ISO/IEC 27002 had not been updated since 2013, but that changed in February 2022 when the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published a revised version of the standard, ISO/IEC 27002:2022. So, what does this mean for organizations that look to the guidance standard for direction on how to configure their information security management system (ISMS) to achieve compliance?
On Episode 2 of Compliance Crosswalk, hosts Arti Lalwani and Blaise Wabo sit down with guest Steve Holladay of Arrowhead Training to discuss the updated ISO 27002 and share insights on how the recent changes will impact listeners’ organizations.
Making ISO 27002 Easier to Understand
Steve Holladay has been in the standards industry for 40 years and is a consulting professional with Arrowhead Training – a company on a mission to demystify management system accreditation requirements through standards training. His decades of experience made him the perfect guest to discuss insights on the newly revised ISO 27002.
To kick things off, the group explored the change in nomenclature from domains to themes. Through mergers and the elimination of redundancies, the new ISO 27002 reduces the 114 controls formerly categorized under 14 domains down to 93 controls, and groups them into four themes: Organizational controls, Technological controls, Physical controls, and People controls.
Worth noting: none of the previous controls were actually eliminated, only merged. In addition, 11 new controls were added. Fortunately, the standard contains two annexes that users can use to map the updated controls back to their corresponding former controls, and vice versa.
Steve believes replacing domains with themes will help business leaders better understand their ISMS and how the controls help secure information. The challenge that many of those working in non-tech companies encountered with the 27002:2013 standard was understanding the definition of the domains. After all, they were written for IT professionals rather than management.
By shifting to the concept of themes, stakeholders should better comprehend what the standard is trying to accomplish as it relates to their business or management system. Steve anticipates high acceptance of the standard as a result of this revision.
And as a bit of advice, he recommends organizations don’t attempt to jam their current ISMS into the four new theme areas. Rather, they should redesign their ISMS from the ground up around the themes. While it will take some work, it will result in a more effective system.
Designed for Present and Future Threats
Threats to information security are always evolving, and so one of the 11 new controls added to ISO 27002 centers on “threat intelligence.” It’s a significant change that is especially relevant in the post-pandemic era where online activity and the danger of cybercrime remain elevated.
According to Steve, there was previously a “one and done” mentality to risk assessment. “Once the risk assessment was done, organizations really didn’t look at it again.” The new guidance frames threats as a danger that needs to be continuously evaluated, with appropriate actions put in place to safeguard against them.
Blaise praises the updated standard for its flexibility, particularly in this environment of increased ransomware attacks and rapid cloud adoption, which makes organizations more vulnerable to cybercrime. ISO 27002 gives companies latitude to implement their own controls while meeting the objectives of the themes. “I think this is a win for the industry.”
Arti stresses that an ISMS is a management system and was never meant to be a checkbox system that is reviewed once a year. Positioning the risk assessment within an ISMS as a living document will make things easier for everyone when it comes time for the annual audit.
Time to Get Started
Considering that ISO 27002 is a guidance standard, will the certifiable ISO 27001 standard be similarly updated? Most operators in the space might assume so, but Steve shared some inside knowledge: ISO 27001 will be amended sometime between now and October.
This is good news for organizations currently in a holding pattern in anticipation of the change. Since the upcoming revision will be an amendment rather than a full rewrite, organizations can immediately start applying the 27002:2022 guidance to their ISMS to achieve compliance.
“We want to encourage clients not to wait,” says Steve. “Go ahead and start exploring the standard. You’re way ahead of the game by looking at those controls and understanding how ISO 27002:2022 will fit within your organization.”
Arti wholeheartedly agrees on getting a jump on things and recommends that those currently undergoing their ISO 27001 audit update their ISMS using the available ISO/IEC 27002:2022 guidance. This way, an updated Statement of Applicability (SoA) will reflect compliance with the new control set.
A parting message: reach out to your certification body (CB). The CB will let you know of any updates available for your current ISO 27001 certificate. Pursue an ISO 27001 certificate to ensure your ISMS conforms with the standard and to confirm your controls are robust and effective against threats, both those present and those yet to come.
Click here to watch the full video of this episode.
Click here to stream all episodes of the Compliance Crosswalk podcast.