Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.
ISO 27002:2022 was released in February this year and with it the number of controls drops from 114 to 93, and instead of being placed in 14 sections they are now organised into 4. However, even though the number of controls has been reduced, none of the previous controls are excluded. 57 of the previous controls have been merged into 24 controls under the new revision, and 1 of the controls was split into 2. On top of that there are 11 new controls as part of the 93 in the 2022 revision.
The 11 new controls introduced cover:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Remembering that you can only certify against ISO27001, since ISO27002 is only a supporting standard (although an important one for information and cyber security), what changes can be expected to ISO27001? In a nutshell, not a lot. Clauses 4 to 10 in ISO27001 will remain the same with some minor word changes. However, the security controls in Annex A will be updated to reflect the new revision of ISO27002.
So, what are the implications for you right now if your ISMS is implemented or certified according to ISO27001? The short answer is that as of now, April 2022, you don’t have a lot to worry about. Only after ISO27001 Annex A is updated to align to ISO27002 will the transition period start, and there should be a 2-year transition period for certified companies.
However, that doesn’t mean you should ignore the updates to ISO27002. There are 11 new controls worth looking into and, knowing that a change is coming to ISO27001 as a result, you should investigate how the changes will impact your risk treatments, Statement of Applicability, and policies and procedures. There is no harm in taking some lessons from ISO27002 now and planning for a change to ISO27001 in the future.