ISO/IEC 27002:2022 is the long-awaited update to the code of practice for information security controls that supports ISO/IEC 27001 information security management systems. ISO standards typically go through a systematic review cycle every five to seven years. In March 2018, this process was started for ISO 27002. Nearly three years later, the Draft International Standard (DIS) for ISO 27002 was released in January 2021. The review window on those proposed updates closed in April 2021, and the new standard is now complete. As of February 15, 2022, the new ISO 27002 standard became available on the ISO standards store.
In less than four years, ISO and its dedicated team of experts and members revised one of the most widely recognized standards and produced a version that is now ready for use.
The question now becomes, what changed? What can organizations expect as the transition to this new version begins?
What is ISO 27002?
ISO 27002 is intended for use as a reference when determining and implementing controls for information security risk treatment in an ISO 27001 Information Security Management System (ISMS). It provides best practices and implementation guidance for those designing an ISMS to meet the requirements of the standard based on Annex A (which will also soon be updated within an amended version of ISO 27001).
What Are the Changes In ISO 27002:2022?
What follows is a high-level breakdown of this update to answer those questions.
While there are a number of advancements in the 2022 version of ISO 27002 that will be covered in future communications, the key elements to understand include:
- Categories vs. Domains: The control sets are now organized into four (4) categories or themes as opposed to fourteen (14) control domains. The 4 categories include Organizational, People, Physical, and Technological.
- Fewer Controls: There are 21 fewer controls in the 2022 version (93, down from 114 in the 2013 version).
- Less Control Redundancy: 24 controls in the 2022 version merge two or more controls from the 2013 version.
- New Controls: 11 new controls update the standard to the current information security and cyber security landscape: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
- The "Purpose" Element: Rather than a control objective for each group of controls, every control in the 2022 version now carries its own purpose statement.
- Attributes for Controls: Each control is tagged with five attributes (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains). The intention is to enhance the risk assessment and treatment approach, allowing organizations to create different views, i.e., different categorizations of controls seen from a perspective other than the four control themes (for example, filtering for all preventive controls, or all controls supporting the "Detect" cybersecurity concept).
To summarize, there are a total of 93 controls in the 2022 version of 27002:
- 11 are new.
- 24 controls were merged from two, three, or more controls from the 2013 version.
- 58 controls from the 2013 version were reviewed and revised to better align with the current information security and cyber security environment.
The 2022 version of ISO 27002 also includes two very useful annexes:
- Annex A, which provides guidance on the application of attributes and an example of how to use them to build a view of the controls, and
- Annex B, which provides a correspondence table between the 2022 controls and those of ISO/IEC 27002:2013 (and therefore the Annex A controls of ISO/IEC 27001:2013), in both directions.
Both are useful in bridging the gap between versions of this standard and in clarifying how the controls in the 2022 version are applied.
ISO 27002:2022 Moving Forward
The new ISO 27002:2022 represents a comprehensive standard, the creation of which clearly required tremendous effort by ISO, the committees, experts, and members.
This latest update will help those already using ISO 27002 as well as those seeking an information security, cyber security, and privacy protection control framework. Now that the update has been formally published, the next step will be establishing a timeline for transition to this new version, along with the corresponding updates to ISO 27001.
In the meantime, interested or affected organizations can continue to study the details of ISO 27002:2022 so that their understanding is as thorough as possible before their next certification cycle begins under the new requirements.
You can check the main resource for this article here.
This standard covers:
- Information Security
- Cybersecurity and Privacy Protection
- Information Security Controls
You can also check the previous version of ISO 27001 here.
Oss Middle East Company:
Aims to help organizations in all sectors in Egypt and the Middle East apply international management system standards in all fields.