Important Updates to ISO 27002 for 2022 (And Impacts to ISO 27001)

April 2022

Overview

Cybersecurity threats are escalating around the globe and can affect any organization. The International Organization for Standardization (ISO) developed standards to provide solutions to these types of global challenges.
 
On February 15, 2022, ISO issued an update to ISO 27002 (which impacts the Annex A of ISO 27001). The goal was to make the standards more relevant and up to date with the latest technologies and security threats. The changes will also make it easier for organizations to comply with the standard.
 
Notable changes include:
  • Name change – The standard is renamed from ISO 27002:2013 to ISO 27002:2022
  • Control changes
    • Decreased the number of information security controls in Annex A from 114 to 93
    • Introduced 11 new controls and merged controls to avoid redundancy
  • Restructured the sections – 4 main domains now (instead of the previous 14)
  • Greater attention and emphasis on cyber risks
 

What are the differences between ISO 27001 and 27002?

ISO/IEC 27001 and ISO/IEC 27002 (their formal names) are the primary ISO standards designed to enhance the security of an organization’s information.
 
  • ISO 27001 is the actual certification standard for organizations – they get certified against it. As the globally recognized standard, it provides the requirements to establish, implement, maintain, and continually improve an organization’s information security management system. The current version, ISO 27001:2013, will be renamed ISO/IEC 27001:2013+A1:2022 (the last major updates occurred in 2013, with some minor revisions in 2017).
  • ISO 27002 provides guidance to organizations on selecting, implementing and managing the information security controls listed in Annex A of ISO 27001. Organizations cannot get a certification against ISO 27002 since it is a supporting standard containing guidance – not requirements. The updated name is now ISO/IEC 27002:2022.
 

What are the new controls?

The 11 new control topics introduced are:
  1. Threat intelligence (5.7)
  2. Information security for the use of cloud services (5.23)
  3. ICT readiness for business continuity (5.30)
  4. Physical security monitoring (7.4)
  5. Configuration management (8.9)
  6. Information deletion (8.10)
  7. Data masking (8.11)
  8. Data leakage prevention (8.12)
  9. Monitoring activities (8.16)
  10. Web filtering (8.22)
  11. Secure coding (8.28)
 

What are the section changes?

ISO restructured the standard from 14 sections down to 4 sections and 2 annexes.


Sections

  1. Organizational Controls (37) – Now Domain 5
  2. People Controls (8) – Now Domain 6
  3. Physical Controls (14) – Now Domain 7
  4. Technological Controls (34) – Now Domain 8

Annexes

  1. Annex A, which includes guidance for the application of attributes, and
  2. Annex B, which corresponds with ISO/IEC 27002:2013.
 

When do the changes take place?

  • ISO 27002 was updated on February 15, 2022 (ISO 27002:2022)
  • Annex A of ISO 27001 will be aligned with these changes sometime during 2022 – although the official date has not been announced (ISO 27001:2013+A1:2022)
 

What does this mean for organizations?

Organizations already certified to ISO 27001:2013 will need to update their certification to align with the revised standard. They may also want to:
  • Purchase the new guide
  • Review and update policies, procedures, and documentation (e.g., Internal Audit Plan/Policy, Statement of Applicability, Risk Assessment, Asset Inventory, and other components)
  • Perform a gap analysis
  • Inform their certification body on the planned timing to certify to the new standard
 

When must organizations comply/adopt?

Certified organizations will have a transition period to update their certification (once the official update to ISO 27001 is published). The transition period will be defined by your Certification Body.
 
Organizations without a certification should certify to the new 2022 standard.
 

What are the benefits of ISO 27001 certification?

  • Improved security – By identifying and addressing information security risks, organizations are better positioned to protect their data and reduce the risk of a data breach.
  • Address global customer requirements – Having ISO 27001 certification can help an organization meet the security compliance requirements of global customers.
  • Competitive advantage – By demonstrating that your organization meets the highest standards for information security, you can increase trust and transparency with your customers.
  • Mitigate risks – Certification can help mitigate the risk of cyberattacks and data breaches which may cause organizations to lose customers, incur regulatory fines, and suffer damage to their brand and reputation.
 

What are the potential impacts of cybersecurity threats?

Cyberattacks and data breaches may cause organizations to lose customers, incur regulatory fines, and suffer damage to their brand and reputation. That is why cybersecurity is critical for all organizations.
 

How can BDO help?

Choosing the right service auditor is critical to an organization’s success. Our trusted and experienced team collaborates with organizations to develop a comprehensive and defensible compliance program to meet various security standards.
 
We can help existing clients during the transition and can help new clients get their certification.