Colleagues in a high tech office looking at data on a tablet device
Information Security

Key changes to ISO 27001 as at February 2022

Published: February 04, 2022
Colleagues in a high tech office looking at data on a tablet device
Information Security

Please note: an updated version of this article can be found here 

In accordance with ISO’s regular approach to its management system standards, ISO 27002 is under review and is expected to be released in February 2022. This will mean that ISO will also update ISO 27001, which is expected to be released in April 2022. Read on to find out about the key changes to the standard. 

Information included within this article is based on information available at the time of publishing – 4 February 2022.

Key Details

  • ISO 27001 and ISO 27002 will be updated in early 2022.
  • Controls in 27002 have been reorganised into 4 chapters and classified into themes.
  • ISO 27002 will no longer be referred to as a “Code of Practice”.
  • 11 new controls have been added to 27002, with others removed or reorganised to have 93 controls in total.

The main focus of the review and changed control objectives is to reflect the changing technical environment and threats. The updated and new controls thematically relate to:

  • Threat intelligence
  • Identity management
  • Information security for the use of cloud services,
  • ICT readiness for business continuity
  • Physical security monitoring
  • Changing technology utilisation and threats
  • User endpoint devices.

This article provides a summary of the key changes to the standard and their impact. Whilst we refer to the standards as ISO 27001 and ISO 27002 within this article, it should be taken to mean ISO/IEC 27001 and ISO/IEC 27002 respectively.

Structure of controls

In the update, controls will be divided into one of four chapters:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls).

In addition, each control will be tagged for each of the following attributes:

Control type 

  • Preventive
  • Detective
  • Corrective.

Information security properties 

  • Confidentiality
  • Integrity
  • Availability.

Cybersecurity concepts

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover.

Security domains*

  • Governance and ecosystem
  • Protection
  • Defence
  • Resilience.

* This attribute may be removed in the final published version of ISO 27002.

Operational capabilities

  • Governance
  • Asset management
  • Information protection
  • Human resource security
  • Physical security
  • System and network security
  • Application security
  • Secure configuration
  • Identity and access management
  • Threat and vulnerability management
  • Continuity
  • Supplier relationships security
  • Legal.

The current structure of ISO 27002 aligns closely with these operational capabilities.

How long do you have?

For organisations that are certified to ISO 27001, once the new standard is released there is typically a 3 year transition period to enable sufficient time for organisations to update their management systems and approach. JAS-ANZ and the International Accreditation Forum (IAF) will typically release guidance relating to this once the standard is released. Liaise with your conformity assessment body to confirm your transition timeframe.

For uncertified organisations that use ISO 27001 as a guide or structure for their management systems, there are no formal external requirements to realign to the new standard, however individual stakeholders may have their own views on transition timeframe.

Impact on ISO 27001

There is expected to be minimal impact on the management system elements of of ISO 27001 itself. The annex to the standard – Reference control objectives and controls – will be updated to align with the changes to ISO 27002.

The primary link between the management system for information security and the specific controls to mitigate information security risks will be the Statement of Applicability (SoA). This SoA is a linking document between the organisation’s risk assessment and the controls of ISO 27002, providing justification for the exclusion of any controls from the organisation’s control environment. As organisations look to transition to the 2022 version of ISO 27001, they may review the existing controls included within their SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.

It is worth noting that ISO have updated the High Level Structure that informs management systems standards, adding a standard “Management of change” clause to element 6.3 and changing the way documented information is referenced in the standard (removal of the terms “retain” or “maintain” in favour of “keep”). It is unclear currently if ISO 27001:2022 will follow this amended structure.

Overview of controls

The new standard will include:

  • 11 new controls,
  • Consolidate 19 previously individual controls,
  • 3 controls from the 2013 revision of the standard will be removed,
  • 61 controls will remain unchanged, although restructured.

New controls

The new controls to be included in 27002 are:

Organisational

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity.

People

  • Nil.

Physical

  • 7.4 Physical security monitoring.

