Upcoming ISO 27002 Update

The increased need for information security pushes organizations to concentrate their efforts on protecting their assets by implementing the security standards provided by the ISO 27000 series.

A Quick Word On ISO 27002

At the core of the ISO 27000 series lies ISO 27001. This is a requirements specification standard for a complete and fully functional Information Security Management System (ISMS). Its goal is to enable organizations to implement the controls needed to keep security-related risks at acceptable levels.

ISO 27002 is an extension of the ISO 27000 series that serves as a “code of practice” for selecting security controls while implementing an ISMS and working towards compliance with the ISO 27001 standard.

The current version of the 27002 standard dates from 2013, but ISO has announced that a major update will be released later this year: 27002:2021, aka FDIS 27002, where FDIS stands for “Final Draft International Standard”. If you want to learn more about ISO document stages, we cover them in more detail in another article: Understanding ISO document stages.

What Will Change In ISO 27002?

Reorganization

Within the new ISO framework, we expect to see a restructuring of the current controls. The familiar 14 control chapters are going away; instead, 4 consolidated chapters will serve as the base for all framework controls. Each framework control will be classified as one of the following:

  • Organizational
  • People
  • Technological
  • Physical

Control Reduction

The original total of 115 controls from Annex A has been reduced to 93, grouped into the 4 chapters mentioned above. Some controls have been merged and many of the remaining ones have been revised, and the new standard introduces 11 brand-new controls:

  • Threat intelligence
  • Information security for use of cloud services
  • Information and communication technology (ICT) readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

There is also one that will go away:

  • Removal of assets

Control Attributes

Each control will carry 5 attributes that make it possible to build alternate, filtered views of the control set, regardless of the medium used to manage it (a database, a spreadsheet or an application). These attributes are defined as:

  • Control Type (preventive, detective, corrective)
  • Information Security Properties (confidentiality, integrity, availability)
  • NIST Cyber Security Concept (identify, protect, detect, respond, recover)
  • Operational Capabilities (for example governance, asset management, physical security; 15 in total)
  • Security Domains (governance and ecosystem, protection, defense, and/or resilience)

Will My ISMS Need To Be Updated?

Immediate changes will not be necessary. Since ISO 27002 is merely a code of practice, it is not certifiable (that’s where ISO 27001 comes in). Organizations will have to wait for ISO 27001 to be updated accordingly, which we expect to happen soon after.

When that happens, organizations will still be able to (re)certify their ISMS against the 2013 version for a prolonged period, as ISO will provide a grace period for adapting to the new standard. However, companies should look ahead, as they will need to update their ISMS before the next certification cycle.
