The New ISO/IEC 27002:2022 – What’s in it?
Dolf van der Haven
Governance, Risk and Compliance | Information Security, Service Management, Quality Management | Chicken farmer
The new version of ISO/IEC 27002 has been released recently, replacing the 2013 version. 27002 is the accompanying document to the International Standard for Information Security, ISO/IEC 27001:2013 and describes an extensive list of controls organizations can use to mitigate information security risks.
The heavy focus of the information security community in the context of the ISO standards has often been on the controls, whereas information security, and therefore the 27001 standard, is primarily about risk management. Only by doing proper risk management do you end up with controls to handle risks, so the controls are necessarily secondary. The new 27002 is also very explicit about where information security requirements are derived from:
- Risk assessment;
- Legal, statutory, regulatory and contractual requirements;
- (Internal) principles, objectives and business requirements.
Structure of ISO/IEC 27002:2022
The new 27002 is now simply called “Information Security Controls” and no longer “Code of Practice for Information Security Controls”. The aim is therefore now more on listing possible controls an organization may use than on providing an integrated whole that would constitute “best practice” in information security.
The total number of controls in the 2022 edition is 93, down from the 140 in the 2013 edition. However, all controls from 2013 are still there: many have simply merged into single controls of the 2022 edition.
The 93 controls have been divided into four large “Themes”:
1. Organizational controls (37)
2. People controls (8)
3. Physical controls (14)
4. Technological controls (34)
All controls get a large number of “Attributes” attached to them, which themselves are subdivided into five categories:
a. Control type: preventive, detective or corrective;
b. Information security properties: confidentiality, integrity, availability (CIA);
c. Cybersecurity concepts: identify, protect, detect, respond, recover;
d. Operational capabilities: 15 capabilities, ranging from governance, asset management and HR to physical security;
e. Security domains: governance and ecosystem, protection, defence, resilience.
All the attributes are used with annoying hashtags (#preventive, #confidentiality, etc.) to “make searching easier”, but this does not improve the clarity of the document at all. They may come in handy in case you want to publish your controls on social media, though!
Mergers and Acquisitions
Despite what the foreword states, no controls from 2013 have been deleted. I remember an earlier draft of the document where it seemed some old controls were gone, but according to Table B.2 — Correspondence between controls in ISO/IEC 27002:2013 and controls in ISO/IEC 27002:2022, there is a complete mapping from the 2013 to the 2022 edition.
What did happen was several mergers. For instance, the old controls 5.1.1 and 5.1.2 about policies for information security are now contained in a single control 5.1 Information security policies. Controls 8.3.1, 8.3.2 and 8.3.3 on handling of removable media are now contained in a single control 7.10 Media handling. This obviously reduces the number of controls considerably, so space was made for new controls.
The new controls are as follows:
5.7 Threat intelligence
5.23 Information security for cloud services (but see ISO/IEC 27017 for a more extensive set of controls related to cloud services)
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding
With these new controls, some gaps in the old list have been closed and the standard has caught up with ICT developments since 2013.
What’s next?
The current ISO/IEC 27001:2013 is being updated with this new set of controls and will be published as an Amendment later this year. This is not a formal revision of the standard, though: after the amendment has been published, a full revision of 27001 will be done, which will incorporate potentially larger changes, including the new text of the Harmonized Approach, the common text and structure for all management system standards.
Information Security and Quality Management
It is also worth noting that the new 'ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection - Guidance on managing information security risks' has also been released today. https://www.iso.org/standard/80585.html