ISO 27001 Update: 2022. Here’s Everything You Need to Know

Have you ever watched Jeopardy? Chances are that you have seen the age-old game show at least once or twice. With over 8000 episodes and countless accolades, it would have been hard to miss it, especially if you’re from the USA (which, I am not, so in truth, Mastermind is more my thing… but let’s stick with Jeopardy here – we’ll get to the ISO 27001 update, I promise). So you know the premise; the ever-intellectual Mayim Bialik supplies her contestants with confounding answers to questions and expects contestants to deliver the correct question.

Here is a typical example, just to make sure we’re all on the same page:

Answer: A small decapod crustacean often featured in traditional Louisiana cooking.

Question: What is a crayfish?

Here’s another example:

Answer: In 2012, this one-hit wonder had the world singing in Korean.

Question: Who is Psy?

Ready for another? Fab.

Answer: Released ahead of its correlating and auditable counterpart, this framework enables companies to get ready for the upcoming ISO/IEC 27001:2022.

Question: What is the already released ISO/IEC 27002:2022?

Didn’t see that one coming, did you? Well here is the thing; the release of ISO/IEC 27002:2022 is a bit like Jeopardy – it’s an answer to a question (or a whole lot of questions!) that has yet to be asked. But how important is this new framework? And what do you need to be aware of?

In this post, I’ll break it all down so you’ll walk away with everything you need to know.

The ISO/IEC 27002:2022 Connection to The ISO 27001 Update 

In order to gauge the significance of the release of ISO/IEC 27002:2022, you'll first need to understand its relationship with ISO/IEC 27001. The latter is a standard against which an organization undergoes an audit, and is certified for - the former, is not. So, how are they connected?

ISO/IEC 27001 can be divided into two distinct sections – Chapters 4 through 10 are considered to be the “ISMS” section, focusing on matters such as sufficient managerial investment in the information security management system (ISMS), both in terms of allocation of financial resources, and active involvement (through performing management reviews). Other elements of this section focus on performing a risk assessment and defining an information security policy, with key performance indicators (KPIs) for measuring success.

The second component of ISO/IEC 27001 is titled “Annex A” and is composed of 114 “controls”, covering an array of topics in information security, the majority of which are technical (such as operations security and communications security). These 114 controls are each given a title, and then a brief description as to what exactly the organization must do in order to satisfy the control. Each control forms a crucial part of ISO/IEC 27001, and as such, the unsatisfactory implementation of a control (without a justification of non-applicability) can constitute a major non-conformity. Therefore, ISO/IEC developed a secondary document, aimed at providing greater detail per control, as well as clear implementation guidance. And this is where ISO/IEC 27002 enters the picture.

ISO/IEC 27001 vs 27002 

It is important to note the intricacies of the linguistic differences between the two documents: ISO/IEC 27001 uses the word “shall” in all controls, meaning that the implementing organization must adhere to precisely what is written. ISO/IEC 27002 controls, on the other hand, use the word “should”, meaning that what is written is advice, indicating the most common implementation guidance for any given control. However, the implementation methodology is not required and is not the only way of satisfying the control.

You should also be aware of the other difference between ISO/IEC 270001 and 27002;ISO/IEC 27002 offers further detail and implementation guidance only for the controls of “Annex A”, and not for the requirements outlined in chapters 4-10, the “ISMS” section of ISO/IEC 27001.

‍

The ISO 27001 Update Changes

So now that we understand (hopefully!!) the differences between the two documents, let’s dive into what’s changed between ISO/IEC 27002:2013 and ISO/IEC 27002:2022.

Firstly, and perhaps most obviously, the structure is significantly different; beforehand, the 114 controls were broken down into 14 domains, spanning different, highly specific topics within information security. Now, the 93 controls (yes we’ll get to that, hold your horses) are broken down into 4 domains, which are much more general. They are:

• Organizational (37 controls)
• People (8 controls)
• Physical (14 controls)
• Technological (34 controls)

Secondly, and no less strikingly, the control count is much lower, with 11 (yes ONLY 11!!) new controls. So where did 32 controls disappear to (because ya know, 114+11-93=32)? Nowhere! The previous version of the standard had significant overlap between many controls, which have now been merged together. 

