ISO standards generally go through a review cycle every five to seven years. In March 2018, this process started for the ISO 27002: 2013 standard, and after the draft was published in January 2021, the ISO organization published the new ISO 27002: 2022 standard on February 15, 2022.
There are many improvements in the 2022 version of the ISO 27002 standard. Whether your organization is looking to implement ISO 27001: 2013 Information Technology – Security Techniques – Information Security Management Systems – Requirements, or you want to understand the impact of ISO 27002: 2022 on your processes and on your current ISO 27001: 2013 certification, this article will guide you through the main changes and questions.
In summary, ISO 27002: 2022 Information Security, Cyber Security and Privacy – Information Security Controls is a reference document that aims to support organizations in establishing and implementing controls to treat information security risk within an information security management system based on ISO 27001: 2013 Information technology – Security techniques – Information security management systems – Requirements.
ISO 27001: 2013 vs. the 2013 and 2022 versions of ISO 27002
ISO 27001: 2013 provides the requirements for the creation, implementation, maintenance and continuous improvement of the Information Security Management System (ISMS) in your business.
ISO 27002, in both its 2013 version and its latest version (ISO 27002: 2022), is an international standard used as a guide for the selection and implementation of the information security controls listed in Annex A of ISO 27001: 2013.
Unlike ISO 27001: 2013, your organization cannot receive ISO 27002 certification, as this is a guidance document, so it is considered a support standard.
What is new in ISO 27002: 2022?
The first significant change is that the term “code of practice” has been removed from the title of ISO 27002: 2022, which is now referred to as information security, cyber security and privacy protection – information security controls. This reflects its purpose as a reference for better identification and implementation of information security controls.
The ISO 27002: 2022 document is actually longer than the previous version because it goes into more detail and includes a comparison with the older version.
Continue reading to find out what has changed in more detail:
Number of controls
There are now a total of 93 controls, compared with the previous 114 controls. They include:
11 new controls that bring the standard in line with current information security and cyber security practice:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
The updated ISO 27002: 2022 also includes:
Appendix A – A table showing the use of attributes as a way to create different views of the controls.
Appendix B – A table showing the correspondence with the ISO / IEC 27002: 2013 controls, i.e. how the controls in this new version relate to the previous version. It also shows where the new controls have been added.
How soon should I update to ISO 27002: 2022?
When a new standard is issued, there is usually a three-year transition period for certified organizations to upgrade their management system. As ISO 27002: 2022 is a supporting standard, this transition deadline will only take effect when an updated version of ISO 27001: 2013 is released.
At this time there is no need to rush a review based on the ISO 27002: 2022 update; but if you can adopt the new controls sooner, you will reduce the later compliance burden and benefit earlier from the controls you will need to implement anyway, which makes managing your information security management system easier. In addition, it is a good opportunity to update your organization’s controls to reflect the current state of business information security requirements.