Blog The ISO27002 Update and What this Means for ISO27001 Certification

The title

The first thing to note is the change of title; “Information technology – Security techniques – Code of practice for information security controls” has now become “Information security, cybersecurity and privacy protection — Information security controls”. This seemingly subtle change of wording reflects an increased emphasis on information security, cybersecurity and privacy being a combined discipline and makes us wonder how this may affect the future structure of some other standards in these areas. The fact that the document is no longer a code of practice shows a trend by ISO towards using terms such as “reference” and “guidance” to refer to standards that are not requirements.

Document structure

The introduction and the first clause (Scope), whilst reasonable enough, don’t present anything not seen in the previous version of the standard, so we’ll move swiftly on. Strangely, in Clause 2 (Normative references) whereas the previous version simply referred the reader to the ISO27000 vocabulary document, the new one doesn’t do this, instead (in Clause 3 – Terms, definitions and abbreviated terms) listing definitions of thirty-eight terms used (quoting their source as being ISO27000), followed by a glossary of forty-five abbreviations. Presumably there must be some ISO logic to this approach which they will explain in the fullness of time.

In Clause 4 (Structure of this document) the clauses used are then set out:

Clause 5 – Organizational controls

Clause 6 – People controls

Clause 7 – Physical controls

Clause 8 – Technological controls

Annex A – Using attributes

Annex B – Correspondence with ISO27002:2013

Clause 4 also describes the new system of themes and attributes, which is worth a minute to fully appreciate its intention.

Themes and attributes

The themes are pretty straightforward and are simply groupings of controls into those associated with:

1. People (8 controls)
2. Physical (14 controls)
3. Technological (34 controls)
4. Organizational (37 controls)

And you will recognise these as being clauses 5 to 8 above.

The idea of attributes however, is a whole different ball game, and takes a bit of explaining. The first thing to say is that attributes are optional and you can choose to completely ignore them, even (as far as we know) for ISO27001 certification. Secondly, if you do decide to use attributes, you don’t have to use the ones given in the ISO27002 standard; you can make up your own. What ISO is trying provide is a tool for further classifying the controls in a way that is useful and meaningful for the organization.

As a starter set, ISO27002 suggests the following attributes:

1. Control type
2. Information security properties
3. Cybersecurity concepts
4. Operational capabilities
5. Security domains

Let’s take the first of these as an example. Each of the 93 controls in ISO27002 has been labelled according to whether it is Preventive, Detective or Corrective. So if your organization realises it has a lack of capability in finding out that it’s been hacked (as in “they were in our network for 12 months before we found out”), you can filter the ISO27002 controls by the Detective attribute value and identify which of them might help you in this area. It’s a similar idea with the Cybersecurity concepts attribute which labels the controls according to their position in the framework sequence of Identify, Protect, Detect, Respond and Recover.

Pick your own attributes

Annex A of ISO27002 goes into more detail about attributes and clarifies that you’re probably going to need a spreadsheet or database to use them effectively. It also gives a tantalizing clue (we believe – it’s not overly clear) as to one of the potential uses of your own attributes, which is to label the controls according to the risks that they are intended to treat. So if risk 16 in your risk assessment is treated by four controls, label each of them with a #16 tag. Controls can treat multiple risks and thus have multiple tags so a particular control could be labelled with #12, #34 and #52 as well as #16.

That’s the principle anyway; whether it takes off remains to be seen.

The controls

And so we come to the actual controls themselves. There are now fewer of them; 93 compared with 114 in the previous standard but even so there are some new ones:

• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding

The above list of eleven controls is taken from Table B.2 in the standard where they are stated as “new” but in reality few organizations will regard the full list as additional things to be done; activities such as web filtering for example are pretty widespread as a default anyway and surely secure coding was covered to a great extent under 14.2.1 secure development policy in the old version? Maybe it’s just me.

If there are twenty-one fewer controls in the 2022 version then surely some controls have disappeared, right? Well, no. The mapping from the old controls to the new makes it clear that everything that was in the old version is also in the new one. There has just been a lot of merging.

And in case you were wondering, the quaint old term “teleworking” from the 2013 standard has now been replaced by “remote working” although teleworking still gets a mention in the guidance. You can’t keep an old term down.

What about ISO27001?

ISO27002 is of course guidance, so what about the requirements standard ISO27001 which relies heavily on ISO27002 for the controls at Annex A? Everyone agrees that this will be updated but clear guidance on when is in short supply. 2022 seems to be favourite, but a look at the published work programme of the ISO committee responsible doesn’t currently seem to suggest that. When it does come, we suspect changes to the management system requirements are likely to be limited and of course Annex A will be replaced. The transition period is likely to be 2 or 3 years so if you’re currently implementing the 2013 version of ISO27001 (i.e. the current one) there seems to be little pressing need to stop.

Our overall verdict

So what do we think of the 2022 version of ISO27002 so far? Firstly, it’s good that it’s been updated at all – nine years is a long time to wait. And we can have confidence that the ISO development process has ensured that lots of clever and experienced information security people have had input to it. The most striking change, apart from the change in the number of controls, is the addition of the attributes idea and that certainly has some potential, especially if a dose of imagination is applied. We can’t pretend that we’ve read every control in detail so some judgement has to be reserved. Overall, it has to be said that anything that raises the profile of, and confidence in, the ISO27000 family of standards is a good thing, given the dire state of cybercrime worldwide.

Well done ISO, now onto ISO27001!

More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources