ISO 27001 and 27002 Changes in 2022

March 15, 2022

ISO 27002 Changes in 2022

ISO 27002:2022 is divided into four chapters. This is in sharp contrast to ISO 27002:2013, which comprises fourteen chapters.

  1. Organizational controls (chapter 5)
  2. People controls (chapter 6)
  3. Physical controls (chapter 7)
  4. Technological controls (chapter 8)

ISO 27002 Revision - what has changed

The security controls contained in Annex A have been updated (the number of controls decreased from 114 to 93).

Controls are now grouped in 4 main domains (instead of the previous 14) and are tagged for easier reference and use.

11 new controls have been introduced. None of the controls was deleted, but many controls were merged together, thereby reducing the overall number.

The addition of new controls, and the updating and merging of existing ones, reflects current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding, and Data Loss Protection (DLP).

ISO 27001 amendment - what will change

An amendment to ISO 27001, the main standard against which companies are certified and which stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022.

Adoption timeline for 27002 changes

Despite the changes set out within the ISO 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as is the norm with any ISO standard. This period will only start after ISO 27001 is officially updated and published.

27002 Control Structure Change Summary

  • 35 controls remained the same, with a change in control number and realignment to the 4 sections;
  • 11 new controls were added;
  • 23 controls have been renamed to make them easier to understand;
  • Even though the number of controls has been reduced (from 114 to 93), no controls are excluded;
  • 57 controls have been merged into 24 controls;
  • Only one control was split: Control 18.2.3 Technical Compliance Review was split into 5.3.6 – Compliance with policies, rules and standards for information security; and 8.8 – Management of technical vulnerabilities.

How will 2022 Updates Impact My Current Certification?

ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications, and the accreditation bodies will work with the certification bodies on a transition cycle that gives organisations holding an ISO 27001 certificate ample time to transition from one version to the other.

Not all of the nearly 100 example control measures detailed in ISO 27002 are relevant for every organisation, but when they are, they must be in place in order for your organisation to comply with ISO 27001.

When will InfoSecAssure Assessments include 27002:2022?

InfoSecAssure will be updating the platform to include a full 27002 assessment when the revised 27001 standard is released in late 2022.

Secure your business.

"assurance"

confidence or certainty in one's own abilities.

“The business has given us assurance that they have security in place to protect our information”

Our Difference

Established and led by industry experts.

At the helm of our privately owned, global RegTech firm are industry experts who understand that security controls should never get in the way of business growth. We empower companies large and small to remain resilient against potential threats with easily accessible software solutions for implementing information security governance, risk or compliance measures.

We support businesses every step of the way.

We don't just throw a bunch of standards at you and let you try to figure it out! We have designed a thoughtful way of supporting all businesses to consider, articulate and develop security controls that suit the needs of the organisation, and we provide clever reporting capability that allows insights and outcomes from security assessments to be leveraged by the business and shared with third parties.

Our customers are the heart of our company.

Our platform places customers at the heart of our design process, while providing access to expert knowledge. With simple navigation and tangible results, we guarantee that all data is securely encrypted at-rest and in transit with no exceptions – meeting international standards with annual security penetration testing and ISO 27001 Certification.