The British Standards Institute (BSI) recently released an updated version of ISO/IEC 27002 – Code of Practice for Information Security Controls. This was the first major update since the 2005 release. Many organizations are interested in how the changes will impact their information security program.
What Really Changed?
In our review, very little in the way of information security substance was changed in this version. While several controls were added and several more removed, the update is largely an exercise in moving and renumbering. The essential “key” controls are still required – they have just been moved to a different location.
Some of the key moves seem justified – like consolidating all third-party security controls into one domain. (Understanding the rationale for renaming the domain from “Third-Party” to “Supplier Relationships” is more difficult.) While some sections, such as 5.0 Information Security Policy, remained unchanged, several areas, such as Operational Security, had major changes.
The ISO 27002:2013 Change Heat Map
In our efforts to decipher the changes between ISO 27002:2005 and 2013, we found it very difficult to wade through the vast numbering changes. In order to help our clients manage this information, we created a change “heat map”. In short, the map uses color coding to try to indicate areas of large change (red) versus areas that remained similar (green).
The heat map aligns both of the versions (like this sample image) to try to visualize what was maintained, added and removed between versions.
So what does this mean for Information Security Policies?
Most organizations will change little with this update – unless they included specific ISO 27002 references in written policy documents. In that case, they will have to change a large number of references. (It might make sense to remove such references altogether before future versions!)
The core requirements to develop, maintain and distribute written information security policies are still key to the standard. (As they are with every information security regulation.) The work will be in deciding how and when to address the new control objectives, and then in including them within your written information security policies. In future releases of our PolicyShield Security Policy Subscription and Information Security Policies Made Easy, we will include any needed sample policies to fill in the gaps.