Make Information Security a Priority with ISO 27002

The goal of ISO 27002 is to give organizations guidance on selecting, implementing, and managing information security controls, taking into account their environment and their appetite for information security risk.

What connection does ISO 27002 have to ISO 27001?

Organizations can conform to ISO 27001, an international management system standard that gives them a framework for managing information security using best practices.

The Standard adopts a risk-based approach to information security management: organizations must assess their information security risks and select appropriate controls to treat them. Annex A of ISO 27001 lists these controls, while ISO 27002 goes a step further and offers implementation guidance for each of them.

What caused the February 2022 revision of ISO 27002?

The controls in ISO 27002 (and, by extension, the controls in Annex A of ISO 27001) are designed to reduce common information security risks.

Threats naturally develop over time. The revisions in ISO 27002:2022 (released on 15 February 2022) address some of the risks that have emerged since the 2013 edition was issued, such as the growth of cyber-related threats and the trend toward home and remote working.

The revision also gave the International Organization for Standardization the opportunity to restructure the Standard and make it more readable and accessible to users.

What Significant Changes Are Made from the 2013 Standard?

The current version of ISO 27002 has undergone several significant revisions. They are listed below:

1. The title

First, the title of the revised ISO 27002 standard no longer includes “Code of Practice.” This change reflects the 2022 version’s intended purpose as a reference set of generic information security controls and implementation guidance. The full title is now “Information Security, Cybersecurity and Privacy Protection — Information Security Controls,” which reflects the broader context: privacy protection is now considered alongside preventing, detecting, and responding to cyber-attacks.

2. The controls

ISO 27002:2022 contains 93 controls, replacing the 114 in the previous version. Of the 93 controls:

  • 58 have been updated;

  • 24 have been created by merging existing controls;

  • 11 are new.

3. Themes

Instead of the previous 14 clauses, the controls are now grouped into 4 “themes”:

  • Organizational (37 controls)

  • People (8 controls)

  • Physical (14 controls)

  • Technological (34 controls)

4. Attributes

Besides grouping the controls into four themes, another notable update is the addition of five “attributes”: hashtag-style tags attached to each control that let you filter, sort, or display the controls in different ways, such as by:

  • Control type (preventive, detective, corrective).

  • Information security properties (confidentiality, integrity, availability).

  • Cybersecurity concepts (following the NIST approach: identify, protect, detect, respond, recover).

  • Operational capabilities.

  • Security domains (e.g., governance and ecosystem, protection, defence, resilience).

Using attributes is not mandatory, but it is recommended because it simplifies the way an organization categorizes its controls. Attributes also let organizations and industry groups apply the Standard in many different contexts.

What makes ISO 27002 significant?

If your organization collects, uses, or processes data, information security risks and threats will always exist. You should have an Information Security Management System (ISMS) to protect the confidentiality, integrity, and availability of all information and information assets. The main hurdle for businesses new to information security management is its enormous scope: because an ISMS covers such a wide range of topics, most managers are unsure where to start when implementing and maintaining one. If this describes you, or if you simply want to stay on top of your information security, implementing the controls recommended in ISO/IEC 27002 is an excellent place to start.

See also

Interested in information security governance, risk and compliance? Enrol in MCSI’s MGRC - Certified GRC Expert