Changes With ISO/IEC 27002:2022 Version

The adoption rate of the ISO/IEC 27001 Information Security Management System standard has increased rapidly in recent years. Several factors have driven this: governments recognising the importance of information security and cyber security, the publication of personal data protection regulations (GDPR and others), and the attacks organisations face.

Although the number of organisations implementing ISO 27001 is increasing, the ISO 27002 standard behind it is not widely known. ISO/IEC 27001 specifies the mandatory requirements of the management system, whereas ISO/IEC 27002 is an advisory guidance standard: it explains how to implement the controls listed in Annex A of ISO 27001, but it is not itself subject to certification audit.

ISO/IEC 27001: Specifies the management system requirements for information security management.
ISO/IEC 27002: Describes the information security controls and good implementation practice for them.

Although there is no absolute rule, ISO standards are generally reviewed on a 5-year cycle. At the end of this period the standard enters systematic review, which decides whether it is confirmed as it stands, revised, or withdrawn. The ISO/IEC 27002 standard, last published in 2013, was revised and published as ISO/IEC 27002:2022 on February 15, 2022.

Updating ISO/IEC 27002 in turn creates a need to update the standards that depend on it: ISO/IEC 27017, 27018, 27701 and, above all, ISO/IEC 27001 itself, whose Annex A mirrors the 27002 control set. The ISO/IEC 27001 standard is also expected to be updated in 2022 Q4.

What changes have occurred in ISO 27002:2022 Version?

The changes in the standard can be considered under two headings: structural changes and changes in content.

Structural Changes

Change in the title of the standard:
The first noticeable change is the title of the standard. The 2013 version was titled “Information technology – Security techniques – Code of practice for information security controls”; the 2022 version is titled “Information security, cybersecurity and privacy protection – Information security controls”.

The addition of “cybersecurity” to the title signals the substantial change in content described below.

Change in the number of controls:
The 2013 version contained 114 controls under 14 domains (clauses 5 to 18); the 2022 version contains a total of 93 controls grouped under 4 themes. In the 2022 version the controls are grouped as Organisational (clause 5), People (clause 6), Physical (clause 7) and Technological (clause 8).

Cyber Security Approach:
ISO/IEC 27002:2013 approached the subject purely from an information security perspective, while the 2022 version explicitly addresses cyber security as well. ISO/IEC 27002:2022 maps every control to the cyber security framework functions Identify, Protect, Detect, Respond and Recover, the same five functions used by the NIST Cybersecurity Framework. This is likely to have a visible effect on Information Security Management Systems already in place: the “information security” framing of the previous version left some flexibility in how controls were interpreted, whereas the “cyber security” framing, with each control tagged to a function, draws more specific boundaries around what each control is expected to achieve.

Attribute Table:
New in the 2022 version is an attribute table for each control, assigning it a value (written as a hashtag) for each of 5 attributes. The attributes make it possible to filter and sort the controls from different viewpoints:

  • Control type: A view of the controls from the perspective of when and how the control changes the risk in relation to the occurrence of an information security incident. Values: #Preventive, #Detective, #Corrective.
  • Information security properties: A view of the controls from the perspective of which characteristic of information the control helps to preserve. Values: #Confidentiality, #Integrity, #Availability.
  • Cybersecurity concepts: A view of the controls mapped to the cyber security framework functions defined in ISO/IEC TS 27110. Values: #Identify, #Protect, #Detect, #Respond, #Recover.
  • Operational capabilities: A view of the controls from the practitioner’s perspective of information security capabilities. This attribute has the largest set of values (15), such as #Governance, #Asset_management, #Identity_and_access_management and #Threat_and_vulnerability_management.
  • Security domains: A view of the controls from the perspective of four information security domains. Values: #Governance_and_Ecosystem, #Protection, #Defence, #Resilience.

Control Layout:
Each control is presented under the following headings:

  • Control title: Short name of the control
  • Attribute table: The table with the control’s values for the five attributes above
  • Control: The control statement, i.e. what the control is
  • Purpose: Why the control should be implemented
  • Guidance: How the control should be implemented
  • Other information: Explanatory text or references to other relevant documents

Changes in Controls

New Controls:
ISO/IEC 27002:2022 introduces 11 new controls:

  • 5.7 Threat intelligence
  • 5.23 Information security for the use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Renamed Controls:
In the 2022 version, 23 controls were renamed. For example:

  • Control 12.7.1 Information systems audit controls became 8.34 Protection of information systems during audit testing.
  • Control 15.1.3 Information and communication technology supply chain became 5.21 Managing information security in the ICT supply chain.

Removed Controls:
Although the reduced number of controls suggests that controls were removed, no controls were removed in the 2022 version; some controls were merged. In the new version, 54 controls were combined into 24 controls. For example:

  • Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
  • Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.

Split Controls:
Only one control was split: 18.2.3 Technical compliance review became 5.36 Compliance with policies, rules and standards for information security and 8.8 Management of technical vulnerabilities.

The remaining 35 controls are unchanged in content; only their control numbers changed.
