ISO 27001 & ISO 27002 Updates (2022)

Organisations all across the globe are alarmed by the threat of cyber peril. Shockingly, cybercriminals can invade 93% of information assets without the slightest indication. To cope with cyber terrorism and attacks, firms rely on the Information Security Management Systems such as ISO/IEC 27000 family.

ISO 27001 and ISO 27002 seem analogous, but in reality, they both have individuality as standards in the International Security Management System. To meet the challenges of the alarming potential threats in 2022, these standards have been updated as anticipated for quite some time.

So, what are the latest updates in the Information Security Management System? What aspects do you need to consider when having your business certified to the updated ISO standards? This article will unfold the distinctions between the two standards and how they are related.

What’s the Difference Between ISO/IEC 27001 and ISO/IEC 27002?

Organisations can get certified for standards with requirements but not for standards that provide guidance. So first off, firms obtain certifications to ISO 27001 but not to ISO 27002. That’s because:

  • An organisation needs ISO/IEC 27001 standard for implementing, establishing, maintaining, and constantly upgrading its information security management system.
  • ISO/IEC 27002 is designed around guidelines and used as a reference for selecting controls for the information security management system framework. In addition, organisations employ these guidelines for their data protection, management, and implementation of controls.

An In-depth look at ISO 27001 and ISO 27002 Updates

Here is a quick overview of the ISO 27001 and ISO 27002 latest versions:

Newest updates: New changes have been introduced to ISO 27002 on February 15, 2022, according to which Annex A of ISO 27001 will also be aligned with the latest changes. However, the ISO 27001 latest version is yet to be published but is expected to be announced anytime soon in 2022. (Hint: October)

Series of evolution and its importance: The current framework has been in operation for 20 years. The standards have seen multiple naming changes, i.e., British Standard (BS 7799) Part 1 and 2, which later became ISO 17799 in 2000. The standards further evolved to ISO 27001/27002:2005, after which they were revised to ISO 27001:2013 and ISO 27002:2013 and finally to ISO 27001:2022 and ISO 27002:2022.

Notable updates: The term “Code of Practice” is dropped from the title of ISO 27002 latest version. The updated title better defines its purpose as a set of references for information security controls. Furthermore, the standard itself is notably extended than the previous version, with the records being reordered and updated. Finally, some controls have been removed, added, and even merged in the ISO 27002 latest version.

Changes in ISO 27001:2022

The key updates in ISO 27001 latest version include:

  • Firstly, Annex A now complies with the 93 controls of ISO 27002:22 rather than the 114 controls of 27002:2013.
  • Secondly, the note in Clause 6.1.3 c now features editorial amendments. Furthermore, the key points include deleting the term “control objective” and replacing the phrase “Information security control” with the word “Controls.”
  • Finally, thanks to the revisions, the description of Clause 6.1.3 d is now highly readable and ambiguity-free.

Changes in ISO/IEC 27002:2022

The 2013 version had 114 controls in 14 domains while the newest version has 93 controls in 4 domains; These are:

The New Themes

ISO 27002:2013 contains 114 controls in 14 domains, while the new ISO 27002:2022 contains 93 controls in 4 domains:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

New Controls

ISO has proposed 12 new controls to follow the latest information security trends. The new controls are:

  • Threat intelligence
  • Identity management
  • Information security for using cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Monitoring Activities
  • Secure coding

New Hashtags or Attributes

The final update introduces 5 new attributes or hashtags to simplify the categorisation process. These are:

  • Control type: Detective, Preventative, Corrective
  • Cybersecurity concept: Identify, Protect, Respond and Recover
  • Information security properties: Confidentiality, Integrity, Availability
  • Operational capabilities: Governance and Asset management
  • Security domains: Protection, Defense, Resilience

If your organisation already has the information security management system certification of ISO/IEC 27001:2013, the system is all set to meet the challenges. Besides, a 2 year transition period allows organisations to update their management system. So, you lose nothing by implementing the ISMS that complies with ISO 27001:2013.

However, waiting for the ISO 27001 latest version might leave your organisation at an increased risk of cyber perils. GCC  is a leading independent certification body, and we take pride in helping businesses get global recognition. Have a look at the complete ISO 27001 Certification Process.