As ISO/IEC 27002:2022 has been published and the latest changes are reflected on Annex A in the ISO/IEC 27001:2013 version.
SMATICA.com is pleased to inform that it is now offering PECB ISO/IEC 27001 Lead Implementer and PECB ISO/IEC 27001 Lead Auditor training courses, based on the latest changes in the ISO/IEC 27002:2022 standard. For booking please visit www.smatica.com or email hello@smatica.com
ISO/IEC 27001 and ISO/IEC 27002 are primary ISO standards that aim to enhance the security of an organization’s information. ISO/IEC 27001 provides a framework to assist organizations in managing information security, while ISO/IEC 27002 provides implementation guidance for information security controls specified in ISO/IEC 27001.
The updated version of ISO/IEC 27002 has been published and the latest changes will also be reflected on Annex A in the ISO/IEC 27001:2013 version.
The following are the most common questions and answers that might help you clear the ambiguity with regards to the latest changes.
What are the improvements in ISO/IEC 27002:2022?
Number of controls
The revised version of ISO/IEC 27002 published in 2022 decreases the number of information security controls from 114 controls to 93 controls, covered in four sections:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
New controls
The ISO/IEC 27002:2022 introduced 11 new controls, as stated in the following:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Restructure of sections
The updated version of ISO/IEC 27002:2022 now has four sections and two annexes, instead of 14 sections, as in the previous version;
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
It is considered that based on the newest structure, the process of designation of responsibilities and the applicability of controls will be easier.
Merged Controls
Despite the number of controls being reduced, no controls were excluded in the latest version of the standard; however, they were merged.
Two examples of merged clauses are shown below:
Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.
How is ISO/IEC 27002:2022 impacting ISO/IEC 27001?
There will be an amendment to ISO/IEC 27001:2013 (referred to as ISO/IEC 27001:2013+A1:2022). As such, the latest changes in ISO/IEC 27002:2022 will be reflected in Annex A of ISO/IEC 27001 with a normative version of the 93 new controls.
What is the main difference between ISO/IEC 27001 and ISO/IEC 27002?
ISO/IEC 27001 provides requirements for organizations that are seeking to establish, implement, maintain, and continually improve an information security management system. As such, organizations can get certified against it.
ISO/IEC 27002 is an international standard used as a reference for selecting and implementing information security controls listed in Annex A of ISO/IEC 27001. It is used as a reference and guidance on the best practices of information security management helping organizations in selecting, implementing, and managing controls.
In this regard, the main difference is that organizations might get a certification against ISO/IEC 27001 while they cannot get a certification against ISO/IEC 27002. It serves as supporting material in implementing the requirements and controls of ISO/IEC 27001.
What are the main changes in ISO/IEC 27001?
The main ISO/IEC 27001 parts which are clauses 4 to 10 will not be changed.
In this regard, some of the main changes in ISO/IEC 27001 will include:
- The number of Annex A controls which will be shortened from 114 to 93
- Annex A will be replaced with a normative version of the 93 new controls from ISO/IEC 27002:2022
- Clause 6.1.3c, where the term “Comprehensive list of control objectives and controls” will be toned down to the more appropriate “possible information security controls”
When should we start implementing the newest changes?
The new amendment of ISO/IEC 27001 that is expected to be published this year will include only changes in Annex A while clauses 4 to 10 will remain the same. Thus, a good suggestion would be to update the current documentation with the newly updated controls, including here the current risk assessment. PECB will add the new controls of ISO/IEC 27002:2022 and link them to the existing controls. As so, you can update or even develop new policies and procedures according to the new controls. Furthermore, you could update your security metrics in order to reflect your risk assessment, as well as the changes of Annex A. Once the updated Annex A of ISO/IEC 27001 is published, you will need to update the Statement of Applicability so it can be aligned with the new list of security controls.
In this regard, PECB will update the training courses again and also offer other resources which will make the transitioning period easier.
Will the changes affect my ISO/IEC 27001 certificate(s)?
Taking into consideration that the main part of ISO/IEC 27001, which are clauses from 4 to 10, have not been changed, your personal ISO/IEC 27001 certificate(s) will continue to remain valid, and you will not need to attend any additional training. If your certificate requires maintenance, then you should maintain it by submitting CPD and AMF. Anyhow, in case you would like to attend the updated training course with the changes in Annex A, you can do that, but your certificate will not be affected.
When will PECB offer the updated ISO/IEC 27001 and ISO/IEC 27002 training courses?
Please be informed that there hasn’t been any official update of the ISO/IEC 27001:2013 standard yet. As it can be seen on ISO’s website, the existing version remains current:
PECB is waiting for an official update. Most probably, based on the information that we currently possess, there won’t be a “full” standard update. Instead, ISO will only publish an amendment to the current ISO/IEC 27001:2013 standard, which means that there won’t be a change of the standard version. We will update our eLearning course; but, the time and date when that will happen largely depends on the release of this ISO/IEC 27001 Amendment.
In addition, the current ISO/IEC 27001 Lead Auditor exam is updated based on the ISO/IEC 27002:2022, and a draft amendment of the ISO/IEC 27001 standard which is fully in line with the ISO/IEC 27002:2022, and the changes are minimal, therefore, PECB recommends the candidates prepare for your exam based on the material that is assigned to them.