ISO/IEC 27001 and ISO/IEC 27002 are both under revision. ISO/IEC 27002 is scheduled to be published in January 2022, and ISO/IEC 27001 will follow shortly thereafter. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) joint technical committee, ISO/IEC JTC 1, is changing the structure of the ISO/IEC 27001/27002 control framework after nearly 20 years.
What Is the Difference Between ISO/IEC 27001 and ISO/IEC 27002?
Organizations can achieve certification to ISO/IEC 27001 but not ISO/IEC 27002. ISO/IEC 27001 documents requirements for establishing, implementing, maintaining, and continually improving an information security management system, while ISO/IEC 27002 is designed for organizations to use as a reference for selecting controls and provides guidelines for information security management practices including the implementation and management of controls, taking into consideration the organization’s information security risk environment. Organizations can get certified to standards that contain requirements but cannot get certified to standards that provide guidance.
Changes in ISO/IEC 27001:2022
The main changes in ISO/IEC 27001:2022 include:
- Annex A references to the controls in ISO/IEC 27002:2022, which includes the control title and the control;
- The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”;
- The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.
Changes in ISO/IEC 27002:2022
ISO/IEC 27002:2013 contains 114 controls in 14 domains; ISO/IEC 27002:2022 will contain 93 controls in 4 domains:
- Chapter 5 – Organizational (if they do not fall under any other domain) – 37 controls
- Chapter 6 – People (if they concern individual people) – 8 controls
- Chapter 7 – Physical (if they concern physical objects) – 14 controls
- Chapter 8 – Technological (if they concern technology) – 34 controls
There are now 5 control attributes for each control:
- How to categorize – preventative, detective, corrective
- Information security properties – confidentiality, integrity, availability
- Cybersecurity concepts – identify, protect, detect, respond, recover
- Operational capabilities – governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance
- Security domains – governance and ecosystem, protection, defense, resilience
Twelve new controls have been introduced in the new version of ISO/IEC 27002:
- Threat intelligence
- Identity management
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- User endpoint devices
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Web filtering
- Secure coding
Sixteen controls were deleted due to duplication or better alignment under other controls:
- Review of the policies for information security
- Mobile device policy
- Ownership of assets
- Handling of assets
- Password management system
- Delivery and loading areas
- Removal of assets
- Unattended user equipment
- Protection of log information
- Restrictions on software installation
- Electronic messaging
- Securing application services on public networks
- Protecting application services transactions
- System acceptance testing
- Reporting information security weaknesses
- Technical compliance review
There are a few controls that were modified and integrated to become one main control. Here are a few examples:
- “Inventory of Assets” is modified as “Inventory of information and other associated assets”.
- “Acceptable use of assets” changed to “Acceptable use of information and other associated assets”.
- Policy on cryptographic controls and key management etc. changed to “Use of Cryptography controls”.
- Event logging renamed to “Logging”.
- Admin and operator logs changed to “Monitoring activities”.
- Information transfer policies and procedures, agreement on Information transfer, etc. combined as a main control under “Information transfer”.
Accreditation for ISO/IEC 27001 Information Security Management Systems CBs
ANAB is the first management systems accreditation body in the United States, accrediting certification bodies (CBs) to ISO/IEC 17021-1. Management systems certification bodies, like those that issue certifications to ISO/IEC 27001, can demonstrate credibility by attaining ANAB accreditation. This level of confidence passes down to organizations seeking certification, since they know which bodies can be trusted.
You can learn more about ISO/IEC 17021-1 certification bodies here.