Technological

  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring services
  • 8.22 Web filtering
  • 8.28 Secure coding.

Consolidated controls

Included below are the new clauses which consolidate existing controls included within ISO 27002:2013. Clause numbers from ISO 27002:2013 have been included in brackets.

  • 5.1 Policies for information (5.1.1, 5.1.2)
  • 5.9 Inventory of information and other associated assets (8.1.1, 8.1.2)
  • 5.14 Information transfer (13.2.1, 13.2.2, 13.2.3)
  • 5.15 Access control (9.1.1, 9.1.2
  • 5.16 Identity management (9.2.1, 9.4.3
  • 5.17 Authentication information (9.2.4, 9.3.1)
  • 5.18 Access rights (9.2.2, 9.2.5, 9.2.6)
  • 5.22 Monitoring, review and change management of supplier services (15.2.1, 15.2.2)
  • 5.29 Information security during disruption (17.1.1, 17.1.2, 17.1.3)
  • 7.10 Storage media (8.3.1, 8.3.2, 8.3.3)
  • 8.1 User endpoint devices (6.2.1, 11.2.8)
  • 8.8 Management of technical vulnerabilities (12.6.1, 18.2.3)
  • 8.15 Logging (12.4.1, 12.4.2, 12.4.3)
  • 8.24 Use of cryptography (10.1.1, 10.1.2, 18.1.5)
  • 8.25 Secure development lifecycle (14.1.1, 14.2.1)
  • 8.26 Application security requirements (14.1.2, 14.1.3)
  • 8.29 Security testing in development and acceptance (14.2.8, 14.2.9)
  • 8.31 Separation of development, test and production environments (12.1.4, 14.2.6)
  • 8.32 Change management (12.1.2, 14.2.2, 14.2.3, 14.2.4).

Removed controls

The following controls from ISO 27002:2015 have been removed in the draft 2022 revision:

  • 8.2.3 Handling of assets
  • 11.2.5 Removal of assets
  • 16.1.3 Reporting information security weaknesses.

Whilst these have been removed from the standard, each organisation should undertake a risk assessment of its information security environment, including threats, vulnerabilities, and control effectiveness and co-dependencies prior to removing controls.

Where to from here

The path forward for the release of the new standard varies depending on organisational and individual needs.

  • Currently certified organisations, determine a transition timeframe in consultation with your conformity assessment body/certification body. The expected maximum time frame is 3 years from release of the new standard.
  • Uncertified organisations, consult with your stakeholders to determine an appropriate transition timeframe.
  • Auditors, complete accredited update training or an appropriate bridging course to become familiar with the new requirements.
  • Other practitioners, complete appropriate update training or bridging courses for the new standard and stay on top of information published from reputable sources about the new standard, such as direct from ISO and the information security, cybersecurity and privacy protection technical committee, ISO/IEC JTC 1/SC 27.

Information included within this article is based on information available at the time of publishing – 4 February 2022.

RTP will offer a bridging course to get you qualified to the latest version of the standard. Stay tuned for further information. 

Back to Insights

“The virtual classroom coupled with an enthusiastic trainer made the course easy to run through and as good as any face to face courses I have ever attended.”

It was evident that the trainer had significant industry related experience in auditing. They were able to reinforce learnings and keep us interested by integrating their experiences into the course with relevant and engaging real world examples.

Course was enjoyable and I like the fact that we’re given a copy of the each of the Standards!

Honestly thought it was gonna be boring. I was very wrong! Very engaging and informative. Loved all 5 days and will be back for more courses!

Really enjoyed the training. What could be a very stale topic was delivered in a very engaging and detailed way. I particularly enjoyed the conversational delivery of the content and the practical activities were challenging and well presented. The catering was great too.

Need help finding a course?

Speak directly with a member of the RTP team to decide which course is right for you.

Talk to a training expert

Get 10% off the standard price of our virtually-delivered courses. Download your 2024/25 calendar here.
×
Menu