ISO 27002:2022 Streamlines Information Security Controls
The ISO 27001 standard was developed to help organizations of any size and type manage digital information securely. Complementing that standard in 2022, ISO 27002:2022 streamlines the security controls, merging some and adding others, and makes them easier to navigate and use.
In addition to ISO 27001, there are other widely accepted information security frameworks available to organizations seeking proven guidance in protecting their digital assets.
The ISO/IEC Family of Documents
This newest document, ISO 27002:2022, is part of the ISO/IEC family of more than a dozen information security standards, which address the protection of information assets ranging from intellectual property and financial information to personnel and payroll data, and more. The standards are promulgated and maintained by the International Standards Organization (ISO) and are published jointly by the ISO and the International Electrotechnical Commission (IEC).
Other documents in the ISO/IEC 27000 family provide supplementary and complementary guidance and requirements that pertain to other aspects of information security management.
Following are several examples. For purposes of this blog, we simply refer to ISO and omit the reference to IEC.
- ISO 27000 – Glossary; defines most of the terms used throughout the ISO 27000 family of documents and describes the scope and objectives of each member of the family.
- ISO 27001 – Managing digital information with an Information Security Management System (ISMS).
- ISO 27011 – Information security standards for telecommunications organizations.
- ISO 27017 – Information security standards for cloud services.
- ISO 27019 – Information security standards for energy organizations.
- ISO 27701 – Privacy standards.
- ISO 27799 – Information security standards for healthcare organizations.
How 27002:2022 Relates to ISO 27001
The universal standard known as ISO 27001 was published in 2005 to delineate the requirements of an effective Information Security Management System (ISMS). This standard continues to apply and is accepted globally throughout the information security industry. It provides a recommended list of controls that can help any organization confirm that all necessary risk mitigation measures are in place, whether for legislative, business, contractual, or regulatory purposes.
The new 27002:2022, which updates the 10-year-old version 27002:2013, supports the implementation of an ISMS based on the requirements of ISO 27001, and in other ways complements and augments the ISO 27001 standard.
What’s New in ISO 27002:2022
Compared with the 2013 version, the 2022 version places a stronger focus on the information security controls themselves: determining which controls are applicable to a given organization, assessing their business value, and implementing them.
Specifically, the 27002:2022 document presents important structural changes from its predecessor. These are outlined below.
- The document title has been modified to Information Security, Cybersecurity and Privacy Protection — Information Security Controls. (The previous version referred to Code of Practice rather than Information Security Controls.)
- The structure of the document has been streamlined. Where the previous version delineated 114 controls, the new 2022 version has reduced that to 93 controls by merging some, deleting others, and adding new controls.
- Rather than 14 categories, the new controls are organized in a simpler fashion according to four themes. The four themes pertain to Organizational controls, Technological controls, Physical controls, and Personnel controls.
- The controls have now been assigned one of five attributes to make them even easier to use. No doubt you will recognize many of these attributes as prevailing security concepts. The five attributes are:
  - Control Type (preventive, detective, and corrective)
  - Information Security Properties (data confidentiality, integrity, and availability)
  - Cybersecurity Concepts (identify, protect, detect, respond, and recover)
  - Operational Capabilities (such as governance and asset management)
  - Security Domains (governance, ecosystem, protection, defense, and resilience)
The new 27002:2022 document is available for purchase through the ANSI Webstore for approximately $250 USD. It can also be purchased directly from the ISO. The ANSI Webstore offers a redlined edition that compares the new 2022 controls with the previous 2013 version to aid users in identifying new content.
How ISO Has Positioned 27002:2022
Technologies continue to evolve. New tools arise. Information takes different forms. And regulatory requirements are amended and expanded. These are among the reasons for the latest update to the information security controls. The ISO recognizes the importance of keeping the information security standards current and relevant, as the 2022 update shows.
Noted in bold type below are some additions to the Background section of 27002:2022, which are new from the previous (2013) version.
