Changes to ISO 27002

---

Why the change to ISO 27002

To set some context, ISO 27002 provides the guidance for the Annex A controls which are found in the 27001 standard. Given the 27001 standard was written in 2013, the world of information security has changed beyond measure in the last 9 years, this is a really positive change.

The change to the 27002 guidance means that the 27001 Standard will now be prioritised for update and it is expected that as early as May 2022, the new 27001:2022 standard will be released. You will have 2 years to make the transition as all 2013 certificates will expire in 2024.

What are the key Changes to ISO 27002

1. The Code of Practice now includes specifically 1) cyber security and 2) privacy protection. Therefore, if you are processing personal information, then you will need to add associated controls to your systems.
2. The control groups have now been reduced from 15 'sections' into 4 'themes'. 
3. Of the previous (approx) 140 control points, they have for the most part been incorporated into the 4 themes. However, there are 11 new controls (see the table below) that will need to be assessed and included in your system if they are appropriate to you

What do I need to do to update to 27002:2022

Ideally, buy a copy of the ISO 27002 code of practice from the ISO website. You can then start to plan the changes to your Statement of Applicability and Risk Assessment. 

You have 2 years to make the changes, but recognise the need for the review in your system somewhere (e.g. set an Objective, and discuss it at Management Review so you are fully planned and resourced. 

 New Controls in ISO 27002 

New Control Point	Control No	What is this looking for?
Threat intelligence	5.7	What systems are you using to proactively review and foresee material threats to your information and information systems?
Information security for use of cloud services	5.23	This will enhance your controls on cloud services that you use (i.e. demonstrate how you control your cloud services (acquisition, use, management and exit from cloud services)
ICT readiness for business continuity	5.30	If you are not operating with ISO 22301, this will enhance your current controls - effectively making you have a mini-Bbusiness Continuity system with objectives and metrics.
Physical security monitoring	7.4	Most organisations have physical controls, but this enhances the requirements to ensure you are on top of all elements and the associated data
Configuration Management	8.9	This covers requirements to manage the security configurations of hardware, software and networks – so you can manage unauthorised or incorrect changes
Information deletion	8.10	This ensures that config information and other information (e.g files etc) have been deleted from drives (both physical and virtual)
Data masking	8.11	What systems have you got in place to ensure that data (which could be lost or hacked) cannot be attributed to a person
Data leakage prevention	8.12	How do you ensure that data cannot be leaked or disclosed by individuals or systems
Monitoring activities	8.16	What systems (either automated or manual) are you using to look for anomalous behaviour
Web Filtering	8.23	What filters are you using to manage access to external websites to reduce exposure to malicious content?
Secure Coding	8.28	You will need to apply secure coding to software development

---

Related Articles

Comparing Cyber Essentials to ISO 27001
Use 27001 to meet the Hiscox recommendations
How GDPR is protecting Personal Data