How to Get Your ISO/IEC 27001:2022 Game On – Here’s Everything You Need to Know

Ethan Altmann
July 19, 2022

Have you ever watched Jeopardy? Chances are that you have seen the age-old game show at least once or twice. With over 8000 episodes and countless accolades, it would be hard to have not seen it, if you’re from the USA (which, I am not, so in truth, Mastermind is more my thing… but let’s stick with Jeopardy here – I’m taking this somewhere, I promise). So you know the premise; the ever-intellectual Mayim Bialik supplies her contestants with confounding answers to questions and expects contestants to deliver the correct question.

Here is a typical example, just to make sure we’re all on the same page:

Answer: A small decapod crustacean often featured in traditional Louisiana cooking.

Question: What is a crayfish?

Here’s another example:

Answer: In 2012, this one-hit wonder had the world singing in Korean.

Question: Who is Psy?

Ready for another? Fab.

Answer: Released ahead of its correlating and auditable counterpart, this framework enables companies to get ready for the upcoming ISO/IEC 27001:2022.

Question: What is the already released ISO/IEC 27002:2022?

Didn’t see that one coming, did you? Well, here is the thing: the release of ISO/IEC 27002:2022 is a bit like Jeopardy – it’s an answer to a question (or a whole lot of questions!) that has yet to be asked. But how important is this new framework? And what do you need to be aware of?

In this post, I’ll break it all down so you’ll walk away with everything you need to know.

The Connection to ISO/IEC 27001

In order to gauge the significance of the release of ISO/IEC 27002:2022, you'll first need to understand its relationship with ISO/IEC 27001. The latter is a standard against which an organization is audited and certified; the former is not. So, how are they connected?

ISO/IEC 27001 can be divided into two distinct sections – Chapters 4 through 10 are considered to be the “ISMS” section, focusing on matters such as sufficient managerial investment in the information security management system (ISMS), both in terms of allocation of financial resources, and active involvement (through performing management reviews). Other elements of this section focus on performing a risk assessment and defining an information security policy, with key performance indicators (KPIs) for measuring success.

The second component of ISO/IEC 27001 is titled “Annex A” and is composed of 114 “controls”, covering an array of topics in information security, the majority of which are technical (such as operations security and communications security). These 114 controls are each given a title, and then a brief description as to what exactly the organization must do in order to satisfy the control. Each control forms a crucial part of ISO/IEC 27001, and as such, the unsatisfactory implementation of a control (without a justification of non-applicability) can constitute a major non-conformity. Therefore, ISO/IEC developed a secondary document, aimed at providing greater detail per control, as well as clear implementation guidance. And this is where ISO/IEC 27002 enters the picture.

Differences Between ISO/IEC 27001 and ISO/IEC 27002

It is important to note the intricacies of the linguistic differences between the two documents: ISO/IEC 27001 uses the word “shall” in all controls, meaning that the implementing organization must adhere to precisely what is written. ISO/IEC 27002, on the other hand, uses the word “should”, meaning that what is written is advice: it describes the most common implementation guidance for any given control, but that implementation methodology is not mandatory and is not the only way of satisfying the control.

You should also be aware that ISO/IEC 27002 offers further detail and implementation guidance only for the controls of “Annex A”, and not for the requirements outlined in chapters 4-10, the “ISMS” section of ISO/IEC 27001.


So now that we understand (hopefully!!) the differences between the two documents, let’s dive into what’s changed between ISO/IEC 27002:2013 and ISO/IEC 27002:2022, the update.

Firstly, and perhaps most obviously, the structure is significantly different; beforehand, the 114 controls were broken down into 14 domains, spanning different, highly specific topics within information security. Now, the 93 controls (yes we’ll get to that, hold your horses) are broken down into 4 domains, which are much more general. They are:

  • Organizational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

Secondly, and no less strikingly, the control count is much lower, with 11 (yes ONLY 11!!) new controls. So where did 32 controls disappear to (because ya know, 114+11-93=32)? Nowhere! The previous version of the standard had significant overlap between many controls, which have now been merged together. And what are these 11 new controls?

  1. Threat intelligence, requiring organizations to stay on top of the most up-to-date threats and analyze them, so as to ensure proactivity rather than reactivity.
  2. Information security for use of cloud services, requiring organizations to ensure that cloud service usage aligns with organizational information security policies, and that these policies are reflective of cloud service usage. Organizations for which this new control is applicable are likely to wish to adopt ISO/IEC 27017 too.
  3. ICT readiness for business continuity, requiring organizations to ensure that business continuity plans and business impact analysis (BIA) include a close focus on ICT systems (as more organizations move towards cloud computing).
  4. Physical security monitoring, requiring organizations to continuously monitor access to their premises using tools such as CCTV, motion detectors, etc.
  5. Configuration management, requiring organizations to enforce defined configurations, using a form of centralized management.
  6. Information deletion, requiring organizations to delete data that is no longer needed, as is best practice in privacy-related frameworks.
  7. Data masking, requiring organizations to perform data anonymization where required by relevant regulations and legislation (once more, a best practice in privacy-related frameworks).
  8. Data leakage prevention, requiring organizations to install a DLP solution on any systems or networks that store or process sensitive data. This will minimize the chances of an intentional or unintentional data breach.
  9. Monitoring activities, requiring organizations to actively monitor for anomalies, such as by configuring alerts that trigger on specified log events.
  10. Web filtering, requiring organizations to manage employee internet access, to minimize the chances of exposure to malicious content (such as viruses, or phishing content).
  11. Secure coding, requiring organizations to establish a minimum baseline for coding practices, so as to ensure that code meets a defined security standard, including code from third-party libraries.

These new controls are a “sign of the times”, indicative of the industry-wide shift towards modern, cloud computing infrastructures, as well as a significant increase in ISO/IEC 27001 adoption by SaaS companies, and predominantly technological companies in general.

Thirdly, and either most or least significantly (depending on how you look at it), is the introduction of an entirely new element to ISO/IEC 27002 - namely the control attribute table. This table introduces #hashtagging to the standard, allowing organizations to filter the standard by specific properties (Confidentiality, Integrity, and Availability, or C, I, A), control types (e.g. preventive) and concepts (e.g. identify). This allows organizations adopting the standard to take a more holistic approach towards continuous management of the controls, shifting from using the standard purely for annual auditing and certification towards using it for posture monitoring, similar to how mature organizations use the NIST CSF and the CIS Critical Security Controls.

Eagle-eyed readers (you, perhaps?) may have noticed that all of the above is related to ISO/IEC 27002:2022, and at present, audits are conducted against ISO/IEC 27001:2013, so why does all this matter? Well, ISO/IEC 27001:2022 is scheduled for release in Q4 of this year, and now we know exactly what to expect. The new ISO/IEC 27001 standard against which organizations will be audited (likely starting Q3-4 2023 for organizations that wish to transition early) will be composed of an ISMS section that is almost entirely unchanged, and an Annex A that is a more concise (table-ized, if that’s a word, which it’s probably not) version of ISO/IEC 27002:2022.

Conclusion

You can think of the new ISO/IEC 27002:2022 as a great way to get ahead of the game: to prepare for the next generation of ISO/IEC 27001 audits, to improve information security posture and maturity, and, most importantly, to get ready for your next Jeopardy audition.

Ethan Altmann
Compliance Product Owner - Chief framework cross-referencer, Control-understander, Evidence-mapper