“Organizations of all types and sizes (including public and private sector, commercial and non-profit) create, collect, process, store, transmit and dispose of information in many forms, including electronic, physical and verbal (e.g., conversations and presentations).” (Note the addition of accountability for data creation and disposition, for a more thorough life-cycle approach to security.)
“The value of information goes beyond written words, numbers, and images. Knowledge, concepts, ideas, and brands are examples of intangible forms of information. In an interconnected world, information and other associated assets deserve or require protection against various risk sources, whether natural, accidental or deliberate.” (Previously, the other associated assets were specifically identified as ‘related processes, systems, networks and personnel involved in their operation, handling and protection.’)
“Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures, and software and hardware functions. To meet its specific security and business objectives, an organization should define, implement, monitor, review and improve these controls where necessary.” (Responsibility is placed clearly on the individual organization in the 2022 version, where it was not clear in 2013.)
“An ISMS such as that specified in ISO/IEC 27001 takes a holistic, coordinated view of the organization’s information security risks in order to determine and implement a comprehensive suite of information security controls within the overall framework of a coherent management system.” (Responsibility for deciding which controls apply is placed on the individual organization in the 2022 version.)
Focus on Information Security and Risk Assessment
The Information Security Requirements section offers updates to the three primary sources of security requirements for organizations, first by making it very clear the subject is not simply security, as before, but now ‘information security.’ New additions are noted in bold.
It is essential that an organization determines its information security requirements. There are three main sources of information security requirements:
- The assessment of risks to the organization, taking into account the organization’s overall business strategy and objectives. This can be facilitated or supported through an information security-specific risk assessment. This should result in the determination of the controls necessary to ensure that the residual risk to the organization meets its risk acceptance criteria;
- The legal, statutory, regulatory, and contractual requirements that an organization and its interested parties (trading partners, service providers, etc.) have to comply with and their socio-cultural environment;
- The set of principles, objectives, and business requirements for all the steps of the life cycle of information that an organization has developed to support its operations.
Business Value of Controls in Risk Reduction
As additional examples of updated content, the following paragraphs of guidance are completely new to the 27002:2022 document, in the Determining Controls section:
“The organization can design controls as required or identify them from any source. In specifying such controls, the organization should consider the resources and investment needed to implement and operate a control against the business value realized. See ISO/IEC TR 27016 for guidance on decisions regarding the investment in an ISMS and the economic consequences of these decisions in the context of competing requirements for resources.”
“There should be a balance between the resources deployed for implementing controls and the potential business impact from security incidents in the absence of those controls. The results of a risk assessment should help guide and determine the appropriate management action, priorities for managing information security risks, and for implementing controls determined necessary to protect against these risks.”
This guidance is consistent with the rest of the document in recommending that organizations consider an ISMS in the larger context of managing the business, and it reinforces the use of a security risk assessment as the basis for making informed decisions.
Business Value
The updates shared here today represent much of the new content in the 27002:2022 document. However, the streamlined controls themselves, and the themes and attributes that are brand-new to the information security controls structure, are not available without purchasing the document. Documents are available for purchase from the ANSI Webstore or from the International Standards Organization.
Alternatively, an organization interested in improving information security, or in implementing an effective information security management system, can work with a professional ISO consultant who has experience with the ISO 27001 standard and access to the complete 27002:2022 document.
Summary
Many organizations have chosen to implement the ISO 27001 standard in order to ensure robust, comprehensive information security. This standard may be applied in conjunction with other regulatory requirements, such as the HIPAA Security Rule, the healthcare ONC and CMS Rules, the Gramm-Leach-Bliley Act, FFIEC, and other regulations with provisions for information and data security.
While becoming officially certified to the ISO 27001 standard is optional, some organizations decide to take this additional step in order to reassure stakeholders that the standard has been properly implemented to protect their assets.
The ISO 27001 standard for an Information Security Management System is as valid today as ever in enabling an organization to detect, resolve, and survive a data security breach. For organizations just beginning the ISMS implementation journey, reference to the streamlined information security controls structure in 27002:2022 is highly recommended.
For information on preparing to implement ISO 27001, please contact a cybersecurity expert for a free consultation.