ISO 27002 Update: What You Need to Know

March 17, 2022

Computer security stock photo

At a glance

  • The main takeaway: The ISO/IEC 27002 update, is an important standard that provides guidance on cybersecurity and allows businesses to identify controls appropriate for their security risk.
  • Impact on your business: The new ISO/IEC 27002 standard will change the way businesses look at their security controls from threat intelligence and cloud to data masking and web filtering. 
  • Next steps: Aprio’s Information Assurance Team of qualified professionals can help you understand the new updates and the impact to your organization.

Schedule a consultation today with one of Aprio’s Information Assurance professionals.

The full story:

On Feb 15, 2022, the International Organization for Standardization (ISO) released the new ISO/IEC 27002 standard. The updated standard revises the guidance around implementation of the Annex A controls related to the Information Security Management System (ISMS) certification for ISO/IEC 27001.

For companies that are currently certified, there is a 3-year transition period to adopt the new standard. This aligns with the certification cycle for ISO/IEC 27001 certifications being valid for 3 years.

Why you should care about ISO/IEC 27002

ISO/IEC 27002 are the instructions for your ISO/IEC 27001. The ISO/IEC 27001 is still the actual standard; however, ISO/IEC 27002 provides detailed guidance on how to determine and implement controls for related information security risks to meet the requirements of the standard based on Annex A.

What has changed in the new standard?

At a high level, the control sets were reorganized into 4 categories (Organizational, People, Physical, and Technological), when previously there were 14 control domains. The total number of Annex A controls was reduced from 114 to 93, with much of the reduction related to the removal of redundant controls as 57 controls were merged and reduced to 24 controls.

In addition to reducing the number of controls in certain areas, 11 new controls were added. Below is a breakdown of the new controls:

  • A5 – Organizational Controls
    • 5.7 – Threat intelligence: Information relating to information security threats should be collected and analyzed to produce threat intelligence.
    • 5.23 – Information security for use of cloud services: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
    • 5.30 – ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
  • A7 – Physical Controls
    • 7.4 – Physical security monitoring: Premises should be continuously monitored for unauthorized physical access.
  • A8 – Technological Controls
    • 8.9 – Configuration management: Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
    • 8.10 – Information deletion: Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
    • 8.11 – Data masking: Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
    • 8.12 – Data leakage prevention: Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
    • 8.16 – Monitoring activities: Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.
    • 8.23 – Web filtering: Access to external websites should be managed to reduce exposure to malicious content.
    • 8.28 – Secure coding: Secure coding principles should be applied to software development.

The bottom line

With the comprehensive ISO/IEC 27002 standard, companies should perform a risk analysis to help ensure that their risk management and ongoing monitoring aligns to the new requirements. If you’re struggling with understanding the new updates and how they will impact your organization, Aprio’s Information Assurance Team of highly qualified professionals can help you chart your path forward.

Schedule a consultation today with one of Aprio’s Information Assurance experts.

Related resources

Stay informed with Aprio.

Get industry news and leading insights delivered straight to your inbox.

Stay informed with Aprio. Subscribe now.

About the Author

Powell Jones

Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical expertise and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.

(770) 353-3157