Preparing your Organisation for Changes to ISO/IEC27002
With the release of the revised 3rd edition of ISO/IEC27002, it’s time to start planning for the review of your ISMS to ensure that your controls are maintained, up to date and your cybersecurity risks are being managed effectively in line with recognised international best practices.
ISO/IEC27002 is designed to provide supporting guidance when considering, selecting, and implementing the controls contained in Annex A of ISO/IEC27001. While ISO 27002 is not a certifiable standard, compliance with its information security management guidelines brings your organisation one step closer to meeting ISO 27001 requirements.
The ISO/IEC Joint Technical Committee has undertaken a thorough and comprehensive review of the controls in ISO/IEC27002. The outcome means that ISO27001 Annex A will in time be updated accordingly to align it to the best practice guidance contained in ISO/IEC27002.
Firstly, the term “Code of Practice” has been dropped to better reflect the intended purpose of the standard as a set of “Reference Controls”.
Where there were previously 114 controls arranged around 14 clauses and 35 categories in the 2nd edition, there will now be 93 controls arranged around 4 core themes:
There are 11 brand new controls introduced as follows:
| Control Identifier | Control Name |
|---|---|
| 5.23 | Information Security for use of cloud services |
| 5.30 | ICT readiness for Business Continuity |
| 7.4 | Physical Security Monitoring |
| 8.12 | Data Leakage Prevention |
The introduction of the new controls recognises the growing importance of cloud service provision to organisations and the importance of robust data protection.
An interesting and useful inclusion in the 3rd edition of ISO/IEC27002 is the inclusion of “Attributes”. There are five of them: Control Type, Information Security Properties, Cybersecurity concepts, Operational Capabilities and Security Domains.

Operational Capabilities values include: #Human Resource Security, #System & Network Security, #Identity & Access Management, #Threat & Vulnerability Management, #Supplier Relationships Security, #Legal and Compliance, #Information Security Event Management, #Information Security Assurance.

Security Domains values include: #Governance & Ecosystem, #Defence & Resilience.
The inclusion of attributes introduces the opportunity to include reference to these in Statements of Applicability and introduces the ability to filter on the most appropriate and relevant controls when undertaking risk treatment activities.
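To make the filtering idea concrete, here is a small added example (not code from the original article, and not a CyberCX tool) of a Statement of Applicability helper: each control carries a set of tags per attribute, the SoA can be filtered on any combination of attributes, and a coverage check shows which attribute values have no applicable control behind them. The attribute tags assigned to the four new controls below are an illustrative tagging constructed for this example; verify them against the attribute tables published in ISO/IEC 27002:2022 before relying on them.

```python
"""Added example: attribute-tagged Statement of Applicability (SoA) filtering.
The control/attribute data is a constructed illustration, not the standard's
official attribute assignments."""
from dataclasses import dataclass

# The five attribute categories introduced in ISO/IEC 27002:2022.
ATTRIBUTES = ("control_type", "is_properties", "cs_concepts",
              "op_capabilities", "sec_domains")


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: frozenset
    is_properties: frozenset
    cs_concepts: frozenset
    op_capabilities: frozenset
    sec_domains: frozenset
    applicable: bool = True       # SoA decision for this organisation
    justification: str = ""       # why included / excluded


def make_control(ident, name, ct, isp, cs, oc, sd, applicable=True, justification=""):
    return Control(ident, name, frozenset(ct), frozenset(isp), frozenset(cs),
                   frozenset(oc), frozenset(sd), applicable, justification)


# Constructed sample: the four new controls named in the article, with
# illustrative attribute tags (check against the published standard).
SAMPLE_CONTROLS = [
    make_control("5.23", "Information security for use of cloud services",
                 ["#Preventive"], ["#Confidentiality", "#Integrity", "#Availability"],
                 ["#Protect"], ["#Supplier_relationships_security"],
                 ["#Governance_and_Ecosystem", "#Protection"]),
    make_control("5.30", "ICT readiness for business continuity",
                 ["#Corrective"], ["#Availability"], ["#Respond"],
                 ["#Continuity"], ["#Resilience"]),
    make_control("7.4", "Physical security monitoring",
                 ["#Preventive", "#Detective"],
                 ["#Confidentiality", "#Integrity", "#Availability"],
                 ["#Protect", "#Detect"], ["#Physical_security"],
                 ["#Protection", "#Defence"]),
    make_control("8.12", "Data leakage prevention",
                 ["#Preventive", "#Detective"], ["#Confidentiality"],
                 ["#Protect", "#Detect"], ["#Information_protection"],
                 ["#Protection", "#Defence"],
                 applicable=False,
                 justification="No regulated data processed (constructed example)"),
]


def filter_controls(controls, **criteria):
    """Return the controls that carry every requested tag.

    Each keyword is an attribute name; its value is one tag or an iterable of
    tags that must all be present, e.g. cs_concepts="#Detect".
    """
    wanted = {}
    for attr, tags in criteria.items():
        if attr not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {attr!r}; expected one of {ATTRIBUTES}")
        wanted[attr] = frozenset([tags] if isinstance(tags, str) else tags)
    return [ctl for ctl in controls
            if all(req <= getattr(ctl, attr) for attr, req in wanted.items())]


def soa_rows(controls):
    """Flatten controls into SoA rows: (id, name, applicable, justification, tags)."""
    rows = []
    for ctl in controls:
        tags = " ".join(sorted(t for attr in ATTRIBUTES for t in getattr(ctl, attr)))
        rows.append((ctl.ident, ctl.name, "Yes" if ctl.applicable else "No",
                     ctl.justification, tags))
    return rows


def coverage_gaps(controls, attr, expected_tags):
    """Tags in expected_tags that no *applicable* control carries for `attr`.

    Spots, for example, a cybersecurity concept with no applicable control.
    """
    covered = set()
    for ctl in controls:
        if ctl.applicable:
            covered |= getattr(ctl, attr)
    return sorted(set(expected_tags) - covered)


if __name__ == "__main__":
    for row in soa_rows(filter_controls(SAMPLE_CONTROLS, cs_concepts="#Detect")):
        print(row)
    print("Concepts without an applicable control:",
          coverage_gaps(SAMPLE_CONTROLS, "cs_concepts",
                        ["#Identify", "#Protect", "#Detect", "#Respond", "#Recover"]))
```

Filtering on several attributes at once (for instance `cs_concepts="#Protect"` together with `sec_domains="#Governance_and_Ecosystem"`) is what lets a risk treatment plan pull out only the controls relevant to one theme, and the coverage check is a quick sanity test that an SoA has not excluded every control behind a concept or domain.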
International Standards typically enter revision periods every 5 years after release. This ensures that they are reviewed and revised by an international panel of industry experts and standards writers, thus ensuring they remain relevant and up to date with changes in the external environment.
In the case of information security standards, it is vital that they maintain pace and are modernized in line with changes to technology and the ever evolving threat landscape.
The need for simplification of the controls has been recognized and implemented following feedback regarding the sheer number of controls in the second edition and the need for a less complex structure when implementing and maintaining the controls.
The changes are designed to allow for versatility in approach, helping organisations and industry bodies select and apply the controls in their own context.
Firstly, there is no need to panic. Take time to read ISO/IEC27002, focusing on the 11 new controls and the 58 updated ones.
Once you are confident that you understand the controls and their intent, take some time to review your ISMS risk assessment and compare your existing controls to those contained in the 3rd edition of ISO/IEC27002. This may mean that you need to undertake additional risk treatment actions or revisit existing policies and operational controls to ensure they remain relevant.
Review and update your Statement of Applicability to align the controls to your ISMS. Consider inclusion of the attributes to allow for filtering and possible consolidation of controls.
Take the opportunity to communicate all these changes to the organisation to maintain awareness and promote the use of the new controls and changes that have been made to the ISMS.
Not immediately. There will be a transition period (normally at least 2 to 3 years) for the changes to be considered, implemented and externally assessed. Speak to your certification body assessor at their next planned visit to map out a sensible timeline for transition which works for both parties and fits your own certification lifecycle.
The controls themselves are not to be considered mandatory; they supplement the requirement in ISO27001 clause 6.1.3 c), which refers to Annex A of the standard, where the controls are listed.
As already mentioned, Annex A in ISO27001 will, in time, be revised to remain aligned with ISO/IEC27002. For the time being, however, you will still need to demonstrate that you have considered and referenced the controls contained in Annex A of ISO27001 when undertaking ISMS risk treatment activities, so as to verify that none have been omitted.
Other support standards in the ISO 27000 family will also be impacted by the revision of ISO 27002 and include:
CyberCX has hosted a webinar series that outlined the changes made to ISO/IEC 27002:2022, demonstrated how the third edition has been updated and simplified to make adoption easier. Watch the webinar recordings to learn about how these changes will affect your ISMS and how your organisation can prepare to implement them.