The ANSI Blog

Changes in the New ISO/IEC 27001 and ISO/IEC 27002

IT engineer in action with new ISO/IEC 27001 and 27002 information security management systems requirements.

ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements and ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls have been released. The latest revision of ISO/IEC 27002 was published in February 2022, and ISO/IEC 27001 followed in October 2022. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) joint technical committee, ISO/IEC JTC 1, changed the structure of the ISO/IEC 27001/27002 control framework after nearly 20 years.

What Is the Difference Between ISO/IEC 27001 and ISO/IEC 27002?

Organizations can achieve certification to ISO/IEC 27001 but not to ISO/IEC 27002. ISO/IEC 27001 documents the requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO/IEC 27002, by contrast, is designed as a reference that organizations use when selecting controls; it provides guidelines for information security management practices, including the implementation and management of controls, taking into consideration the organization’s information security risk environment. Organizations can be certified to standards that contain requirements, but not to standards that only provide guidance.

Changes in ISO/IEC 27001:2022

The main changes in ISO/IEC 27001:2022 include:

ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements is available on the ANSI Webstore.

Changes in ISO/IEC 27002:2022

ISO/IEC 27002:2013 contains 114 controls in 14 domains; ISO/IEC 27002:2022 contains 93 controls in 4 domains:

There are now 5 control attributes for each control:

Twelve new controls have been introduced in the new version of ISO/IEC 27002:

Sixteen controls were deleted due to duplication or better alignment under other controls:

There are a few controls that were modified and integrated to become one main control. Here are a few examples:

ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls is available on the ANSI Webstore. The 2022 and 2013 revisions of this international standard are available together as the ISO/IEC 27002:2022 and ISO/IEC 27002:2013 – IT Security, Cybersecurity, and Privacy Protection Transition Set.

Accreditation for ISO/IEC 27001 Information Security Management Systems CBs

ANAB is the first management systems accreditation body in the United States, accrediting certification bodies (CBs) to ISO/IEC 17021-1. Management systems certification bodies, like those that issue certifications to ISO/IEC 27001, can demonstrate credibility by attaining ANAB accreditation. This level of confidence passes down to organizations seeking certification, since they know which bodies can be trusted.

You can learn more about ISO/IEC 17021-1 certification bodies here.
