In March 2022 the International Standards Institute (ISO) made an official update to the cyber security standard ISO/IEC 27002. The last update was in 2013, so nine years have passed. This is significant because many organizations decided to base their information security program on the ISO 27002:2013 framework. In this article we will summarize (1) what changes were made, and (2) how your organization can respond.
Major Changes Between 2013 and 2022
When we first reviewed the 2022 update, our first reaction was: “Not again!” Much like the 2013 update, rather than making substantial changes to the core topics covered, the 2022 update was a massive renumbering exercise. Here’s a summary of what changed.
Flatter Control Outline – Fewer Categories
One of the massive structural changes was the reduction in overall control categories. Instead of having 16 core categories and 100+ subcategories with sequential numbering (in the 2013 update), the 2022 update reduces the number of categories to three: Organization Controls, Physical Controls, and Technical Controls. While this might be a good idea for some implementation, it creates a massive renumbering nightmare. For example, 12.3.1 Information Backup, has now become 8.13 Information Backup. This cascades throughout the 2022 update and generally makes if VERY difficult to track your previous controls against the new standard. In our opinion, this flattened outline makes understanding and complying with the standard harder – not easier.
New Security Control Structure
One positive change in the 2022 update is that controls are more granular and more details are provided to test implementation. In the previous 2005 and 2013 versions, each control “objective” was more vague and required interpretation, generally by a cyber security professional. The new control structure provides more details on how the control can be implemented and validated.
The layout for each control contains the following:
— Control title: Short name of the control;
— Attribute table: A table shows the value(s) of each attribute for the given control;
— Control: What the control is;
— Purpose: Why the control should be implemented;
— Guidance: How the control should be implemented;
— Other information: Explanatory text or references to other related documents
CIA And Risk Mappings
One of the major changes to the 2022 update are new “tags” in each control to various categories defined in the Standard. For example, the classic categories of Confidentiality, Integrity and Availability are now added. The standard also tags certain controls as either “preventative” or “corrective” and creates other categories such as “Cyber Security Concepts”. So for example, the Control 5.11 Return of Assets has the following:
Control Type | Information Security Properties | Cyber Security Concepts | Operational Capabilities |
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management |
While these concepts will help in a formalized risk assessment, we wonder if they are going to be meaningful to organizations in the real world. The extra information is useful, but also tends to add complexity in the reading and understanding of the control objectives.
What’s new in ISO 27002:2022 standard?
The main question security professionals want answered is this: “What new security controls are required?” The update did add several new control categories, summarized below. The issue we have is that these controls are already considered best-practices, and are explicitly part of other frameworks such as the NIST CSF. So while the updates are valid, most organizations will not be looking to these additions as major updates to their own internal control framework. In fact, except for a few small niches, the ISO 27002:2002 update provide virtually no new cyber controls that haven’t already been considered.
As we note below, organizations that must maintain strict adherence to the Standard and get validated according to the ISO 27001 protocols will want to cover these new control areas. Organizations using ISO 27002 for general guidance and structure will find filling the gaps very straightforward.
New Control | Summary and Comments |
8.9 Configuration Management | Formal system configuration management, including secure baselines and related management controls. |
8.10 Information Deletion | Formal controls for information deletion |
8.11 Data Masking | Controls for making data not-readable, mostly by encryption (similar to PCI-DSS requirements) |
8.12 Data Leak Prevention | This is a general category that encompasses a variety of controls related to protecting information from disclosure. The entire ISO framework is designed for data leak prevention. |
8.16 Monitoring Activities | Various controls related to monitoring of people and systems. |
8.23 Web Filtering | A special new control for actively filtering internet traffic |
8.28 Secure Coding | A new control to address secure software development practices |
For organizations with gaps in security policy coverage, our policy template library covers each of the new control areas.
Should we update our Information Security Policies for ISO 27002:2022?
The short answer is: Maybe. If your organization is going to be officially certified against the new standard using ISO 27001, then you should perform a gap-analysis between your existing controls and the new ISO 2002 standard. You can then fill any cyber security content gaps. You will also most likely need to update any mappings you created between your internal controls and the 2022 update. If your organization is not seeking certification, then the new controls updates are not likely to impact your existing information security policies in a significant way.
The control category requirement for “information security policies” changed only slightly. It went from 5.1.1 to 5.1 Policies for Information Security. Being the first control category within the outline is a key signal to any organization. You cannot have robust information security program without a comprehensive set of written information security policies.
Keeping Your Cyber Controls Insulated
This is one of the many reasons that we use a Common Security Policy approach to compliance. Using a common approach, your organization has a single cyber security control framework that is based on (1) leading cyber practices and (2) threats likely to impact the organization. “Compliance” is then handled by mapping your internal controls to various third-party frameworks such as ISO 27002, NIST CSF, HIPAA, CMMC, CIS and others. This approach not only enables a more effective approach to managing cyber security, but it insulates your program against massive number changes like the recent 27002 update. To learn more about the Common Security Policy approach, contact us or sign up for a trial of ComplianceShield.