In this article, we look at the ISO 27002 Major Update.
A Brief History of ISO (ISO 27002 Major Update)
The origins of the ISO 27001/2 standard go back more than 20 years, stemming from British Standard BS 7799 Parts 1 and 2, first published in the late 1990s. In 2000, ISO adopted the ISO 17799 standard and later renumbered it to the current standard reference: ISO 27001/27002. In late 2013, the current standard, ISO 27001:2013, was published. While the name has changed a few times, the structure of this internationally respected set of control standards has remained intact until now, with the publication of DIS 27002.
Why is ISO Important?
The rise in cyber-threats and the increased need for information security place emphasis on organizations concentrating their efforts on protecting sensitive data by implementing the security standards provided by the International Organization for Standardization, specifically ISO 27001/27002. ISO 27001 is a favored standard for establishing an Information Security Management System (ISMS), used to maintain and manage technical, physical, and legal controls. After more than two decades as an established and predictable security control framework, ISO 27001/27002 is finally getting a facelift.
What are the Changes?
- Reorganization: The ISO 27002 major update is a reorganization of the existing framework controls. The recognizable 14 control domain structure is no longer in use; it is replaced by 4 chapters that serve as the base for all framework controls, and each control is classified as one of the following: organizational, people, technological, or physical.
- Control Reduction: Through a combination of consolidation and enhancement, the original total of 115 Annex A controls has been reduced to 93. Many of the remaining controls have been revised, 11 brand-new controls have been introduced, and one control has been removed.
- Control Attributes: Each control will carry 5 attributes that allow alternate, refined views of the control set, depending on the medium used to manage it: a database, a spreadsheet, or an application.
Do I Need to Update My ISMS?
Not yet. The ISO 27002 major update is just a Code of Practice. This means you cannot certify against it. However, it is also expected that the ISO 27001:2013 will be updated shortly after.
What You Need to Do Now:
Now is the time to take notice of this change and start conversations on how it will impact your ISMS. While no immediate changes are required this year, it is important to look ahead and be prepared, as the update may affect your company at your next re-certification.
The earliest that an organization would need to adopt and adhere to the updated framework would be one year after the new ISO 27001 code of practice has been approved and released, which is likely to occur towards the end of 2021 or early 2022. The expectation is that integration of the updated ISMS framework would coincide with the organization's recertification date. There are significant alterations in the structure of the DRAFT DIS 27002, which will in turn impact the organization's infrastructure, processes, and maintenance within the ISMS. Therefore, the earlier a business begins to analyze its existing ISMS and compare it to the proposed changes, the smoother the transition will be when the time comes for recertification.
For detailed information on how this change could impact your ISMS, Contact Your ISO Expert.
Details on the Control Changes
4 New Control Chapters containing 93 controls:
- Chapter 5 Organization (37 controls)
- Chapter 6 People (8 controls)
- Chapter 7 Physical (14 controls)
- Chapter 8 Technological (34 controls)
5 Control Attributes:
- Control Type (preventive, detective, corrective)
- Information Security Properties (confidentiality, integrity, availability)
- NIST Cyber Security Concept (identify, protect, detect, respond, recover)
- Operational Capabilities (governance, asset management, physical security – 15 in total)
- Security Domains (governance and ecosystem, protection, defense, and/or resilience)
11 New Controls Added:
- Threat intelligence
- Information security for use of cloud services
- Information and communication technology (ICT) readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
1 Control Removed:
- Removal of assets
Various controls relating to the following 22 topics have been combined to reduce redundancy:
- Policies for information security
- Information security in project management
- User endpoint devices
- Inventory of information and other associated assets
- Acceptable use of information and other associated assets
- Information transfer
- Storage media
- Access control
- Authentication information
- Access rights
- Monitoring, review, and change management of supplier services
- Information security during disruption
- Identification of legal, statutory, regulatory, and contractual requirements
- Compliance with policies and standards for information security
- Information security event reporting
- Management of technical vulnerabilities
- Installation of software on operational systems
- Application security requirements
- Security testing in development and acceptance
- Separation of development, test, and production environments
- Change management