The new ISO 27001: what to expect?


The lifespan of an ISO standard is 5 years. It is then evaluated whether the standard remains valid, needs revision, or should be retracted.

As you probably know the 27002:2022 was released on February 15, 2022.

What is the difference between ISO 27001 & ISO 27002?

ISO 27001 specifies the standards for implementing an Information Security Management System (ISMS), whereas ISO 27002 provides a set of security controls (or ‘measures’) that can be implemented to enhance your security.

ISO27001 uses regulations from ISO 27002) in its Annex A, however the wording is significantly different, with ‘should’ replaced by ‘shall’.

ISO 27001 is the verification standard, while ISO 27002 is “simply” a code of practice.

Important: At this stage, ISO is not expected to publish an ISO 27001:2022 in 2022. Instead, a modification will be made to the current version. Annex A will be replaced with a normative version of the 93 new controls included in ISO 27002:2022.

What’s new in ISO 27002:2022?

The 2013 edition of ISO/IEC 27002 has been replaced by the 2022 edition of the standard. The number of security controls has decreased from 114 to 93 in ISO/IEC 27002:2022.

  • A new classification of security controls into four broad categories or themes has been introduced.
  • The “code of practice” has been eliminated.
  • The standard now offers a comprehensive description of security controls with their associated properties.

The modifications made to the new version of the standard are intended to simplify the selection of security controls. However, both versions serve the same function. The intent of ISO/IEC 27002:2022 is to serve as a reference set for businesses selecting and implementing context-appropriate information security measures.

11 controls are new, 23 controls have been renamed, one control has been split into two sub-controls, 57 controls have been consolidated into 24, and 34 controls are unchanged.

The new themes are as follows:

  • 5. Organizational (37 controls)
  • 6. People (8 controls)
  • 7. Physical (14 controls)
  • 8. Technological (34 controls)

Some controls from ISO 27001:2013 appear to have been merged in ISO 27002:2022, while the following controls look new and might require some tweaking of your existing implementation – should you wish to include them in your Statement of Applicability:

Improvements in ISO 27002:2022

The 2022 edition includes fewer controls and chapters, has simplified certain areas, and has combined elements so that fewer steps are required to satisfy the standard.

To assist you in identifying relevant controls during risk mitigation, ISO 27002 controls are now marked by:

  1. Control type: preventive, detective, corrective
  2. Information security properties: confidentiality, integrity, availability (the familiar CIA triad)
  3. Cybersecurity concepts: identify, detect, protect, respond, recover (perfect for cross-referencing the NIST Cybersecurity Framework)
  4. Operational capabilities: application security, asset management, continuity, governance, human resource security, identity and access management, information protection, information security assurance, information security event management, legal and compliance, physical security, secure configuration, system and network security, supplier relationships security, threat and vulnerability management
  5. Security domains: defense, governance and ecosystem, protection and resilience

On the other hand, new focal points were established, with a greater emphasis on preventing, detecting, and responding to cyber-attacks, as well as data protection – as is already known from the NIST Cybersecurity Framework. This generally means that the effort required to implement them will increase for businesses. At the same time, it becomes more difficult to rule out controls if they are not applicable in your organization.

The upcoming changes in ISO 27001:2022

The ISO was not expected to publish ISO 27001:2022 in 2022.  It was expected that only the Annex A will be updated with the new ISO 27002. Surprisingly enough the proposed amendment was rejected last month (May 2022) leading to creation of a new version of the ISO27001 standard (DIS) .

There will undoubtedly be other changes coming up in the new version of the standard.  Stay tuned as we will update you as once the information becomes available.

How to transition to the latest version of the ISO 27001 Annex A

Organizations already certified will have a grace period of one to three years to implement the latest version of the Annex A upon its release. The period depends on your certification body and must be discussed prior to the surveillance or recertification audit.

If you are in the phase of implementing the ISMS, you should start immediately working on the following steps to ensure you are ready for the version:

1 – Risk management

Many organizations use the Annex A to approach a portion of the risk identification process. This is a good strategy for ensuring that some risks are not overlooked. With a meaningful change in the control structure and the multi-angle options provided by the classification of security measures, the first step should be to perform a new risk identification.

Your current risk treatment plan should be updated as well to reflect the new control structure and numbering. We created a model with smartcockpit that allows for a dual association of controls with versions 2013 and 2022, allowing for a smooth transition.

2 – Statement of Applicability

As expected, your statement of applicability (SoA) will need to be revamped to match the new classification of controls. It also means that some exclusions will not be applicable, and you may also need to justify new ones.

3 – Policies and procedures

Your organization’s documentation, like the SoA, will need to be reviewed to ensure that policies and procedures reflect the new numbering. It will also provide you with the opportunity to adapt and possibly reorganize your approach to documents. Modern ISMSs use agile documentation methodology to keep documents short and make it easier for employees to find information.

Because the standard change includes 12 new controls, the most challenging task is undoubtedly aligning the risk treatment and documentation. Abilene Advisors has 42 ISO 27001 ISMS in place as of today, audits over 50 of them yearly, and offers a comprehensive approach to governance and data privacy.

Author : Abilene Advisors

Source : Abilene Advisors

le clusis