Get a quote
Home Resources Blog February 2022

What are the Changes to the Information Security Standard, ISO 27001?

25 February 2022
The 2013 version of the Information Security Management Standard ISO 27001 is finally undergoing an overhaul and ISO 27002 has been introduced. The ISO/IEC JTC 1/SC 27/WG 1 committee have reviewed the standard and this blog outlines those changes below.

ISO/IEC 27002 was published in February 2022

  • Contain 93 controls in 4 domains:

    • Organization (37), People (8), Physical (14), Technological (34)

  • Twelve new controls - Introduced in new version

  • Sixteen controls - Deleted due to duplication or better alignment under other controls

  • A few controls - Modified and integrated to become one main control

ISO/IEC 27001 scheduled for publication in April-June 2022

  • Annex A references to the controls in ISO/IEC 27002:2022

  • The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control

  • The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity

ISO/IEC 27001 full revision of 27001 (4th Ed) will start later this year with an anticipated publication in 2025.

IAF ISMS Working Group drafted a mandatory document on the certification transition. Currently, it's not clear exactly when it will be released, but as written it specifies a 2-year transition from the publication date of ISO 27001.

What has Changed in ISO 27002?

The main difference between the Draft International Standard (DIS) and the 2013 version is the structure of the control set.

While majority of the ISO 27002 controls remains unchanged, the controls have been regrouped from 14 categories to 4 broad categories that include:

  • Organizational

  • People

  • Physical

  • Technology

The number of controls based on the DIS:

  • Reduced from 114 to 93

  • Introduction of 12 new controls

  • Deletion of 3 existing controls

  • Consolidation of 48 controls into the current 19 controls.

Twelve New Controls Introduced

Annex

5.7 >> Threat intelligence
5.16 >> Identity management
5.23 >> Information security for use of cloud services
5.30 >> ICT readiness for business continuity
7.4 >> Physical security monitoring
8.1 >> User endpoint devices
8.9 >> Configuration management
8.10 >> Information deletion
8.11 >> Data masking
8.12 >> Data leakage prevention
8.22 >> Web filtering
8.28 >> Secure coding

Bid farewell to some existing controls as they are consolidated into other controls:

  • Review of the policies for information security,

  • Mobile device policy,

  • Ownership of assets,

  • Handling of assets,

  • Password management system,

  • Delivery and loading areas,

  • Removal of assets,

  • Unattended user equipment,

  • Protection of log information,

  • Restrictions on software installation,

  • Electronic messaging,

  • Securing application services on public networks,

  • Protecting application services transactions,

  • System acceptance testing,

  • Reporting information security weakness, and

  • Technical compliance review

Clauses & Categorizations

The categorization of controls given in Clauses 5 to 8 are referred to as themes.

Controls are categorized as:

  1. People controls (Clause 6) - if they concern individual people;

  2. Physical controls (Clause 7) - if they concern physical objects;

  3. Technological controls (Clause 8) - if they concern technology;

  4. Organizational controls (Clause 5) - otherwise they are categorized as organizational.

There are two informative annexes:

  • Annex A – Using attributes
    • Annex A explains how an organization can use attributes (see 4.2) to create its own views based on the control attributes defined in this document or of its own creation.
  • Annex B – Correspondence with ISO/IEC 27002:2013
    • Annex B shows the correspondence between the controls in this edition of ISO/IEC 27002 and the previous 2013 edition.

Attributes

The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes.

Each control will be assigned hashtags that align with 5 control attributes.

I.    Control types

  • View from the perspective of when and how the control impacts the risk outcome with regard to the occurrence of an information security incident.

  • Attribute values consist of

    • #Preventive (the control acts before a threat occurs),

    •  #Detective (the control acts when a threat occurs) and

    • #Corrective (the control acts after a threat occurs).

II.    Information security properties

  • View from the perspective of which characteristic of information the control will contribute to preserve.

  • Attribute values consist of :

    • #Confidentiality

    • #Integrity

    • #Availability

III.    Cybersecurity concepts

  • View from the perspective of the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27101.

  • Attribute values consist of:

    • #Identify

    • #Protect

    • #Detect

    • #Respond

    • #Recover

IV.    Operational capabilities

  • View from the practitioner’s perspective of information security capabilities.

  • Attribute values consist of

    • #Governance,

    • #Asset_management,

    • #Information_protection,

    • #Human_resource_security,

    • #Physical_security,

    • #System_and_network_security,

    • #Application_security,

    • #Secure_configuration,

    • #Identity_and_access_management,

    • #Threat_and_vulnerability_management,

    • #Continuity,

    • #Supplier_relationships_security,

    • #Legal_and_compliance,

    • #Information_security_event_management and Information_security_assurance

V.    Security domains

  • View controls from the perspective of information security fields, expertise, services and products.

  • Attribute values consist of

    • #Governance_and_Ecosystem,

    • #Protection,

    • #Defence and

    • #Resilience

Benefits to the new version

  • The new controls align well with new risks. Well implemented, the controls will better protect your business from harm.

  • Alignment with the NIST cybersecurity Framework and its “5 functions” (Identify, Protect, Detect, Respond, and Recover) should benefit many. With an increasing number of companies subject to FedRAMP, CMMC, NIST 800-171, and the Presidential Executive Order, this will simplify maintaining an environment aligned with both ISO 27001 and NIST guidance.

  • The hashtags within ISO 27002 provide an additional taxonomy that can make security documentation much easier to work with.


Author - Lynette Rowe, NQA Business Unit Manager