In February 2022, the new version of the standard, ISO 27002:2022, was published.
ISO 27002 is the guidance standard of the ISO 27000 family: it describes best practices for information security, which in the new edition are formally called information security controls.
What are the main changes in ISO 27002?
- Each control is tagged with attributes, including the cybersecurity concepts of identify, protect, detect, respond and recover;
- The 14 domains of the previous version are replaced by 4 themes that group all of the controls:
- Organizational: 37 controls, 34 existing and 3 new;
- People: 8 controls, all existing, none new;
- Physical: 14 controls, 13 existing and 1 new; and
- Technological: 34 controls, 27 existing and 7 new;
- Although the number of controls drops from 114 to 93, nothing has actually been removed: 24 of the controls in the new version are the result of merging controls from the previous version, 58 controls have been updated, and 11 new controls have been added, mainly for cloud services, threat intelligence and secure development.
What are the 11 new controls?
The new controls by category are:
Clause 5. Organizational Controls
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
Clause 7. Physical Controls
- 7.4 Physical security monitoring
Clause 8. Technological Controls
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
How do I become ISO 27002 certified?
It is worth remembering that ISO 27002 is a guide that supports ISO 27001, which is the certifiable standard; an organization cannot be certified against ISO 27002 itself. Therefore, an organization that is about to be certified today would still be certified against the current ISO 27001:2013, whose Annex A lists the controls of the previous ISO 27002 edition.
If the organization is already ISO 27001 certified, the transition arrangements published with the revised ISO 27001 will specify how long it has to adapt its controls and its Statement of Applicability to the new structure.
How long would I have to adapt?
The clock starts once the ISO 27001 update is approved and its Annex A, where the controls to be applied are specified, is aligned with the new ISO 27002. A transition period of around two years is usually granted for existing certifications, although the exact period is set by the accreditation bodies when the revised standard is published rather than by ISO 27002 itself.
An organization that is in the process of implementing or certifying ISO 27001 should take this into account: it can continue working against the current Annex A, but it may also proactively start adapting its controls to the new ISO 27002 now, so that the later transition is only a matter of re-mapping the Statement of Applicability.