Preparing your Organisation for Changes to ISO/IEC27002
Paul Robinson
GRC Consultant
CyberCX
With the release of the revised 3rd edition of ISO/IEC27002, it’s time to start planning for the review of your ISMS to ensure that your controls are maintained, up to date and your cybersecurity risks are being managed effectively in line with recognised international best practices.
What is ISO/IEC27002?
ISO/IEC27002 is designed to provide supporting guidance when considering, selecting, and implementing the controls contained in Annex A of ISO/IEC27001. While ISO 27002 is not a certifiable standard, compliance with its information security management guidelines brings your organisation one step closer to meeting ISO 27001 requirements.
The ISO/IEC Joint Technical Committee has undertaken a thorough and comprehensive review of the controls in ISO/IEC27002. The outcome means that ISO27001 Annex A will in time be updated accordingly to align it to the best practice guidance contained in ISO/IEC27002.
What is Changing in ISO/IEC27002?
Firstly, the term “Code of Practice” has been dropped to better reflect the intended purpose of the standard as a set of “Reference Controls”.
Where there were previously 114 controls arranged around 14 clauses and 35 categories in the 2nd edition, there will now be 93 controls arranged around 4 core themes:
- Organisational Controls (37 controls)
- People Controls (8 controls)
- Physical Controls (14 controls)
- Technological Controls (34 controls)
There are 11 brand new controls introduced as follows:
| Control Identifier | Control Name |
| 5.7 | Threat Intelligence |
| 5.23 | Information Security for use of cloud services |
| 5.30 | ICT readiness for Business Continuity |
| 7.4 | Physical Security Monitoring |
| 8.9 | Configuration Management |
| 8.10 | Information Deletion |
| 8.11 | Data Masking |
| 8.12 | Data Leakage Prevention |
| 8.16 | Monitoring Activities |
| 8.23 | Web Filtering |
| 8.28 | Secure Coding |
The introduction of the new controls recognises the growing importance of cloud service provision to organisations and the importance of robust data protection.
An interesting and useful inclusion in the 3rd edition of ISO/IEC27002 is the inclusion of “Attributes”. These include:
| Control Type | Information Security Properties | Cybersecurity concepts | Operational Capabilities | Security Domains |
| #Preventive
#Detective #Corrective |
#Confidentiality
#Integrity #Availablity |
#Identify
#Protect #Detect #Respond #Recover |
#Governance
#Asset Management #Information Protection #Human Resource Security #Physical Security #System & Network Security #Application Security #Secure Configuration #Identity & Access Management #Threat & Vulnerability Management #Continuity #Supplier Relationships Security #Legal and Compliance #Information Security Event Management #Information Security Assurance |
#Governance & Ecosystem
#Protection #Defence & Resilience |
The inclusion of attributes introduces the opportunity to include reference to these in Statements of Applicability and introduces the ability to filter on the most appropriate and relevant controls when undertaking risk treatment activities.
Why are the changes needed?
International Standards typically enter revision periods every 5 years after release. This ensures that they are reviewed and revised by an international panel of industry experts and standards writers, thus ensuring they remain relevant and up to date with changes in the external environment.
In the case of information security standards, it is vital that they maintain pace and are modernized in line with changes to technology and the ever evolving threat landscape.
The need for simplification of the controls has been recognized and implemented following feedback regarding the sheer number of controls in the second edition and the need for a less complex structure when implementing and maintaining the controls.
The changes are designed to allow for versatility in approach, helping organisations and industry bodies select and apply the controls in their own context.
What do I need to do?
Firstly, there is no need to panic. Take time to read ISO/IEC27002, focusing on the 11 new controls and the 58 updated ones.
Once you are confident that you understand the controls and their intent, take some time to review your ISMS risk assessment and compare your existing controls to those contained in the 3rd edition of ISO/IEC27002. This may mean that you need to undertake additional risk treatment actions or revisit existing policies and operational controls to ensure they remain relevant.
Review and update your Statement of Applicability to align the controls to your ISMS. Consider inclusion of the attributes to allow for filtering and possible consolidation of controls.
Take the opportunity to communicate all these changes to the organisation to maintain awareness and promote the use of the new controls and changes that have been made to the ISMS.
Will this affect my certification?
Not immediately. There will be a transition period, (normally at least 2 to 3 years) for the changes to be considered, implemented and externally assessed. Speak to your certification body assessor at their next planned visit to map out a sensible timeline to transition which works for both parties and your own certification lifecycle.
The controls themselves are not to be considered mandatory but supplement the requirements in ISO27001 clause 6.1.3 [c] which refers to Annex A of the standard which contains the controls.
As already mentioned, Annex A in ISO27001 will, in time be revised to remain aligned with ISO/IEC27002, however for the time being you will still need to demonstrate that you have considered and referenced the controls contained in Annex A of ISO27001 when undertaking ISMS risk treatment activities to verify that none have been omitted.
What else will be impacted by the revision of ISO 27002?
Other support standards in the ISO 27000 family will also be impacted by the revision of ISO 27002 and include:
- ISO 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services; Currently this standard provides cloud-based guidance on the ISO 27002:2013 controls and introduces new CLD controls. For cloud services providers it extends 33 of the ISO 27002 controls and introduces 5 new CLD controls, for the Cloud Services Provider it extends 31 of the ISO 27002 controls and introduces 7 new CLD controls.
- ISO 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; Currently this standard provides additional implementation guidance over and above ISO 27002 for Public Cloud PII protection for a number of controls (16) and introduces 13 new Security controls and 12 new privacy controls.
- ISO 27701 – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Currently this standard provides privacy information management guidance on the ISO 27002:2013 controls and introduces new PIM controls. For PII Controllers it extends 37 of the ISO 27002 controls and introduces 31 new PIM controls, for the PII Processors it extends 37 of the ISO 27002 controls and introduces 18 new PIM controls.
Webinar series
CyberCX has hosted a webinar series that outlined the changes made to ISO/IEC 27002:2022, demonstrated how the third edition has been updated and simplified to make adoption easier. Watch the webinar recordings to learn about how these changes will affect your ISMS and how your organisation can prepare to implement them.
