Updates in ISO 27002:2022

Introduction

The ISO 27002 standard, which was recently updated in February 2022 to replace the 2013 edition, provides a set of standardized controls for information security that can be incorporated into an Information Security Management System (ISMS) that is based on ISO/IEC 27001. Notwithstanding several structural changes made to the text, the fundamental objective of the ISO 27002 standard—to offer recommendations for creating information security controls within the bounds of an ISMS—has not changed. As a result, organisations can keep using the ISO 27002 standard as a comprehensive manual to enhance their information security procedures. 

The ISO/IEC 27002 standard, which was first published in 2005, has undergone multiple revisions to ensure that it remains current and relevant to the latest trends and security threats. The most recent version, ISO/IEC 27002:2022, was released in January 2022, replacing the previous ISO/IEC 27002:2013 edition. The updated standard offers organizations current guidance to enhance their information security measures and aligns with the evolving threat landscape. 

This paper discusses the significant changes introduced in the latest version of ISO 27002, released in 2022, and traces the evolution of the standard since 2005.

1. Background of ISO 27002 Certification

ISO/IEC 27002, formerly known as ISO/IEC 17799, is the well-established standard for managing information security controls. The standard was created by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). In the late 1990s, businesses recognised the need for a methodical approach to managing information security controls, which led to the creation of the standard. ISO/IEC 17799, published in 2000, was the first edition and contained guidelines for information security management[1].

ISO/IEC 17799 underwent a series of revisions over time to include more detailed controls and recommendations for managing information security. In 2005, the standard was revised and renamed ISO/IEC 27002. The edition preceding the current one, ISO/IEC 27002:2013, was published in 2013 and offered organizations a comprehensive structure for protecting and managing confidential information.

2. Overview of ISO 27002:2022

The most recent edition of the global information security management standard is ISO/IEC 27002:2022, which was issued in February 2022 and replaces its predecessor, ISO/IEC 27002:2013. The latest version of the standard has been modified and enhanced to better address the evolving threat environment and the evolving requirements of businesses. ISO/IEC 27002:2022 features a number of significant changes, including: 

  1. A revised structure: The standard has been restructured to align with ISO/IEC 27001:2013, the standard for information security management systems. This makes it easier for organizations to integrate the two standards and ensure that their information security management is aligned with their business objectives. 
  2. New controls: ISO/IEC 27002:2022 includes new controls to address emerging threats and technologies. For example, there are new controls related to cloud computing, the Internet of Things (IoT), and mobile devices. 
  3. Updated controls: The standard includes updated controls to reflect changes in technology and best practices. For example, there are updated controls related to cryptography, access control, and incident management. 
  4. Emphasis on risk management: The new version of the standard places greater emphasis on risk management, reflecting the importance of a risk-based approach to information security management. 

3. Notable Changes Introduced with ISO 27002:2022

ISO/IEC 27002:2022, the latest version of the international standard for information security management, includes several notable changes compared to the previous version. Here are some of the key changes: 

  1. Restructured framework: ISO/IEC 27002:2022, published in February 2022, has undergone structural modifications. The revisions were made to bring the standard in line with ISO/IEC 27001:2013, the standard for information security management systems. This makes it simpler for organizations to combine the two standards, helping to ensure that their information security management is in sync with their business objectives.
  2. New controls: The revised standard incorporates updated controls to tackle the latest threats and technologies. It features newly added controls that cover areas such as mobile devices, cloud computing, and the Internet of Things (IoT). 
  3. Updated controls: The ISO/IEC 27002:2022 standard has updated controls that take into account changes in technology and best practices. One such change is the revision of controls related to cryptography, access control, and incident management. 
  4. Emphasis on risk management: The emphasis on risk management has been increased in the latest version of the standard, highlighting the significance of adopting a risk-based strategy to manage information security. 
  5. More guidance on implementation: The latest version of the standard offers additional recommendations for implementing controls, which includes suggestions for using tools and techniques to facilitate the implementation of controls. 
  6. More focus on supply chain security: The latest version of the standard features a new section that covers supply chain security. This addition is a response to the increasing importance of managing risks related to third-party suppliers and partners. 
  7. Greater emphasis on human factors: The new version of the standard gives more importance to the role of human factors in information security management, highlighting the significance of creating awareness and training programs for employees and stakeholders. 

4. Implications Arising from ISO 27002:2022

The most recent edition of the worldwide standard for information security management, ISO/IEC 27002:2022, provides firms that apply it with a number of advantages. There might, however, be some drawbacks to its implementation. The following are some advantages and drawbacks to take into account:

Advantages  

  1. Enhanced information security: A more thorough approach to managing information security is provided by the standard, allowing organisations to identify and reduce risks to their information assets, fortify their defences against cyber threats, and better preserve sensitive data.  
  2. Improved stakeholder trust: Adopting the standard can help firms show their commitment to information security to a variety of stakeholders, including regulators, partners, and clients, which can improve their dependability and trustworthiness. 
  3. Compliance with regulations: The standard can help firms adhere to rules, legislation, and standards pertaining to information security in the industry.  
  4. Improved efficiency: Improvements in operational efficiency can be made by integrating information security management with business goals and procedures, which can also help firms cut costs and streamline operations.  
  5. International recognition: The ISO/IEC 27002 standard, which is acknowledged globally, can help organisations show their commitment to information security.  

Disadvantages 

  1. Cost: Implementing the standard can be expensive, with spending required on technology, training, and certification.
  2. Time-consuming: Applying the standard can take considerable time, especially for businesses with complicated IT infrastructures or limited resources.
  3. Over-reliance on the standard: Instead of creating a risk-based approach to information security management, organisations may become unduly dependent on the standard as a checklist of measures.  
  4. Lack of flexibility: The standard may not be adaptable enough for all organisations, especially those operating in unusual or frequently changing environments.
  5. Resistance to change: The standard’s implementation may necessitate significant alterations to organisational culture, procedures, and systems. Employees and stakeholders may be resistant to these changes.

Conclusion

The ISO/IEC 27002:2022 framework, which is composed of strong and organised concepts that can aid in the establishment of an effective information security management practice, has the potential to be recognised and used globally. Given the improvements made, the newest version of the standard is expected to be well received; nonetheless, drawbacks such as the time and expense of implementation, along with secondary concerns such as limited flexibility, constrain the standard's potential. In order to secure their information assets against new cyber threats, companies should carefully weigh the advantages and disadvantages of applying the standard and adopt a risk-based approach to information security management.
