretically have until May 31st of 2024 to be certified under that new version of the standard. But that doesn’t mean you should wait. Start making your plans now and set yourself up for success.
What’s next?
To listen to the podcast on ISO 27002:2022 in its entirety, click here.
Looking for more tips on getting ready for ISO 27000 family changes? We recommend this recent post: Are You Ready for the New ISO 27001:2022?