With the publication of the new ISO/IEC 27002:2022 in February 2022, ISO kicked off the long-awaited update cycle of the information security standards in the ISO 27000 family. In this article we look at the consequences for the global community of security professionals who try to keep their environments as secure as possible.
But the story is more complicated than just updating a series of global information security standards. Since the previous generation was published in 2013, the world of information security has changed drastically, with far greater pressure on cybersecurity and cloud security.
And that is before mentioning the new world of data protection and privacy: the GDPR has not only raised data protection expectations in Europe, many other regions have adopted similar data protection rules.
In this new era there is no privacy or data protection without cybersecurity, and a well-built information (cyber) security management system, in whatever format, is an absolute requirement to protect yourself, your organization and your peers. It is no longer only about your own protection.
To understand the impact of the ISO/IEC 27002 update, allow me to take a step back first.
ISO/IEC 27001 as the reference standard for many security approaches
First of all, it must be said that ISO/IEC 27001 (the Information Security Management System, or ISMS, requirements standard) in its 2013 edition is the current master standard. It received two minor technical corrigenda in 2014 and 2015, consolidated in a 2017 edition, but these were cosmetic, non-essential updates.
Compared with the state of technology almost ten years later, it was quite obvious that the 2013 edition needed a revamp.
An ISO standard is normally reviewed every five years, so from that perspective too the update was long overdue, which drew a lot of criticism from the field.
On the other hand, the topics, sections, controls and measures in the current standard still form a robust and valid general approach, which can be complemented with more detailed technical frameworks (NIST, CIS Controls, COBIT, CSA, etc.) and best practices to meet current state-of-the-art security requirements.
The standard has been built from various global security practices. And it still is the common ground that glues them together.
The goal of this standard is to support effective security, not to serve as a compliance checklist, as many think.
Keep in mind that ISO/IEC 27001 is also the global reference standard for many derived frameworks. Some are more lightweight, others focus on specific sectors or target specific kinds of organizations, for instance small and medium-sized enterprises or businesses (SME/SMB).
The ISO 27000 pack of standards
For a long time, ISO/IEC 27001 has been the main auditable and certifiable standard for information security.
ISO/IEC 27701 was added in 2019 (quite recent in ISO terms) to extend the enterprise security approach with data protection and privacy. In fact, ISO/IEC 27701 ties together the privacy framework of ISO/IEC 29100, the GDPR (mapped in its Annex D) and the ISMS approach.
These certification standards are complemented by a collection of essential guidelines, codes of practice and metrics for the activities you need to implement to make the management system work: risk management, incident management, business continuity, auditing, assessments, building and protecting evidence, measurements, application development and more.
Many are derived from other main ISO standards, such as ISO 31000, ISO 22301, ISO/IEC 29100 and ISO/IEC 20000, and many of them refer to ISO/IEC 27002.
It is quite clear that the latest update of ISO/IEC 27002 will have a major impact on these other guidelines: first ISO/IEC 27001, with many more to follow.
What is the connection between ISO/IEC 27001 and ISO/IEC 27002?
You might think that question is rhetorical, or you may find the connection obvious, but it is not.
Many think that ISO/IEC 27001 is the main standard and that ISO/IEC 27002 merely provides additional, in-depth guidance on the ISO/IEC 27001 Annex, but that is not accurate.
In fact, the first thing stated in ISO/IEC 27001 Annex A (normative) is: “The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2013, Clauses 5 to 18 and are to be used in context with Clause 6.1.3.”
This means that ISO/IEC 27002 is the code of practice that serves as the main guide for the controls listed in ISO/IEC 27001 Annex A; put differently, Annex A is a condensed list of the ISO/IEC 27002 controls. Consequently, when the Annex A controls must be updated, the ISO/IEC 27002 update has to come first.
The most prominent changes in the new ISO/IEC 27002?
There have been many posts, articles and webinars on the ISO/IEC 27002 update, so I do not wish to over-elaborate. But the best news is: Annex B of ISO/IEC 27002:2022 contains a correspondence table that maps the 2013 controls to the 2022 controls, and a second table for the other direction.
For clarity let me quickly point out the main differences.
