Confirming the year-long buzz, ISO27001:2013 is finally updated to ISO/IEC 27002:2022 in March this year. It is essential to know how will ISO/IEC 27002:2022 update impact businesses in Australia. The noteworthy change has grabbed the eyeballs from the business world.
But, before hopping on to the new standards and specifications, let’s have a quick recap on ISO27001:2013.
ISO27001:2013
ISO27001:2013 upgrade was initially introduced in 2013. International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) had jointly released it in 2005. It has been the first choice of businesses for providing security via Information Security Management Systems. The standard secured the business information of an organisation. It included sensitive information, intellectual property and financial information, employee information, and third-party client data.
ISO/IEC 27002:2022 update
With the dropping of the ‘code of practice’ phrase, the purpose of ISO/IEC 27002:2022 has been clearly demonstrated. It is a reference set of information security controls and has some new inclusions and deletions.
Old to new phrase transition
The old phrases replaced are Information Technology, Security Techniques, and Code of Practice for information security management, have been replaced. The new phrases are Information Security, Cyber Security, and privacy protection.
What’s new?
The new ISO 27002:2022 has 93 controls contrary to the 114 controls from the former version. The changes are listed below, and its detailed procedures can be found in Annexure A
‘Themes’ for New controls
- Organizational (37 controls)
- People (8 controls)
- Technological (34 controls)
- Physical (14 controls)
Each theme has been listed below with its controls as per ISO27002:2022. Businesses can refer to Annexure A for detailed procedures.
Organisational controls
| ISO 27002 5.1 Policies for information security |
| ISO 27002 5.2 Information security roles and responsibilities |
| ISO 27002 5.3 Segregation of duties |
| ISO 27002 5.4 Management responsibilities |
| ISO 27002 5.5 Contact with authorities |
| ISO 27002 5.6 Contact with special interest groups |
| ISO 27002 5.7 Threat intelligence |
| ISO 27002 5.8 Information security in project management |
| ISO 27002 5.9 Inventory of information and other associated assets |
| ISO 27002 5.10 Acceptable use of information and other associated assets |
| ISO 27002 5.11 Return of assets |
| ISO 27002 5.12 Classification of information |
| ISO 27002 5.13 Labelling of information |
| ISO 27002 5.14 Information transfer |
| ISO 27002 5.15 Access control |
| ISO 27002 5.16 Identity management ISO 27002 5.17 Authentication information |
| ISO 27002 5.18 Access rights |
| ISO 27002 5.19 Information security in supplier relationships |
| ISO 27002 5.20 Addressing information security within supplier agreements |
| ISO 27002 5.21 Managing information security in the ICT supply chain |
| ISO 27002 5.22 Monitoring, review and change management of supplier services |
| ISO 27002 5.23 Information security for use of cloud services |
| ISO 27002 5.24 Information security incident management planning and preparation |
| ISO 27002 5.25 Assessment and decision on information security events |
| ISO 27002 5.26 Response to information security incidents |
| ISO 27002 5.27 Learning from information security incidents |
| ISO 27002 5.28 Collection of evidence |
| ISO 27002 5.29 Information security during disruption |
| ISO 27002 5.30 ICT readiness for business continuity |
| ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements |
| ISO 27002 5.32 Intellectual property rights |
| ISO 27002 5.33 Protection of records |
| ISO 27002 5.34 Privacy and protection of PII |
| ISO 27002 5.35 Independent review of information security |
| ISO 27002 5.36 Compliance with policies and standards for information security |
| ISO 27002 5.37 Documented operating procedures |
ISO 27002 6 People controls
| ISO 27002 6.1 Screening |
| ISO 27002 6.2 Terms and conditions of employment |
| ISO 27002 6.3 Information security awareness, education and training |
| ISO 27002 6.4 Disciplinary process |
| ISO 27002 6.5 Responsibilities after termination or change of employment |
| ISO 27002 6.6 Confidentiality or non-disclosure agreements |
| ISO 27002 6.7 Remote working |
| ISO 27002 6.8 Information security event reporting |
ISO 27002 7 Physical controls
| ISO 27002 7.1 Physical security perimeter |
| ISO 27002 7.2 Physical entry controls |
