Changes in the New ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements and ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls have been released. The latest revision of ISO/IEC 27002 was published in February 2022, and ISO/IEC 27001 followed in October 2022. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) joint technical committee, ISO/IEC JTC 1, changed the structure of the ISO/IEC 27001/27002 control framework after nearly 20 years.

What Is the Difference Between ISO/IEC 27001 and ISO/IEC 27002?

Organizations can achieve certification to ISO/IEC 27001 but not ISO/IEC 27002. ISO/IEC 27001 documents requirements for establishing, implementing, maintaining, and continually improving an information security management system, while ISO/IEC 27002 is designed for organizations to use as a reference for selecting controls and provides guidelines for information security management practices including the implementation and management of controls, taking into consideration the organization’s information security risk environment. Organizations can get certified to standards that contain requirements but cannot get certified to standards that provide guidance.

Changes in ISO/IEC 27001:2022

The main changes in ISO/IEC 27001:2022 include:

• Annex A references to the controls in ISO/IEC 27002:2022, which includes the control title and the control;
• The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”;
• The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.

ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements is available on the ANSI Webstore.

Changes in ISO/IEC 27002:2022

ISO/IEC 27002:2013 contains 114 controls in 14 domains; ISO/IEC 27002:2022 contains 93 controls in 4 domains:

• Chapter 5 – Organizational (if they do not fall under any other domain) – 37 controls
• Chapter 6 – People (if they concern individual people) – 8 controls
• Chapter 7 – Physical (if they concern physical objects) – 14 controls
• Chapter 8 – Technological (if they concern technology) – 34 controls

There are now 5 control attributes for each control:

• How to categorize – preventative, detective, corrective
• Information security properties – confidentiality, integrity, availability
• Cybersecurity concepts – identify, protect, detect, respond, recover
• Operational capabilities – governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance
• Security domains – governance and ecosystem, protection, defense, resilience

Twelve new controls have been introduced in the new version of ISO/IEC 27002:

• Threat intelligence
• Identity management
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• User endpoint devices
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Web filtering
• Secure coding

Sixteen controls were deleted due to duplication or better alignment under other controls:

• Review of the policies for information security
• Mobile device policy
• Ownership of assets
• Handling of assets
• Password management system
• Delivery and loading areas
• Removal of assets
• Unattended user equipment
• Protection of log information
• Restrictions on software installation
• Electronic messaging
• Securing application services on public networks
• Protecting application services transactions
• System acceptance testing
• Reporting information security weaknesses
• Technical compliance review

There are a few controls that were modified and integrated to become one main control. Here are a few examples:

• “Inventory of Assets” is modified as “Inventory of information and other associated assets.”
• “Acceptable use of assets” changed to “Acceptable use of information and other associated assets.”
• Policy on cryptographic controls and key management etc. changed to “Use of Cryptography controls.”
• Event logging renamed to “Logging.”
• Admin and operator logs changed to “Monitoring activities.”
• Information transfer policies and procedures, agreement on Information transfer, etc. combined as a main control under “Information transfer.”

ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls is available on the ANSI Webstore. The 2022 and 2013 revisions of this international standard are available together as the ISO/IEC 27002:2022 and ISO/IEC 27002:2013 – IT Security, Cybersecurity, and Privacy Protection Transition Set.

Accreditation for ISO/IEC 27001 Information Security Management Systems CBs

ANAB is the first management systems accreditation body in the United States, accrediting certification bodies (CBs) to ISO/IEC 17021-1. Management systems certification bodies, like those that issue certifications to ISO/IEC 27001, can demonstrate credibility by attaining ANAB accreditation. This level of confidence passes down to organizations seeking certification, since they know which bodies can be trusted.

You can learn more about ISO/IEC 17021-1 certification bodies here.