ISO 27002:2022 update: What changed? Will it affect my ISO 27001:2013 certification?
ISO standards generally go through a review cycle every five to seven years. In March 2018 this process started for ISO 27002:2013, and after a draft was released in January 2021, ISO published the new ISO 27002:2022 just last month, on February 15th.
There are many improvements in the 2022 version of the ISO 27002 standard. Whether your organisation is looking to implement ISO 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements), or you want to understand how ISO 27002:2022 affects your processes and your management system's current certification to ISO 27001:2013, this article guides you through the main changes and questions.
In summary, ISO 27002:2022 Information security, cybersecurity and privacy protection – Information security controls is a reference and guidance document that aims to support organisations in determining and implementing controls for information security risk treatment in an information security management system based on ISO 27001:2013 Information technology – Security techniques – Information security management systems – Requirements.
ISO 27001:2013 vs ISO 27002 (2013 and 2022)
ISO 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within your business.
ISO 27002:2013 and its newest version, ISO 27002:2022, are international standards used as a guide for selecting and implementing the information security controls listed in Annex A of ISO 27001:2013.
Unlike ISO 27001:2013, your organisation cannot become certified to ISO 27002, as this is a guidance document, so it’s considered a supporting standard.
What’s new in ISO 27002:2022?
The first noticeable change is that the term “code of practice” was dropped from the title of the ISO 27002:2022 Standard, which is now titled Information security, cybersecurity and privacy protection — Information security controls. This better reflects its purpose as a reference for determining and implementing information security controls.
Although some controls have been merged or removed, resulting in 21 fewer controls, the ISO 27002:2022 document is actually longer than its previous edition, as it goes into more detail and explores comparisons with the older version.
Keep reading to find out what changed in more detail:
Number of controls
There are now a total of 93 controls as opposed to the previous 114. They comprise:
New organisation into categories
The controls are now organised into 4 categories (from Clauses 5 to 8 of the standard), instead of the 14 domains from the 2013 version:
To make it easier to filter and organise the controls that are relevant to your organisation, each control is now associated with attributes.
Attributes can be used to filter, sort or present controls in different views for different audiences. The attributes are divided into five categories, each with corresponding attribute values (preceded by # to enable search capability in tools such as spreadsheets or databases).
These attributes were selected because they are considered generic enough to be used across different industries and types of organisations. An organisation can choose to disregard one or more of the given attributes and can also create its own for a customised view.
The updated ISO 27002:2022 Standard also contains:
Will the changes to the ISO 27002 Standard affect my ISO 27001:2013 certification?
It is expected that an updated version of ISO 27001:2013 will be published in 2022. However, it is predicted to only include changes in Annex A (the part of the document that is referenced in ISO 27002:2022) while the main part of ISO 27001 (clauses 4 to 10) will remain the same.
Once the updated version of ISO 27001:2013 is published, a certified organisation must update its Statement of Applicability (SoA). The SoA is a document that shows how you have chosen to implement information security controls (referenced from Annex A) and shows the links between your information security risk assessment and treatment work. It includes a justification for the inclusion or exclusion of each control. Hence, organisations looking to update to ISO 27002:2022 must review the existing controls listed in their SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.
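As an added example (not code from the original article or from the standard), the following Python sketch shows how the #-prefixed attribute values described above can drive filtered views of a Statement of Applicability, and how a simple check can flag SoA entries that lack the required justification. The control numbers and names follow the 2022 numbering, but the attribute tags, applicability decisions and risk references are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str
    name: str
    tags: frozenset      # ISO 27002:2022 attribute values, '#'-prefixed
    applicable: bool
    justification: str = ""


def parse_tags(cell: str) -> frozenset:
    """Parse a spreadsheet cell such as '#Preventive #Detect' into a set of tags."""
    return frozenset(t for t in cell.split() if t.startswith("#"))


# Constructed sample SoA: tagging, applicability and risk ids are hypothetical,
# not the standard's own attribute table.
SOA = [
    Control("5.1", "Policies for information security",
            parse_tags("#Preventive #Confidentiality #Integrity #Availability #Identify #Governance"),
            True, "Mandatory for the ISMS"),
    Control("5.7", "Threat intelligence",
            parse_tags("#Preventive #Detective #Corrective #Identify #Detect #Respond"),
            True, "Feeds the risk assessment"),
    Control("7.1", "Physical security perimeters",
            parse_tags("#Preventive #Protect #Physical_security"),
            False, "Fully cloud-hosted; no premises in scope"),
    Control("8.8", "Management of technical vulnerabilities",
            parse_tags("#Preventive #Identify #Protect"), True, "Addresses risk R-12"),
    Control("8.16", "Monitoring activities",
            parse_tags("#Detective #Corrective #Detect #Respond"), True, "Addresses risk R-07"),
    Control("8.28", "Secure coding",
            parse_tags("#Preventive #Protect #Application_security"), False, ""),  # no justification
]

CYBERSECURITY_CONCEPTS = {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"}


def filter_by_tag(controls, tag):
    """Ids of controls carrying the given attribute value, e.g. every #Detective control."""
    return [c.control_id for c in controls if tag in c.tags]


def view_by_concept(controls):
    """Count applicable controls per cybersecurity-concept value (a view for a SOC audience)."""
    counts = Counter()
    for c in controls:
        if c.applicable:
            counts.update(c.tags & CYBERSECURITY_CONCEPTS)
    return dict(counts)


def soa_gaps(controls):
    """Ids of controls whose inclusion or exclusion lacks the justification the SoA must record."""
    return [c.control_id for c in controls if not c.justification.strip()]
```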
How long do I have to update to ISO 27002:2022?
Once a new standard is released, there is typically a three-year transition period for certified organisations to update their management system. As ISO 27002:2022 is considered a supporting standard, this transition deadline will only take effect when the updated version of the ISO 27001:2013 standard is published.
For now, there’s no need to rush a revision based on the ISO 27002:2022 update, but if you can work with the new controls sooner rather than later, you’ll reduce the compliance burden and enjoy the benefits of implementing controls that should make your Information Security Management System easier to manage. Furthermore, this is an excellent opportunity to update your organisation’s controls to reflect the current state and demands for business Information Security.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.