What is ISO 27002:2022?
ISO/IEC 27002:2022 is an update to the previously published ISO/IEC 27002:2013 standard. This information security standard reference is used to support ISO 27001. This standard is published by the International Organization for Standardization (ISO) and the International Electrical Commission (IEC). ISO 27002 is closely associated with ISO 27001 as a supporting set of controls used for ISMS and how organizations may choose to implement them.
It is important to note that ISO 27002 is not a certifiable standard by itself. It acts as a point of reference for information security, cyber security and privacy protection controls that are based on internationally recognized standards of best practices for organizations planning on ISO 27001 certification.
For a detailed comparison between ISO 27001 and ISO 27002 click here.
ISO 27002 controls can be found in Annex A of ISO/IEC 27001. This is the section most information security experts will refer to when the topic of security controls is discussed. It’s important to note that while the outline of each control in Annex A is only a few sentences, ISO 27002 refers to each control with an average of one page per each. This is simply because the ISO 27002 standard must explain how each control works, what is the objective of said control, and how that particular control can be implemented.
ISO 27002:2022 Update
Drastic changes were made to this ISMS framework structure in February of 2022, replacing the previous published release from 2013. Despite the structural modifications the documents purpose remains the same; providing a generic reference set of information security controls used within the context of ISO 27001 Information Security Management System (ISMS).
Key Updates – ISO 27002:2022
14 Categories Reduced to 4 Domains
- A.5 Organizational Controls
- A.6 People Controls
- A.7 Physical Controls
- A.8 Technological Controls
Additionally, there are 2 annexes referenced:
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
The ultimate impact of ISO 27002 is in its contribution to the stability of and organizations ISMS. A key difference is that ISO 27002 is not intended to distinguish between applicable controls used or not within an organization. ISO 27002 is to be used as a reference for the selection of security controls rather than a certification process.
Security control reduction due to consolidation
With the consolidation of controls in ISO 27002, the number of security controls is now reduced to 93 from 114. Specifically, out of the 93 controls, 58 were updated, 24 were merged and 11 new controls we created.
Eleven new controls overview
While already referenced across multiple controls, the latest version of ISO 27002 gave these topics a more focused detail and guidance in their own control.
Of the eleven controls, there are three that are most impactful:
- 7 – Threat intelligence: Keeping your organization secure is only possible by identifying threat possibilities. Only by doing this will you be able to calculate any risks posed to the company and implement measures to mitigate the risk. This organizational control offers guidance to the collection and analysis of data regarding threats to information security. Consideration is given to the strategy, tactical implementation and operations of threat intelligence.
- 23 – Information security for use of cloud services: Organizations are migrating to cloud services at an ever-increasing rate. As a consequence of this pace, most companies make the assumption that security risk identification and control is the responsibility of the cloud service provider. This, however, is not often the case. This control provides guidance for the acquisition, use, management and exit from third-party cloud services. It clearly states that your organization must define in detail, the responsibilities of both your organization and your cloud service provider.
- 28 – Secure coding: As companies are constantly increasing that develop software, poorly coded sections can result in major vulnerabilities. For example, an absence of validation of input parameters can lead to SQL injections, XSS attacks etc. The technical control guidance provided here ensures secure coding principles that should be applied in software development.
Attribute values introduced for controls
The final major change introduces five attributes, including values for each.
- Cybersecurity concepts: #Identify, #Protect, #Detect, etc.
- Information Security Properties: #Confidentiality, #Integrity and #Availability
- Security domains: #Governance_and_Ecosystem, #Protection, #Defense, etc.
- Control types: #Preventive, #Detective and #Corrective
- Operational capabilities: #Governance, #Asset_management, #Information_protection, etc.
Now when referencing Annex A, attributes will link one or more values from each attribute to any of the security controls. Easier grouping and sorting are the result of this change. As an example, if an organization wishes to strengthen preventative controls, filtering using the #preventative value in the attribute Control types will present a list of preventative control references.
Annex B in this version remains retroactive to ISO/IEC 27002:2013 and allows for an easy transition to ISO 27002s updated version.
ISO 27002 changes and its impact on your organization
When planning out your ISO 27001 information security management system project, it would be safe to assume that both ISO 27001 and ISO 27002 would be the cornerstone of your ISMS. Using the security controls included in the new ISO 27002 will result in alignment to the current industry best practices. Your infrastructure may benefit more as a result of the new introductions as a strengthened integration to existing frameworks, regulations or standards.
How Interfacing can Help Ease the Burden of ISO/IEC 27002:2022 Documentation
With the growing complexity of managing ISO 27000 series requirements, organizing information in a central location becomes increasingly important. When an auditor comes to site, they will assess management’s oversight of their third-party service providers as well as the company’s own controls. The majority of this oversight revolves mainly around documentation and the ability to review it. Proving this to an auditor means providing them with a record management system that can draw on the accuracy & speed of access to the who, when and how’s of the organizations operations objectives.
Interfacing’s Enterprise Process Center® digital platform solution maintains a complete library of:
- Processes
- Procedures
- Roles & responsibilities
- Risks
- All requirements
- Internal policies
- Aligned indicators (KPIs)
- Controlled indicators (Monitoring)
All of the above within a centralized Integrated Management System (IMS), allowing your organization to fast-track certification and simplify creation, communication (new & changes) and update of information security controls, processes and associated/related documentation.
Additionally Interfacing’s IMS also offers a Quality Management System for automating the training of your different controls and audits (action item management/CAPA) as well as managing all your documentation, files, processes, procedures, roles, risks & controls.
We offer an entire library of content to jump start your program or use as a reference library for the operating controls used to validate the maturity of your current ISO 27001 documentation.
Why Interfacing?
Interfacing’s Enterprise Process Center® (EPC) provides you with a tool to control your compliance processes by helping you manage the audit, assessment and execution of your underlying business process management. This will make compliance easier and more transparent throughout your organization.
Enterprise Process Center® will give your company the ability to automatically and continuously monitor and manage your compliance initiatives. Implementing controls associated with processes and tasks ensures that compliance requirements are followed, while automatic tracking and documentation of all process changes gives management complete oversight.
If you would like to see more or discuss how Interfacing can help your organization, be sure to click below.
Contact us more for information.
Audit & Compliance
Efficiently govern your business complexity and continuous transformation through process based quality, performance and compliance management solutions.
Compliance Management Services
Compliance is a vital element of the internal control process of any organization, helping control content and reduce costs.
Gain Transparency with the Enterprise Process Center®
Interfacing’s Digital Twin Organization software provides the transparency and Governance to improve Quality, Efficiency and ensure Regulatory Compliance.
Read Our Blogs
Take a moment to read blogs about GXP, Regulatory Compliance, today’s trends, and much much more!
Discover how your organization benefits from an Interfacing solution.
A key differentiator of Interfacing to other digital and business transformation consulting firms is that Interfacing offers its own innovative technology solution in support of transformation programs. Interfacing’s software solutions deliver the transparency required to reduce complexity, improve execution and facilitates agility and change.
Interfacing’s integrated management system is a one-stop-shop for managing transformation programs. We know it’s a very competitive environment out there. It is for that reason our strength is in our commitment to maintain flexibility throughout the project lifecycle whether it is in our innovative products or in our team of experts.
Try It Now For Free!
Document, improve, standardize, and monitor your business processes, risks and performance with Interfacing’s Business Process Management Software (BPM Software) the Enterprise Process Center®!