On February 16, 2022, ISO (International Organization for Standardization) published the ISO 27002 update, a standard designed for use by organizations as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on the certifiable standard ISO/IEC 27001.
The 2022 publication is the third version of the ISO 27002 standard: the first version was published in 2005 and the second in 2013, establishing an update cycle of every eight to nine years. It is currently only available in English.
Structure of the ISO 27002:2022 Standard
The new version of the ISO 27002 standard has the following structure:
Introduction: contextualizes the value of information for organizations, how information security is achieved through the implementation of a set of security controls, the information security requirements that an organization must determine, the determination of controls to protect information, considerations of the information lifecycle (from creation to deletion), and the relationship of this standard with other standards (especially the ISO/IEC 27000 family).
- Clause 1 – Scope: indicates that this document is designed for organizations to use as a reference for the selection of controls in the process of implementing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard.
- Clause 2 – Normative references: there are no normative references in this standard.
- Clause 3 – Terms, definitions, and abbreviated terms: lists a set of terms, definitions, and abbreviations that apply in the context of this standard.
- Clause 4 – Document structure: defines the clauses, topics, and attributes used in the document, and the layout of each control included in the standard.
- Clauses 5 to 8: give the control name, attribute table, purpose, implementation guidance, and other information (where applicable) for the security controls, grouped as follows:
- Organizational (Clause 5).
- People (Clause 6).
- Physical (Clause 7).
- Technological (Clause 8).
- Annex A: This annex provides a table to demonstrate the use of attributes as a way to create different views of the controls.
- Annex B: Correspondence between ISO/IEC 27002:2022 and ISO/IEC 27002:2013
- Bibliography: List of other standards and documents used in this standard.
Main New Features of the ISO 27002:2022 Standard
Below is a summary of the main changes in the ISO 27002:2022 standard compared to the previous version:
- Change in the name of the standard: The term “Code of practice” has been removed from the name of the new ISO 27002 standard. Its current name is “Information security, cybersecurity and privacy protection – Information security controls”, which reflects a broader context and now includes the prevention, detection, and response to cyberattacks, as well as data protection.
- Changes in security controls: The ISO 27002:2013 standard contained 114 controls (divided into 14 sections). The 2022 version contains 93 controls, divided into 4 clauses that focus on the context in which the control is applied, as follows:
- Organizational Controls: 37 controls
- People Controls: 8 controls
- Physical Controls: 14 controls
- Technological Controls: 34 controls
Of the current 93 controls:
- 58 have been updated
- 24 represent the merging of previous controls
- 11 have been introduced as new controls
This new approach also entails the disappearance of the “control objective” concept, although an attribute is included that allows the specific classification of the control into one or more of 15 established categories, as indicated in the following section.
- Control attribute structure: each of the 93 controls contains a particular attribute structure that determines:
- Control type: attribute to view the controls from the perspective of when and how the control modifies the risk with respect to the occurrence of an information security incident, identifying whether it is Preventive, Detective, or Corrective.
- Information security properties: attribute to view the controls from the perspective of what characteristics of the information the control will contribute to preserving: Confidentiality, Integrity, or Availability.
- Cybersecurity Concepts: attribute to view the controls from the perspective of their association with the cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110 and used in other frameworks such as the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.
- Operational Capabilities: attribute to view the controls from the practitioner's perspective of information security capabilities. The values of this attribute are:
- Governance
- Asset management
- Information protection
- Human resources security
- Physical security
- Systems and network security
- Application security
- Secure configuration
- Identity and access management
- Threat and vulnerability management
- Continuity
- Security of relationships with suppliers
- Legal compliance
- Information security event management
- Information assurance
- Security Domains: attribute that allows you to view the controls from the perspective of four information security domains: Governance and ecosystem, Protection, Defense, Resilience
Example
Below is an example of the assignment of labels to the attributes of the controls, taking as a reference one of the new technological controls included in this version:
8.23 Web Filtering
| Control type | Information security properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Systems and network security | #Protection |
Control
Access to external websites should be managed to reduce exposure to malicious content.
Purpose
Protect systems from being compromised by malware and prevent access to unauthorized web resources.
Guide
The organization should reduce the risks of its staff accessing websites that contain illegal information or are known to contain viruses or phishing material. One technique to achieve this works by blocking the IP address or domain of the website in question. Some browsers and anti-malware technologies do this automatically or can be configured to do so…[1]
[1] Unofficial Translation
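As an added illustration (not part of the original article or of the standard), the attribute structure described above and the 8.23 tagging example can be modelled so that attribute values are validated against the defined sets and "views" of the controls are generated the way Annex A describes. The 8.23 entry uses the tags shown above; the tags on 5.7 and 8.16 are assumed values entered for illustration and should be checked against the standard text.

```python
from dataclasses import dataclass

# Allowed values per attribute, using the wording of the summary above.
ATTRIBUTE_VALUES = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "properties": {"Confidentiality", "Integrity", "Availability"},
    "concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "capabilities": {
        "Governance", "Asset management", "Information protection", "Human resources security",
        "Physical security", "Systems and network security", "Application security",
        "Secure configuration", "Identity and access management", "Threat and vulnerability management",
        "Continuity", "Security of relationships with suppliers", "Legal compliance",
        "Information security event management", "Information assurance"},
    "domains": {"Governance and ecosystem", "Protection", "Defense", "Resilience"},
}

@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    tags: dict  # attribute name -> set of assigned values

def validate(control):
    """Return problems: unknown attributes, values outside the defined set, missing attributes."""
    problems = []
    for attr, values in control.tags.items():
        if attr not in ATTRIBUTE_VALUES:
            problems.append(f"{control.ref}: unknown attribute {attr!r}")
            continue
        for v in sorted(values - ATTRIBUTE_VALUES[attr]):
            problems.append(f"{control.ref}: {v!r} is not a valid {attr} value")
    for attr in sorted(set(ATTRIBUTE_VALUES) - set(control.tags)):
        problems.append(f"{control.ref}: missing attribute {attr!r}")
    return problems

def view(controls, **criteria):
    """Controls carrying every requested value, e.g. view(cs, concepts={"Detect"})."""
    return [c for c in controls
            if all(set(v) <= c.tags.get(a, set()) for a, v in criteria.items())]

CIA = {"Confidentiality", "Integrity", "Availability"}
CONTROLS = [  # 8.23 as tagged in the example above; tags on 5.7 and 8.16 are assumed
    Control("5.7", "Threat intelligence", {"control_type": {"Preventive", "Detective", "Corrective"},
            "properties": CIA, "concepts": {"Identify", "Detect", "Respond"},
            "capabilities": {"Threat and vulnerability management"}, "domains": {"Defense", "Resilience"}}),
    Control("8.16", "Monitoring activities", {"control_type": {"Detective", "Corrective"}, "properties": CIA,
            "concepts": {"Detect", "Respond"}, "capabilities": {"Information security event management"}, "domains": {"Defense"}}),
    Control("8.23", "Web filtering", {"control_type": {"Preventive"}, "properties": CIA, "concepts": {"Protect"},
            "capabilities": {"Systems and network security"}, "domains": {"Protection"}}),
]
```

Running `validate` over a statement of applicability before an audit catches misspelt or missing attribute tags, and `view` produces the per-attribute listings that Annex A uses to show different cuts of the control set.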
Implications for ISO 27001
The ISO 27001 standard, whose current version is still the 2013 edition, has an Annex A that refers to the 114 security controls detailed in ISO 27002:2013. Given the publication of ISO 27002:2022, Annex A of ISO 27001 is expected to be aligned with these changes, so an update of Annex A of ISO 27001 is expected at some point during the current year.
When this event occurs, organizations certified in ISO 27001:2013 that wish to maintain their certification taking into account the new Annex, must consider the following:
- Update your risk treatment process considering the new controls
- Update your statement of applicability
- Adapt some sections of your existing policies and procedures.
- Adapt some security metrics and indicators
Those organizations that do not update their ISMS considering the changes of Annex A, may have their certification revoked.
To carry out this update, organizations have a transition period that is typically 2 years from the official update date.
How Can We Help You?
- Saving 27% more time and using fewer resources with the software, obtaining better results and their consolidation.
- Making the processes relating to ISO 27001 25% more efficient.
- Achieving 28% more efficiency in carrying out risk analyses.
- Completing the continuous improvement cycle up to 26% faster, without duplication of information and with more reliable results.
- Managing the regulations of your management system with 27% more efficiency and involving the other people with responsibilities within the Information Security procedures.
- Monitoring the actions of personnel through the automatic registration of modifications, avoiding loss of information and controlling changes to the data.
- Possibility of synchronizing with your company's other software, to benefit from the management of other areas such as employees, processes, incidents, etc.
- Leaving application maintenance to the provider: application security, backups against loss of information, availability, etc.