The ISO 27002:2022 revision provides a reference set of information security controls, to be selected on the basis of information security risk management, and aims to improve the other standards in the 27000 family.
The ISO 27002:2022 update appears to address the needs created by the ever-growing threat environment, security vulnerabilities and the rapid growth of digital technology.
What’s new in ISO 27002:2022?
ISO 27002:2013 was divided into 14 clauses and contained 114 controls. This has been restructured: the 2022 version includes 93 controls divided into 4 sections:
5. Organizational (37 controls)
6. People (8 controls)
7. Physical (14 controls)
8. Technological (34 controls)
Answers to Your Essential Questions
1 – What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the main standard, and companies can be certified against it; companies cannot obtain certification against ISO 27002:2022, as it is only a supporting standard.
In Annex A, ISO 27001 only provides a list of security controls but does not explain how they can be implemented; ISO 27002 lists the same controls and provides guidance on how to implement them. However, the guidance in ISO 27002 is not mandatory, meaning companies can decide whether to use it.
2 – When will these changes take place?
ISO 27002 was updated on 15 February 2022 and Annex A of ISO 27001 will be brought into line with these changes.
Updates to ISO 27001 Annex A are expected in 2022; the exact date has yet to be announced.
3 – We want to start implementing ISO 27001, should we wait until the changes are published or should we start now?
If your current or potential customer is waiting for you to get certified, you should start as soon as possible; if your project can wait until the end of 2022, you can wait for the updated standard.
In other words, this decision has nothing to do with standards – it depends on how quickly you need ISO 27001 certification.
4 – If we start implementing ISO 27001 now, should we work with the new control set or the old one?
You should start with existing controls, as the changes to ISO 27001 have not yet been published.
Migration to the new revision of the standard will be a minor effort, as the changes to the controls are only moderate, and you will have plenty of time to update your documentation for the new controls.
5 – We have already implemented ISO 27001; what do we need to change in our documentation?
The changes in the standard mostly relate to the reorganization of controls, so no changes on the technology side will be needed, only changes to documentation.
Since the changes are moderate, our recommendation is that you do not add new documents or delete any existing documents.
6 – When do we need to change our documents?
The transition period for these changes has not yet been released but will likely be 24 months from the official ISO 27001:2022 update date.
Therefore, you will have plenty of time to comply.
7 – Does the certification body need to check for changes in the documents?
Yes, if your company is certified, the certification body will check whether you have adapted your documents during the transition period.
Since they will do this during regular surveillance audits, there will be no need to plan a new audit.
Impact on relevant ISO 27000 standards
There are many standards and frameworks related to or based on ISO 27002:2013. Replacing the standard with a new version will definitely affect them.
First of all, ISO 27001 is expected to receive an update shortly after ISO 27002:2022 is finalized and published. According to current understanding, the ISO 27001 update will be limited to minor text changes and a complete revision of Annex A in accordance with the ISO 27002 update.
Related standards such as ISO 27701, ISO 27017 and ISO 27018 are also expected to be updated.
While the overall structure of the standard is similar to other standards, a major change has been made in how the control sections are structured. ISO 27002:2013, which consists of 14 clauses, will be replaced by 4 clauses, as shown in the next comparison.
What should we do?
First, keep in mind that under normal circumstances the publication of a new standard is followed by a transition period. Normally the transition period will be 24 months, depending on where the certification is in the current certification cycle.
You can start preparing by purchasing the published version of ISO 27002:2022.
What can you do at this stage?
Although you are not limited to the list below, these may be the first things to do:
• Purchase the updated standard,
• Compare the new standard with the old one,
• Carry out a risk analysis and check the gap analysis,
• Select applicable controls and set your ISMS policies, standards and updates,
• Update your Statement of Applicability,
• Update your internal audit program to include the selected updated controls, etc.
Post from CFE