The new ISO/IEC 27002:2022 – new structure for information security

The ISO standardization body has taken its time in publishing the new version of ISO/IEC 27002. As a rule, ISO standards have a cycle of five years; here it is nine years. ISO/IEC 27002:2022 replaces ISO/IEC 27002:2013 and brings with it a number of changes. Just looking at the title “Information security, cybersecurity and privacy protection – Information security controls” shows that the new version takes a broader view of information security (Cybersecurity) and also focuses on data protection (Privacy Protection). For comparison, the title of ISO/IEC 27002:2013: “Information technology – Security techniques – Code of practice for information security controls”.

Basically, the international standard ISO/IEC 27002 is an important part of the 27000 series of standards. It defines general measures (controls) for greater information security and specifies the requirements for the measures listed in Annex A of ISO/IEC 27001. It contains further information on the implementation of the controls listed there.

However, ISO/IEC 27002 is not mandatory for companies and cannot be certified. However, it often serves as a guideline when setting up information security management systems (ISMS). Since the structure of ISO/IEC 27002:2022 differs greatly from the old version, it is to be expected that the ISO/IEC 27001 standard relevant to the establishment of an ISMS and other ISO 27000 standards will be adapted accordingly in the coming months.

The most striking change is the completely new structure of the measures (controls), which differs fundamentally from the previous version. Instead of 114 measures in 14 areas, there are now only 93 measures in ISO 27002:2022. These are divided into the following four topic categories (number of measures in parentheses):

1. Organizational measures (37)
2. Personal measures (8)
3. Physical measures (14)
4. Technical measures (34)

Of the previous measures, only one measure was dropped (A.11.2.5 Removing values/assets). Other measures were combined into topics with similar content for a better overview. A total of 11 new measures were added. These include controls such as threat intelligence, information security in cloud services, physical access monitoring, and configuration management.

Each individual control contains further information such as a description, a proposal for implementation and, more recently, the purpose of the measure (avoids discussions with the auditor) and, above all, a table with additional attributes. The latter are intended to provide more clarity and offer another option for sorting or filtering the measures. The table contains the following attributes for each measure:

• Control type: This attribute shows the mode of action of the corresponding measures when a security incident occurs. The attribute values are Preventive (Control acts before an incident occurs), Detective (Control acts when an incident occurs) and Corrective (Control acts after incident occurs).
• Information security property: The properties of information security describe the classic protection goals of confidentiality, integrity and availability.
• Cybersecurity concepts: The Cybersecurity Concepts attribute considers the timing of actions based on the cybersecurity frameworks described in ISO/IEC 27110. The possible attribute values are Identify, Protect, Detect, Respond, and Recover.
• Operational capabilities: Operational capabilities include attributes such as governance, identity and access management, network security, or physical security.
• Security Domains: The Security Domains domain includes the following four attribute values for measures: Governance and Ecosystem (includes risk management and external service provider security, among others), Protection (includes physical security, identity and access management, or IT security administration, among others), Defense (incident management), and Resilience (business continuity).

As already mentioned, ISO/IEC 27002 specifies the requirements for the measures listed in Annex A of ISO/IEC 27001 for higher information security. It is therefore often additionally used as a kind of guide when setting up an ISMS. But with the publication of the new ISO/IEC 27002:2022, there is no reason for companies that have already implemented and certified an ISMS to rush or panic. This is because the current ISO/IEC 27001:2013 continues to form the standard for certification. In the catalog of measures in Annex A, it refers to the previous version of ISO 27002:2013.

However, it is expected that the ISO body will adapt ISO/IEC 27001, and in particular the controls in Annex A, to the new structure of ISO/IEC 27002 this year in order to synchronize the standards. After that, as usual, there will be a transition period of up to two years from the month of publication. Companies that have already implemented an ISMS according to the current ISO/IEC 27001 therefore still have some time to implement it. However, it would be best for them to start looking at the new ISO/IEC 27002:2022 measures structure now and analyze the possible need for changes to their existing ISMS. Then they will be well prepared and can provide the necessary resources for adapting the ISMS in good time.

If you have any questions regarding information security, the introduction or implementation of ISO 27001 or data protection, please do not hesitate to contact your team at aigner business solutions GmbH. Simply use our contact form. You can also reach us by phone at our head office in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch office in Munich on +49 (0) 89 413 2943 – 0.