 The 11 New ISO/IEC 27002 Security Controls

1. Threat intelligence, requiring organizations to stay on top of the most up-to-date threats, and analyze them, as to ensure pro-activity as opposed to reactivity.
2. Information security for use of cloud services, requiring organizations to ensure cloud Compliance - that cloud service usage aligns with organizational information security policies, and that these policies are reflective of cloud service usage. Organizations for which this new control is applicable are likely to wish to adopt ISO/IEC 27017 too.
3. ICT readiness for business continuity, requiring organizations to ensure that business continuity plans and business impact analysis (BIA) include a close focus on ICT systems (as more organizations move towards cloud computing).
4. Physical security monitoring, requiring organizations to continuously monitor access to their premises using tools such as CCTV, motion detectors etc.
5. Configuration management, requiring organizations to enforce defined configurations, using a form of centralized management.
6. Information deletion, requiring organizations to delete data that is no longer needed, as is best practice in privacy-related frameworks.
7. Data masking, requiring organizations to perform data anonymization where required by relevant regulations and legislations (once more, a best practice in privacy-related frameworks).
8. Data leakage prevention, requiring organizations to install a DLP solution on any systems or networks that store or process sensitive data. This will minimize the chances of an intentional or unintentional data breach.
9. Monitoring activities, requiring organizations to actively monitor for anomalies, such as by configuring alerts to be triggered by the collection of specified logs.
10. Web filtering, requiring organizations to manage employee internet access, to minimize the chances of exposure to malicious content (such as viruses, or phishing content).
11. Secure coding, requiring organizations to establish a minimum baseline for coding practices, as to ensure that code meets a defined security standard, including code from third-party libraries.

The new controls outlined above are a “sign of the times,” indicative of the industry-wide shift towards modern, cloud computing infrastructures, as well as a significant increase in ISO/IEC 27001 adoption by SaaS companies, and predominantly technological companies in general.

The Control Attribute Table

Thirdly, and either most or least significantly (depending on how you look at it), is the introduction of an entirely new element to ISO/IEC 27002 - namely the control attribute table. This table introduces #hashtagging to the standard, allowing organizations to filter the standard by specific properties (Confidentiality, Integrity, or Availability or C,I,A), controls types (e.g. preventative) and concepts (e.g. identify). This will allow organizations adopting the standard to take a more holistic approach towards continuous management of the controls. This will enable a shift from using the standard purely for annual auditing and certification, towards using it for posture monitoring, similar to how mature organizations use the NIST CSF and the CIS Critical Security Controls.

Eagle-eyed readers (you, perhaps?) may have noticed that all of the above is related to ISO/IEC 27002:2022, and at present, audits are conducted against ISO/IEC 27001:2013, so why does all this matter? Well, ISO/IEC 27001:2022 is scheduled for release in Q4 of this year, and now we know exactly what to expect. The new ISO 27001 standard against which organizations will be audited (likely starting Q3-4 2023 for organizations that wish to transition early) will be composed of an ISMS section that is almost entirely unchanged, and an Annex A that is a more concise (table-ized, if that’s a word, which it’s probably not) version of ISO/IEC 27002:2022.

To Conclude the ISO 27001 Update 

You can think of the ISO 27001 update and the new ISO/IEC 27002:2022 as a great way to get one step ahead, to prepare for the next generation of ISO/IEC 27001 audits; to improve information security posture and maturity and most importantly, to get ready for your next Jeopardy audition.

But, in case you’re not much of a Jeopardy player and you’re still mulling over the changes to ISO 27001 (or worse! Scratching your head wondering what is ISO/IEC 27002 altogether!?) anecdotes can help it make sense for your business. Pioneers in the field of Compliance automation solutions, we use data-driven, evidence-based automation to help you get through everything from the day-to-day of Compliance to navigating the big audits, sans the stress.  So if you ISO Help:2023, click here.