| ISO 27002 7.3 Securing offices, rooms, and facilities |
| ISO 27002 7.4 Physical security monitoring |
| ISO 27002 7.5 Protecting against physical and environmental threats |
| ISO 27002 7.6 Working in secure areas |
| ISO 27002 7.7 Clear desk and clear screen |
| ISO 27002 7.8 Equipment siting and protection |
| ISO 27002 7.9 Security of assets off-premises |
| ISO 27002 7.10 Storage media |
| ISO 27002 7.11 Supporting utilities |
| ISO 27002 7.12 Cabling security |
| ISO 27002 7.13 Equipment maintenance |
| ISO 27002 7.14 Secure disposal or re-use of equipment |
ISO 27002 8 Technological controls
| ISO 27002 8.1 User endpoint devices |
| ISO 27002 8.2 Privileged access rights |
| ISO 27002 8.3 Information access restriction |
| ISO 27002 8.4 Access to source code |
| ISO 27002 8.5 Secure authentication |
| ISO 27002 8.6 Capacity management |
| ISO 27002 8.7 Protection against malware |
| ISO 27002 8.8 Management of technical vulnerabilities |
| ISO 27002 8.9 Configuration management |
| ISO 27002 8.10 Information deletion |
| ISO 27002 8.11 Data masking |
| ISO 27002 8.12 Data leakage prevention |
| ISO 27002 8.13 Information backup |
| ISO 27002 8.14 Redundancy of information processing facilities |
| ISO 27002 8.15 Logging |
| ISO 27002 8.16 Monitoring activities |
| ISO 27002 8.17 Clock synchronization |
| ISO 27002 8.18 Use of privileged utility programs |
| ISO 27002 8.19 Installation of software on operational systems |
| ISO 27002 8.20 Network controls |
| ISO 27002 8.21 Security of network services |
| ISO 27002 8.22 Web filtering |
| ISO 27002 8.23 Segregation in networks |
| ISO 27002 8.24 Use of cryptography |
| ISO 27002 8.25 Secure development lifecycle |
| ISO 27002 8.26 Application security requirements |
| ISO 27002 8.27 Secure system architecture and engineering principles |
| ISO 27002 8.28 Secure coding |
| ISO 27002 8.29 Security testing in development and acceptance |
| ISO 27002 8.30 Outsourced development |
| ISO 27002 8.31 Separation of development, test and production environments |
| ISO 27002 8.32 Change management |
| ISO 27002 8.33 Test information |
| ISO 27002 8.34 Protection of information systems during audit and testing |
Highlighting New controls
| Threat intelligence |
| Information security for use of cloud services |
| ICT readiness for business continuity |
| Physical security monitoring |
| Configuration management |
| Information deletion |
| Data masking |
| Data leakage prevention |
Attributes for better categorisation:
- Control type (preventive, detective and corrective)
- Information security properties (confidentiality, integrity and availability)
- Cybersecurity concepts (identify, protect, detect, respond and recover)
- Operational capabilities (governance and asset management, etc.)
- Security domains (governance and ecosystem, protection, defence and resilience)
Impact on businesses already certified with ISO 27001:2013
Businesses pre-certified with ISO27001:2013 will be provided a transition period of two-three years. The organisations will have to modify their management system to comply with this new version. We advise businesses to complete their renewal, audits etc., for ISO27002:2022 much prior to their certification date. Businesses must note that all future renewals will happen as per the new controls.
Instructions for new businesses implementing ISO/IEC 27002:2022
Earlier, businesses were allowed to select applicable controls as per ISO 27001:2013. This selection is a part of the risk management process. Now, the Statement of Applicability for organisations, will continue to be as per Annex A of ISO 27001:2013. But for the controls, the new ISO/IEC 27002:2022 update will play a key role.
How can Anitech help?
Having a reputation for helping businesses for over 15 years, Anitech is a leading advisory security provider. We have a team of experts that understand the ISM principles and ISO standards. Our team had seen the update coming and was prepared in advance!
We follow a risk management framework, and a well-planned strategy. This will help companies meet the new set of controls required in the updated version. Our consultancy has industry experience in aiding businesses, to meet ISO27001:2013 certification requirements.
So, why wait for tomorrow? Speak to our experts, call us now on 1300 802 163 or e-mail us at – info@anitechgroup.com or enquire here.
You can take a quick self-assessment test by clicking here.
