In an attempt to modernise the security control framework, the new version of ISO 27002:2022 is out. I wondered if anyone had looked remarkably at the latest version to determine the level of modernising that might have been in implementation.
I’m interested in views of the new format and structure, whether it achieves its aims of modernising the security control framework to meet the challenges of modern architectures?
What is the current version of ISO 27002?
What's new in ISO 27002:2022? ISO 27002:2013 contained 114 controls, divided over 14 chapters. This has been restructured, the 2022 version contains 93 controls, divided over 4 chapters: 5.
How many controls are there in ISO 27002?
Published in October 2013, the latest version of ISO 27002 covers 14 security controls areas (numbered from 5 to 18), with implementation guidance and requirements for each specific control.
How does the ISO IEC 27001 differ from ISO IEC 27002?
The key difference between ISO 27001 and ISO 27002 is that ISO 27002 is designed to use as a reference for selecting security controls within the process of implementing an Information Security Management System (ISMS) based on ISO 27001. Organisations can achieve certification to ISO 27001 but not ISO 27002.
What is the purpose of ISO 27002?
The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.
What is the ISO 27002 standard?
What is ISO 27002? ISO 27002 is a supplementary standard that focuses on the information security controls that organizations might choose to implement. These controls are listed in Annex A of ISO 27001, which is what you'll often see information security experts refer to when discussing information security controls.
ISO 27001 vs. ISO 27002: What’s the difference?
https://www.itgovernance.co.uk/blo g/understanding-the-differences-between-iso-27001-and-iso-27002
You will benefit from reading: https://ictinstitute.nl/iso270022022-what-is-new/
It means that threat intelligence and data masking stand out in this modernisation of the Controls. In a way, the restructuring of the ISO27002 should be taken as modernising the security framework.
Yes, I have looked at it.
It is an improvement on the 27002:2013 version, in that there is a more logical grouping of controls (less chapters).
There are some new controls, relating to cloud, bmc, physical security, data removal, data masking, preventing data-leakage (those last three are GDPR inspired), web filters, secure coding, configuration management and last but not least, threat-profiling.
So, some old and some new. You asked about architecture - but this is not an architecture document, not in 2013 and not now. It needs applying to your enterprise architecture.
I got more information about the new ISO27002 as follows:
ISO27002 is currently a ‘code of practice’ rather than a standard. This revision will promote it to be a standard in its own right.
It extends the current information security controls into cyber security and privacy.
The revised set of controls is now into 4-themes (Organisational, people, physical and technological).
The new control framework will be incorporated into ISO27001 (replacing the existing Annex-A) at its next revision – later this year.
Certified organisations will need to have incorporated it into their ISMS within the next couple of years.
Things are more transparent and better with this ISO.