New organization of the security controls
In essence, the most important update is a complete reorganization of the main control categories. A brief overview: ISO/IEC 27002:2013 contains 14 security control clauses and 35 control objectives (subcategories) with 114 controls. The 2022 version contains 4 themes with 93 controls. Essentially, the 2013 version organizes the controls by operational function, whereas the 2022 version groups them by the kind of control, along the lines of people, process and technology (PPT).
To be specific, the four themes are: Organizational, People, Physical and Technological controls.
New controls in ISO/IEC 27002:2022
Eleven controls are new in the 2022 version: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding. The remaining controls are either carried over with updated guidance or merged with similar 2013 controls.
New approach to control classification
So there is one less level of organization, and this simplification is not necessarily an improvement. However, ISO/IEC 27002:2022 compensates for the flatter structure by tagging every control with attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), explained in Annex A of ISO/IEC 27002:2022, which let you filter and regroup the controls as you see fit. The interesting part of this approach is that, together with the Annex B correspondence table, you can easily map your existing ISO/IEC 27001 implementation controls onto the new ISO/IEC 27002 structure.
In essence, no controls from the 2013 version are dropped outright, but duplicate or similar controls are merged and a handful of new ones added, which is how 114 controls become 93.
What about the ISO/IEC 27001?
At the time of publication of ISO/IEC 27002:2022, ISO/IEC 27001 has not changed yet, which means the current certification standard stays as it is, with the old Annex A controls, until republication. However, in early February 2022, just before the final publication of ISO/IEC 27002:2022, ISO launched a review of ISO/IEC 27001:2013 to update the standard with the new Annex derived from ISO/IEC 27002.
This review takes 12 weeks, a fixed ISO procedure, so you can expect official news sometime in May or June 2022.
A small surprise: the update will not be a new edition but an amendment, that is, a minor update rather than a complete overhaul.
Keep in mind that the main clauses of ISO/IEC 27001 are management system clauses, following the PDCA-based harmonized structure it shares with ISO 9001 (whose current edition, from 2015, remains in place unchanged). The amendment is therefore essentially a replacement of ISO/IEC 27001 Annex A with a condensed table of the ISO/IEC 27002:2022 controls discussed above.
What about your existing ISO/IEC 27001 certification?
So far, the first signals point in the same direction: there will be a shorter transition cycle for existing ISO/IEC 27001 certifications.
Instead of the typical three years, an update may be required within two years; confirm the exact transition deadline with your certification body once the amendment is published. In reality, most, if not all, mature implementations already enforce the security controls of the new version. Just double-check the controls that are new in the 2022 version.
So, in conclusion: implement the few extra security controls (which you should have already), update your Statement of Applicability, rename the controls or cross-map the existing controls to the 2022 numbering, and you are clear to proceed with an updated certificate at the next external audit, even a surveillance audit.
And the other standards?
It is not clear yet what will happen with the other standards in the ISO/IEC 27000 pack, but it is likely that they will get a similar review to align them with ISO/IEC 27002:2022.
However, as they all need to pass through the same official review procedure, it will take some time before they are all aligned.
For ISO/IEC 27701 (PIMS) this is certainly an important concern. But in the strictest sense, the ISO/IEC 27701 requirements point to the ISO/IEC 27001 clauses, and the normative Annexes (Annex A for PII controllers and Annex B for PII processors) do not reference ISO/IEC 27002. Hence, once ISO/IEC 27001 is officially updated, rechecking ISO/IEC 27701 against it should be fairly straightforward; only the guidance in ISO/IEC 27701 clause 6, which follows the ISO/IEC 27002:2013 control structure, will need a realignment of its own.
Besides the growing set of standards in the ISO/IEC 29100 area, with new and updated guidelines for privacy and data protection management, there is a new section you should keep an eye on:
ISO/IEC TS 27100 Cybersecurity – Overview and concepts; ISO/IEC TR 27103:2018 Cybersecurity and ISO and IEC Standards; and ISO/IEC TS 27110:2021 Cybersecurity framework development guidelines.
So, besides the important updates on information security, privacy and data protection, cybersecurity will also get the changes it needs.
PECB makes staying up-to-date with such updates simple, with easy-to-follow training courses on ISO/IEC 27001, ISO/IEC 27002, GDPR, and much more.