
The ISO/IEC 27002 standard, published in 2007, is an international standard concerning information security management in organisations. It builds upon the ISO/IEC 27001 standard. It contains guidelines on the security controls described in ISO/IEC 27001. It explains in detail their objectives, operating principles and methods of implementation, as well as maintenance (monitoring, improvement). In doing so, it takes into account areas where information security risks may arise within organisations.
All ISO standards are subject to periodic reviews and are constantly modified to remain relevant to a rapidly changing reality. Undoubtedly, the digital technology sector is the most dynamic. It is also where the greatest number of threats are currently to be expected. Therefore, the ISO/IEC 27002 standard, which was last updated nearly a decade ago (in 2013), was in need of an update. Its new edition, which has been announced for some time, is likely to be published in February 2022.
The ISO/IEC 27002:2022 standard cancels and replaces the 2013 edition. It incorporates technical corrections introduced in 2014 (ISO/IEC 27002:2013/COR 1:2014) and 2015 (ISO/IEC 27002:2013/COR 2:2015). The changes to ISO/IEC 27002 are primarily intended to simplify the implementation of the standard.

In the new version of ISO/IEC 27002, the title ‘Information technology – Security techniques – Code of practice for information security controls’ has been replaced by ‘Information security, cybersecurity and privacy protection – Information security controls’. This change reflects the distinction between information security and cybersecurity, and also highlights the need for privacy protection. The term ‘Code of practice’ has been removed so that the title of the standard better reflects the fact that it is a reference set of security controls, rather than a set of rules that must be implemented without exception.
The structure of the updated ISO/IEC 27002 standard remains consistent with that of other ISO/IEC standards. However, it has been simplified compared to the ISO/IEC 27002:2013 version to better fulfil its role as a user-friendly tool. Simplified terminology has been introduced, and the security measures have been grouped and described in such a way as to avoid duplicating information within the document. For this reason, the number of recommended security measures has decreased from 114 (as described in ISO/IEC 27002:2013) to 93. This does not mean that 21 have been removed: some have been reworded and consolidated with others, eleven new ones have been added, and only one has been removed. The newly described security measures primarily concern cloud data security and privacy protection.
The previous 14 chapters of ISO/IEC 27002 have been replaced by 4, covering the following areas:
Indicating which security measures are helpful in specific risk areas facilitates the practical application of ISO/IEC 27002:2022. The same purpose is served by assigning attributes to individual security measures (the concept of an attribute is also new in the text of ISO/IEC 27002), such as:
Recommended mechanisms of action have also been categorised within each attribute. This classification allows for the rapid selection of security measures appropriate to the standards of a given industry. In summary, the update to the ISO/IEC 27002 standard will not introduce many substantive changes, but the structure of the document will change significantly. This is intended to help organisations efficiently implement security measures in line with the best, globally recognised practices.