To set some context, ISO 27002 provides the guidance for the Annex A controls which are found in the 27001 standard. Given the 27001 standard was written in 2013, the world of information security has changed beyond measure in the last 9 years, this is a really positive change.
The change to the 27002 guidance means that the 27001 Standard will now be prioritised for update and it is expected that as early as May 2022, the new 27001:2022 standard will be released. You will have 2 years to make the transition as all 2013 certificates will expire in 2024.
Ideally, buy a copy of the ISO 27002 code of practice from the ISO website. You can then start to plan the changes to your Statement of Applicability and Risk Assessment.
You have 2 years to make the changes, but recognise the need for the review in your system somewhere (e.g. set an Objective, and discuss it at Management Review so you are fully planned and resourced.
|New Control Point||Control No||What is this looking for?|
|What systems are you using to proactively review and foresee material threats to your information and information systems?|
|Information security for use of cloud services||5.23||This will enhance your controls on cloud services that you use (i.e. demonstrate how you control your cloud services (acquisition, use, management and exit from cloud services)|
|ICT readiness for business continuity||5.30||If you are not operating with ISO 22301, this will enhance your current controls - effectively making you have a mini-Bbusiness Continuity system with objectives and metrics.|
|Physical security monitoring||7.4||Most organisations have physical controls, but this enhances the requirements to ensure you are on top of all elements and the associated data|
|Configuration Management||8.9||This covers requirements to manage the security configurations of hardware, software and networks – so you can manage unauthorised or incorrect changes|
|Information deletion||8.10||This ensures that config information and other information (e.g files etc) have been deleted from drives (both physical and virtual)|
|Data masking||8.11||What systems have you got in place to ensure that data (which could be lost or hacked) cannot be attributed to a person|
Data leakage prevention
|8.12||How do you ensure that data cannot be leaked or disclosed by individuals or systems|
|Monitoring activities||8.16||What systems (either automated or manual) are you using to look for anomalous behaviour|
|Web Filtering||8.23||What filters are you using to manage access to external websites to reduce exposure to malicious content?|
|Secure Coding||8.28||You will need to apply secure coding to software development|
Related ArticlesComparing Cyber Essentials to ISO 27001
Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.
Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.
Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.
If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:CONTACT US
Tel: 01908 255 525