In mid-Feb 2022 ISO published a long-awaited update to the ISO/IEC 27002 standard which details all of the controls they recommend to keep an organization (more) secure. Let’s be clear, this is not the ISO27001 requirements standard that you become certified to, but its slightly older and much longer brother (now 76 pages!) on which Annex A of the ISO27001 requirements standard is based. In this article we’ll look at what’s happened in the ISO27002 update and what this might mean for you if you’re certified, or planning to certify, to ISO27001.
Having purchased a draft of the document early last year, we invested one hundred and ninety-eight hard-earned Swiss Francs to buy the finished article from the ISO website as soon as it came out. An initial read suggests that, if there are any changes since the draft, they are too slight for us to notice.
Opening the PDF in anticipation, the Foreword gives a high-level overview of what has changed:
So let’s look at each of these in turn to explain the ISO27002 update in more detail…
The first thing to note is the change of title; “Information technology – Security techniques – Code of practice for information security controls” has now become “Information security, cybersecurity and privacy protection — Information security controls”. This seemingly subtle change of wording reflects an increased emphasis on information security, cybersecurity and privacy being a combined discipline and makes us wonder how this may affect the future structure of some other standards in these areas. The fact that the document is no longer a code of practice shows a trend by ISO towards using terms such as “reference” and “guidance” to refer to standards that are not requirements.
The introduction and the first clause (Scope), whilst reasonable enough, don’t present anything not seen in the previous version of the standard, so we’ll move swiftly on. Clause 2 (Normative references) is a curious change: where the previous version simply referred the reader to the ISO27000 vocabulary document, the new one doesn’t do this. Instead, Clause 3 (Terms, definitions and abbreviated terms) lists definitions of thirty-eight terms used (quoting ISO27000 as their source), followed by a glossary of forty-five abbreviations. Presumably there is some ISO logic to this approach which they will explain in the fullness of time.
In Clause 4 (Structure of this document) the clauses used are then set out:
Clause 5 – Organizational controls
Clause 6 – People controls
Clause 7 – Physical controls
Clause 8 – Technological controls
Annex A – Using attributes
Annex B – Correspondence with ISO27002:2013
Clause 4 also describes the new system of themes and attributes, which is worth a minute to appreciate fully.
The themes are pretty straightforward and are simply groupings of controls into those associated with:
And you will recognise these as being clauses 5 to 8 above.
The idea of attributes, however, is a whole different ball game and takes a bit of explaining. The first thing to say is that attributes are optional and you can choose to ignore them completely, even (as far as we know) for ISO27001 certification. Secondly, if you do decide to use attributes, you don’t have to use the ones given in the ISO27002 standard; you can make up your own. What ISO is trying to provide is a tool for further classifying the controls in a way that is useful and meaningful for the organization.
As a starter set, ISO27002 suggests the following attributes:
Let’s take the first of these as an example. Each of the 93 controls in ISO27002 has been labelled according to whether it is Preventive, Detective or Corrective. So if your organization realises it has a lack of capability in finding out that it’s been hacked (as in “they were in our network for 12 months before we found out”), you can filter the ISO27002 controls by the Detective attribute value and identify which of them might help you in this area. It’s a similar idea with the Cybersecurity concepts attribute which labels the controls according to their position in the framework sequence of Identify, Protect, Detect, Respond and Recover.
Annex A of ISO27002 goes into more detail about attributes and clarifies that you’re probably going to need a spreadsheet or database to use them effectively. It also gives a tantalizing clue (we believe – it’s not overly clear) as to one of the potential uses of your own attributes, which is to label the controls according to the risks that they are intended to treat. So if risk 16 in your risk assessment is treated by four controls, label each of them with a #16 tag. Controls can treat multiple risks and thus have multiple tags so a particular control could be labelled with #12, #34 and #52 as well as #16.
That’s the principle anyway; whether it takes off remains to be seen.
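To make the attribute idea concrete, here is an added example (not from the article, and not from ISO) of a small control register in Python. Each control carries the two ISO attributes discussed above (Control type and Cybersecurity concepts) plus an organization-defined risk-tag attribute of the kind Annex A hints at, and the helpers let you filter by any attribute, list the controls treating a given risk, and report which risks have no control of a particular kind (for example, no Detective control) treating them. The six controls, their identifiers, attribute values and risk numbers are constructed for illustration and are not the standard’s actual control numbers or labels.

```python
"""Toy control register with ISO/IEC 27002:2022-style attributes.

Added example, not code from the article or from ISO. Control refs,
names, attribute values and risk IDs below are constructed assumptions,
not taken from the standard (which has 93 controls, not six).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Control:
    ref: str                      # hypothetical identifier, NOT an ISO control number
    name: str
    theme: str                    # Organizational / People / Physical / Technological
    control_type: FrozenSet[str]  # subset of {Preventive, Detective, Corrective}
    csf: FrozenSet[str]           # subset of {Identify, Protect, Detect, Respond, Recover}
    risks: FrozenSet[int]         # own attribute: IDs of risks this control treats


def _c(ref: str, name: str, theme: str, ctype: Iterable[str],
       csf: Iterable[str], risks: Iterable[int]) -> Control:
    return Control(ref, name, theme, frozenset(ctype), frozenset(csf), frozenset(risks))


# Constructed sample register; attribute values are illustrative assumptions.
REGISTER: List[Control] = [
    _c("C-01", "Secure development policy", "Organizational", {"Preventive"}, {"Protect"}, {12, 16}),
    _c("C-02", "Logging and monitoring", "Technological", {"Detective"}, {"Detect"}, {16, 34}),
    _c("C-03", "Web filtering", "Technological", {"Preventive"}, {"Protect"}, {52}),
    _c("C-04", "Incident response process", "Organizational", {"Corrective"}, {"Respond", "Recover"}, {16, 34, 52}),
    _c("C-05", "Physical entry controls", "Physical", {"Preventive"}, {"Protect"}, {7}),
    _c("C-06", "Security awareness training", "People", {"Preventive"}, {"Protect"}, {12}),
]


def filter_by(register: Iterable[Control], attribute: str, value) -> List[Control]:
    """Controls whose attribute equals value (scalar) or contains it (set-valued)."""
    out = []
    for ctl in register:
        attr = getattr(ctl, attribute)
        if value == attr or (isinstance(attr, frozenset) and value in attr):
            out.append(ctl)
    return out


def controls_for_risk(register: Iterable[Control], risk_id: int) -> List[Control]:
    """All controls tagged as treating the given risk (a control may treat many)."""
    return [ctl for ctl in register if risk_id in ctl.risks]


def risk_coverage(register: Iterable[Control]) -> Dict[int, Set[str]]:
    """Map each tagged risk ID to the refs of the controls that treat it."""
    coverage: Dict[int, Set[str]] = {}
    for ctl in register:
        for risk in ctl.risks:
            coverage.setdefault(risk, set()).add(ctl.ref)
    return coverage


def risks_lacking(register: List[Control], attribute: str, value) -> List[int]:
    """Risks that are treated, but by no control carrying attribute=value.

    risks_lacking(REGISTER, "control_type", "Detective") answers the
    "they were in our network for 12 months" question: for which risks
    would we only find out after the fact?
    """
    all_risks: Set[int] = set().union(*(ctl.risks for ctl in register))
    covered: Set[int] = set().union(*(ctl.risks for ctl in filter_by(register, attribute, value)))
    return sorted(all_risks - covered)


if __name__ == "__main__":
    print("Detective controls:", [c.ref for c in filter_by(REGISTER, "control_type", "Detective")])
    print("Controls treating risk 16:", [c.ref for c in controls_for_risk(REGISTER, 16)])
    print("Coverage by risk:", {r: sorted(refs) for r, refs in sorted(risk_coverage(REGISTER).items())})
    print("Risks with no Detective control:", risks_lacking(REGISTER, "control_type", "Detective"))
    print("Risks with no Respond control:", risks_lacking(REGISTER, "csf", "Respond"))
```

Because the risk tags are just another attribute, the same `filter_by` helper serves both ISO’s own attributes and yours; the gap report is the useful part, since it turns the attribute labels into a question about the risk assessment rather than a list of controls.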
And so we come to the actual controls themselves. There are now fewer of them: 93, compared with 114 in the previous standard. Even so, there are some new ones:
The above list of eleven controls is taken from Table B.2 in the standard, where they are stated as “new”, but in reality few organizations will regard the full list as additional things to be done: activities such as web filtering, for example, are pretty widespread as a default anyway, and surely secure coding was covered to a great extent under 14.2.1 Secure development policy in the old version? Maybe it’s just me.
If there are twenty-one fewer controls in the 2022 version then surely some controls have disappeared, right? Well, no. The mapping from the old controls to the new makes it clear that everything that was in the old version is also in the new one. There has just been a lot of merging.
And in case you were wondering, the quaint old term “teleworking” from the 2013 standard has now been replaced by “remote working” although teleworking still gets a mention in the guidance. You can’t keep an old term down.
ISO27002 is of course guidance, so what about the requirements standard ISO27001, which relies heavily on ISO27002 for the controls at Annex A? Everyone agrees that this will be updated, but clear guidance on when is in short supply. 2022 seems to be the favourite, but a look at the published work programme of the ISO committee responsible doesn’t currently seem to suggest that. When it does come, we suspect changes to the management system requirements are likely to be limited, and of course Annex A will be replaced. The transition period is likely to be 2 or 3 years, so if you’re currently implementing the 2013 version of ISO27001 (i.e. the current one) there seems to be little pressing need to stop.
So what do we think of the 2022 version of ISO27002 so far? Firstly, it’s good that it’s been updated at all – nine years is a long time to wait. And we can have confidence that the ISO development process has ensured that lots of clever and experienced information security people have had input to it. The most striking change, apart from the change in the number of controls, is the addition of the attributes idea and that certainly has some potential, especially if a dose of imagination is applied. We can’t pretend that we’ve read every control in detail so some judgement has to be reserved. Overall, it has to be said that anything that raises the profile of, and confidence in, the ISO27000 family of standards is a good thing, given the dire state of cybercrime worldwide.
Well done ISO, now onto ISO27001!
If you’re currently working towards certification, re-certifying or just considering certification to the ISO/IEC 27001 standard, we have a range of solutions to ensure you meet your compliance goals easily and efficiently.
From our award-winning toolkits to consultancy and internal auditing services, our products and services are available to streamline the process to ensure your organization achieves ISO27001 compliance.
Download our free ISO27001: 10 steps to certification guide to learn: