What is ISO 27002:2022 and why is it Important?
ISO 27002 is a supporting document to provide further detail, clarification, and guidance on Annex A in ISO 27001:2022. It should be noted that ISO 27002 is not a certification or a quality mark - it is simply a guideline for how your organisation can implement Information Security best practices.
Many clients have asked us how they can prepare and transition to the latest version of ISO 27001. We know that many companies will be taking a phased approach to implementation, so we have produced a series of articles explaining how specific controls work and guidance on how they should be implemented.
What are the changes appearing on the new ISO 27001:2022
The new ISO 27001:2022 now only has 93 controls instead of 114; they have been grouped into four categories: People (8 controls), Organisational (37 controls), Technological (34 controls), and Physical (14 controls). Many of the previous 114 controls have been merged with 11 new controls added.
What does this mean for your organisation?
In general, you can expect a more streamlined approach to implementing your information security policies and procedures.
What are the new controls in ISO 27001:2022 Annex A?
- Information security for the use of cloud services
- Data masking
- Information and Communication Technology readiness for business continuity
- Physical security monitoring
- Data leakage prevention
- Configuration management
- Information deletion
- Threat intelligence
- Monitoring activities
- Secure coding
- Web filtering
Each control is associated with attributes to help filter, sort, and present the controls in different views for different audiences. These attributes are provided in a table right before the statement of each control. Attributes are:
Information security properties
- Physical security and so forth… (complete list available on AvISO IMS toolbox – a link to be provided that explains about AvISO IMS toolbox)
- Governance and ecosystem
Our consultants thoughts on the update
The changes that have been made as part of the new ISO27001:2022 version of the information security standard are somewhat moderate. Whilst the initial format, structure, and feel for the Annex A controls look to be substantially different, on deeper analysis, it becomes evident that the changes introduced have not been very significant. Inmost cases controls have stayed as they were previously (35 controls); have been renamed (23 controls) and a large section have been merged (57 controls). Whilst the number of controls and how they are structured has changed, the fundamental requirements of the standard itself and the control areas focused on remain largely consistent with the old version we are familiar with. Overall, the changes bring about a new, improved, better structured, and streamlined version of Annex A and some small changes to Clauses 4-10.