ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Controls - Antaris Consulting

A new version of ISO 27002 was published at the beginning of March 2022. ISO 27002:2022 is an international standard for initiating, implementing, maintaining, and improving information security management in organisations of all types and sizes, and supports the implementation of an ISMS (information security management system) based on the requirements of ISO 27001:2013. It can also be used as a guidance document for organisations determining and assessing commonly accepted information security controls.

The 2022 version of the Standard is significantly longer than the 2013 version, which it replaces.

In summary:

  • It lists 93 controls (against the 114 controls in the 2013 version)
  • These controls are grouped into 4 themes rather than 14 clauses
  • 11 new controls have been added
  • Controls now have five types of ‘attribute’ to make them easier to categorise

Organisations of all types and sizes create, collect, process, store, transmit and dispose of information in many forms, including electronic, physical and verbal. Information security is realised by implementing an appropriate set of controls, including policies, rules, processes, procedures, organisational structures, and software and hardware functions. To meet its specific security and business objectives, an organisation should define, implement, monitor, review and improve these controls where necessary. ISO 27002 offers guidance on a broad range of information security controls that are commonly applied in many different organisations.

The categorisation of controls is re-structured in ISO 27002:2022 based on the following four themes:

  • Clause 5 Organisational controls
  • Clause 6 People controls
  • Clause 7 Physical controls
  • Clause 8 Technological controls

Annex A of the guidance document explains how an organisation can use the five control attributes defined in ISO 27002 to create its own information security views. A view is an alternative categorisation of the controls, seen from a perspective other than the four themes. Attributes can be used to filter, sort, or present controls in different views for different audiences.

The five attributes are:

  • Control type (an attribute to view controls from the perspective of when and how the control modifies the risk with regard to the occurrence of an information security incident – Preventive, Detective, Corrective)
  • Information security properties (an attribute to view controls from the perspective of which characteristic of information the control will contribute to preserving – Confidentiality, Integrity, Availability)
  • Cybersecurity concepts (an attribute to view controls from the perspective of the association of controls to cybersecurity concepts – Identify, Protect, Detect, Respond, Recover)
  • Operational capabilities (an attribute to view controls from the practitioner’s perspective of information security capabilities – Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, Information security assurance)
  • Security domain (an attribute to view controls from the perspective of four information security domains – Governance and Ecosystem, Protection, Defence, Resilience)

As an example, control 6.3 is a People control titled Information security awareness, education, and training with the following five attributes:

  • Control type: Preventive
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Protect
  • Operational capabilities: Human resource security
  • Security domains: Governance and Ecosystem

Control 7.7 is a Physical control titled Clear desk and clear screen with the following five attributes:

  • Control type: Preventive
  • Information security properties: Confidentiality
  • Cybersecurity concepts: Protect
  • Operational capabilities: Physical security
  • Security domains: Protection
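The attribute mechanism described above is easiest to see in code. The following Python is an added example, not material from the standard or from Antaris; it encodes the two controls whose attributes the page lists (6.3 and 7.7) as constructed data, uses the attribute value lists given on the page as the taxonomy, and shows how a practitioner can build a view (controls grouped by one attribute), filter controls by several attribute values, and spot attribute values that no selected control covers, a quick balance check on a set of chosen controls. The dictionary keys (`control_type`, `properties`, `concepts`, `capabilities`, `domains`) are this example's own shorthand for the five attributes, not names from the standard.

```python
from collections import defaultdict

# Taxonomy: the attribute values listed on the page for each of the five attributes.
TAXONOMY = {
    "control_type": ["Preventive", "Detective", "Corrective"],
    "properties": ["Confidentiality", "Integrity", "Availability"],
    "concepts": ["Identify", "Protect", "Detect", "Respond", "Recover"],
    "capabilities": [
        "Governance", "Asset management", "Information protection",
        "Human resource security", "Physical security", "System and network security",
        "Application security", "Secure configuration", "Identity and access management",
        "Threat and vulnerability management", "Continuity", "Supplier relationships security",
        "Legal and compliance", "Information security event management",
        "Information security assurance",
    ],
    "domains": ["Governance and Ecosystem", "Protection", "Defence", "Resilience"],
}

# Constructed sample: only the two controls whose attributes the page spells out.
CONTROLS = [
    {
        "id": "6.3",
        "theme": "People controls",
        "title": "Information security awareness, education, and training",
        "control_type": {"Preventive"},
        "properties": {"Confidentiality", "Integrity", "Availability"},
        "concepts": {"Protect"},
        "capabilities": {"Human resource security"},
        "domains": {"Governance and Ecosystem"},
    },
    {
        "id": "7.7",
        "theme": "Physical controls",
        "title": "Clear desk and clear screen",
        "control_type": {"Preventive"},
        "properties": {"Confidentiality"},
        "concepts": {"Protect"},
        "capabilities": {"Physical security"},
        "domains": {"Protection"},
    },
]


def _check_attribute(attribute):
    """Reject anything that is not one of the five attributes (e.g. 'theme' or 'title')."""
    if attribute not in TAXONOMY:
        raise ValueError(f"not a control attribute: {attribute!r}")


def view_by(controls, attribute):
    """Build a view: a mapping from each attribute value to the ids of controls tagged with it."""
    _check_attribute(attribute)
    view = defaultdict(list)
    for control in controls:
        for value in sorted(control[attribute]):
            view[value].append(control["id"])
    return dict(view)


def filter_controls(controls, **criteria):
    """Return ids of controls that carry every requested attribute value, e.g.
    filter_controls(CONTROLS, concepts="Protect", properties="Integrity")."""
    for attribute in criteria:
        _check_attribute(attribute)
    return sorted(
        control["id"]
        for control in controls
        if all(value in control[attribute] for attribute, value in criteria.items())
    )


def uncovered(controls, attribute):
    """Attribute values from the taxonomy that none of the given controls is tagged with.
    Useful for checking whether a selected control set leans entirely on, say, Preventive controls."""
    _check_attribute(attribute)
    used = set().union(*(control[attribute] for control in controls))
    return sorted(value for value in TAXONOMY[attribute] if value not in used)


if __name__ == "__main__":
    for attribute in TAXONOMY:
        print(attribute, view_by(CONTROLS, attribute))
    print("not covered by control type:", uncovered(CONTROLS, "control_type"))
```

With only the two page controls loaded, the control-type view contains a single Preventive entry, and `uncovered` reports that no Detective or Corrective control is present; loading a full Statement of Applicability into `CONTROLS` turns the same three functions into a practical way to produce audience-specific views and to check coverage across each attribute.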

Annex B shows the correspondence between the controls in ISO 27002:2022 and those in the previous 2013 version, and identifies the eleven new controls as follows:

  • Control 5.7 Threat intelligence
  • Control 5.23 Information security for use of cloud services
  • Control 5.30 ICT readiness for business continuity
  • Control 7.4 Physical security monitoring
  • Control 8.9 Configuration management
  • Control 8.10 Information deletion
  • Control 8.11 Data masking
  • Control 8.12 Data leakage prevention
  • Control 8.16 Monitoring activities
  • Control 8.23 Web filtering
  • Control 8.28 Secure coding

For further advice or consultation, contact Antaris here so we can connect you with our Information Security expert.