ISO 27002: A refreshing revision of the standard with a streamlined structure, new content and contemporary indexing. In the first quarter of 2022, the updated ISO/IEC 27002 was released as a forerunner of the revision of ISO/IEC 27001 expected in the fourth quarter of 2022. Read here what has changed with the new ISO 27002:2022 - and what this means for the revision of ISO 27001:2022.
ISO 27002 and ISO 27001
ISO 27002 defines a broad catalog of general security measures intended to support companies in implementing the requirements of Annex A of ISO 27001 - and it has established itself in many IT and security departments as a recognized, practical implementation guide. At the beginning of 2022, ISO 27002 was comprehensively revised and updated - an overdue step in the opinion of many experts, given the dynamic development of IT in recent years and the fact that ISO standards are reviewed for currency every five years.
For companies holding an ISO 27001 certificate - or companies that want to tackle certification in the near future - the changes are relevant in two respects: first, with regard to necessary updates to their own security measures; second, because these changes feed directly into the update of ISO 27001 expected at the end of the year and will therefore be relevant for all future certifications and recertifications. Reason enough, therefore, to take a closer look at the new ISO 27002.
Note: ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection - Information security controls. The standard is currently available only in English and can be ordered from the ISO website.
New structure and new topics
The first obvious change in ISO 27002:2022 is the updated and significantly streamlined structure of the standard: instead of the previous 114 security measures (controls) in 14 sections, the reference set of the updated ISO 27002 now comprises 93 controls, grouped into four themes:
- 37 security measures in the "Organizational controls" section
- 8 security measures in the area of "People controls"
- 14 security measures in the area of "Physical controls"
- 34 security measures in the area of "Technological controls"
Despite the reduced number of controls, only one control, "Removal of assets", was actually deleted. The streamlining comes from merging existing controls: 24 of the new controls were formed by combining previous ones so that each addresses its protection objective in a more focused manner. A further 58 controls were revised and adapted to contemporary requirements.
New security measures
Furthermore - and this is probably the most exciting part of the update - the new version of ISO 27002 adds 11 new controls. None of them will come as a surprise to security experts, but taken together they send a strong signal and help companies prepare their organizational structures and security architectures for current and future threat scenarios in good time.
The new measures are:
Threat intelligence
Capturing, consolidating and analyzing current threat intelligence enables organizations to stay current in an increasingly dynamic and evolving threat environment. In the future, evidence-based analysis of attack information will play a key role in information security to develop the best possible defense strategies.
Information security for the use of cloud services
Many organizations today rely on cloud-based services. This brings new attack vectors and a significantly larger attack surface. Companies must define appropriate protection measures for the acquisition, use, administration and termination of cloud services and make them binding in their contractual arrangements with cloud service providers.
ICT readiness for business continuity
The availability of information and communications technology (ICT) and its infrastructure is essential for ongoing business operations. Resilient organizations are built on planned business continuity objectives, from which ICT continuity requirements are derived, implemented and verified. Requirements for the timely technical recovery of ICT after a failure turn business continuity concepts into something that actually works.
Physical security monitoring
Break-ins in which sensitive data or data carriers are stolen or compromised represent a significant risk for companies. Technical controls and monitoring systems have proven effective in deterring potential intruders or detecting an intrusion immediately. They are now standard components of holistic security concepts for detecting and deterring unauthorized physical access.
Configuration management
Incorrectly configured systems can be abused by attackers to gain access to critical resources. Previously underrepresented as a subset of change management, systematic configuration management is now a security measure in its own right. It requires organizations to define, document, implement and monitor the proper configuration of hardware, software, services and networks, and to harden their systems appropriately.
Information deletion
Since the General Data Protection Regulation came into force, organizations have had to operate appropriate mechanisms to delete personal data on request and to ensure that it is not retained for longer than necessary. ISO 27002 extends this requirement to all information: sensitive information should not be kept longer than necessary, to avoid the risk of unwanted disclosure.
Data masking
The goal of this security measure is to protect sensitive data or data elements (e.g., personal data) through masking, pseudonymization, or anonymization. The framework for the appropriate implementation of these technical measures is provided by legal, statutory, regulatory and contractual requirements.
Data leakage prevention
Preventive security measures are required to mitigate the risk of unauthorized disclosure and extraction of sensitive data from systems, networks and other devices. The potential channels for uncontrolled leakage of this identified and classified information (e.g. email, file transfers, mobile devices and portable storage devices) should be monitored and, where necessary, backed by active technical prevention measures (e.g. email quarantine).
Monitoring activities
Systems for detecting anomalies in networks, systems and applications are now part of the standard repertoire of IT departments. Likewise, the requirement to use attack detection systems has found its way into current legal and regulatory requirements. Continuous monitoring, with automatic collection and evaluation of suitable parameters and characteristics from ongoing IT operations, is a must for proactive cyber defense and will continue to drive technology in this area.
Web filtering
Many untrusted websites infect visitors with malware or harvest their personal data. Advanced URL filtering can automatically block potentially dangerous websites to protect end users. Security measures and solutions that protect against malicious content on external websites are essential in a globally connected business world.
Secure coding
Vulnerabilities in in-house developed code or in open source components are a dangerous point of attack, allowing cybercriminals to gain access to critical data and systems with little effort. Up-to-date software development guidelines, automated test procedures, release procedures for code changes and knowledge management for developers, together with well thought-out patch and update strategies, significantly raise the level of protection.
Attributes and attribute values
Another innovation, introduced for the first time in ISO 27002:2022 to help security managers navigate the broad mix of measures: in Annex A of the standard, five attributes with associated attribute values are assigned to each control.
The attributes and attribute values are:
Control type
- Control type views controls from the perspective of when and how a control changes the risk related to the occurrence of an information security incident.
- #Preventive #Detective #Corrective
Information security properties
- Information security properties view controls from the perspective of which protection goal the control is intended to support.
- #Confidentiality #Integrity #Availability
Cybersecurity concepts
- Cybersecurity concepts view controls from the perspective of their mapping to the cybersecurity framework described in ISO/IEC TS 27110.
- #Identify #Protect #Detect #Respond #Recover
Operational capabilities
- Operational capabilities view controls from the perspective of their operational information security capabilities and support a practitioner's view of the controls.
- #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance
Security domains
- Security domains view controls within the perspective of four information security domains.
- #Governance_and_Ecosystem #Protection #Defence #Resilience
The attribute values, written as hashtags, are intended to make it easier for security managers to find their way through the broad catalog of measures and to search and evaluate it in a targeted manner - for example, to list every detective control, or every control that supports the Respond concept.
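How the five attributes are used in practice is easiest to see with a small catalog query. The following Python is an added example by the editor, not material from the standard or from DQS. It encodes six of the eleven new controls with their attribute values as the editor reads them in Annex A of ISO/IEC 27002:2022 (verify them against your own copy of the standard before relying on them), and then answers the kind of question the hashtags are meant for: which controls match a combination of attribute values, and which attribute values are not covered at all by the selected set.

```python
"""Filter and evaluate ISO/IEC 27002:2022 controls by their attribute values.

Editor's example; not part of the standard or of DQS material. The attribute
values below are the editor's reading of Annex A for six of the eleven new
controls and are to be verified against the purchased standard.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

CYBERSECURITY_CONCEPTS = ("Identify", "Protect", "Detect", "Respond", "Recover")
CIA = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    control_type: FrozenSet[str]   # Preventive / Detective / Corrective
    properties: FrozenSet[str]     # Confidentiality / Integrity / Availability
    concepts: FrozenSet[str]       # ISO/IEC TS 27110 concepts
    capabilities: FrozenSet[str]   # operational capabilities
    domains: FrozenSet[str]        # security domains


def _c(ident, title, ctype, props, concepts, caps, domains) -> Control:
    return Control(ident, title, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


# Constructed subset of the catalog: six of the eleven new controls.
CATALOG: List[Control] = [
    _c("5.7", "Threat intelligence",
       ("Preventive", "Detective", "Corrective"), CIA,
       ("Identify", "Detect", "Respond"),
       ("Threat_and_vulnerability_management",), ("Defence", "Resilience")),
    _c("5.30", "ICT readiness for business continuity",
       ("Corrective",), ("Availability",), ("Respond",),
       ("Continuity",), ("Resilience",)),
    _c("8.9", "Configuration management",
       ("Preventive",), CIA, ("Protect",),
       ("Secure_configuration",), ("Protection",)),
    _c("8.16", "Monitoring activities",
       ("Detective", "Corrective"), CIA, ("Detect", "Respond"),
       ("Information_security_event_management",), ("Defence",)),
    _c("8.23", "Web filtering",
       ("Preventive",), CIA, ("Protect",),
       ("System_and_network_security",), ("Protection",)),
    _c("8.28", "Secure coding",
       ("Preventive",), CIA, ("Protect",),
       ("Application_security", "System_and_network_security"), ("Protection",)),
]


def find(catalog: Iterable[Control], **required: Iterable[str]) -> List[str]:
    """Identifiers of controls whose attributes contain *all* of the given values.

    Keyword names are Control field names, e.g.
    find(CATALOG, concepts=["Detect"], control_type=["Corrective"]).
    """
    return [ctl.ident for ctl in catalog
            if all(set(values) <= getattr(ctl, attr)
                   for attr, values in required.items())]


def coverage(catalog: Iterable[Control], attr: str,
             universe: Iterable[str]) -> Dict[str, int]:
    """How many controls carry each value of one attribute, zeros included."""
    counts: Counter = Counter()
    for ctl in catalog:
        counts.update(getattr(ctl, attr))   # each value in the set counts once
    return {value: counts.get(value, 0) for value in universe}


def uncovered(catalog: Iterable[Control], attr: str,
              universe: Iterable[str]) -> List[str]:
    """Attribute values no selected control supports: a gap to examine in the SoA."""
    return [v for v, n in coverage(catalog, attr, universe).items() if n == 0]


if __name__ == "__main__":
    print("Detect and Corrective:",
          find(CATALOG, concepts=["Detect"], control_type=["Corrective"]))
    print("Coverage by concept:",
          coverage(CATALOG, "concepts", CYBERSECURITY_CONCEPTS))
    print("No control for:", uncovered(CATALOG, "concepts", CYBERSECURITY_CONCEPTS))
```

Run against this subset, the gap check reports that none of the six controls carries #Recover; extended to the full 93 controls and to the Statement of Applicability of an ISMS, the same query shows whether a selected control set leaves any concept, property or security domain unsupported, which is exactly the targeted evaluation the attributes were introduced for.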
Changes in ISO 27002: A conclusion
The new edition of ISO 27002 gives information security managers a precise preview of the changes that will become the certification benchmark with the new edition of ISO 27001. At the same time, the innovations remain manageable: the restructured catalog of measures makes the standard more transparent and is undoubtedly a step in the right direction, given the increasing complexity and decreasing transparency of security architectures. The newly added measures will come as no surprise to experienced security experts, but they modernize the dated standard considerably.
What the update means for your certification
ISO/IEC 27001:2022 was published on October 25, 2022. This results in the following deadlines and timeframes for the transition:
Last date for initial/re-certification audits according to the "old" ISO 27001:2013
- After April 30, 2024, DQS will conduct initial and recertification audits only according to the new standard ISO/IEC 27001:2022
Transition of all existing certificates according to the "old" ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022
- There is a 3-year transition period starting from October 31, 2022
- Certificates issued according to ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 remain valid until October 31, 2025 at the latest; any certificate not transitioned by then must be withdrawn on that date.
DQS: Simply leveraging Quality
Our certification audits provide you with clarity. The holistic, neutral view from the outside on people, processes, systems and results shows how effective your management system is, how it is implemented and mastered. It is important to us that you perceive our audit not as a test, but as an enrichment for your management system.
Our claim always begins where audit checklists end. We specifically ask "why", because we want to understand the motives that led you to choose a certain way of implementation. We focus on potential for improvement and encourage a change of perspective. In this way, you can identify options for action with which you can continuously improve your management system.
André Säckel
Product manager at DQS for information security management. As a standards expert for information security and the IT security catalog (critical infrastructures), André Säckel is responsible for, among others, the following standards and industry-specific standards: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization (DIN).