The ISO 27001 standard was developed to assist organizations of any size and type in securely managing digital information. Complementing this standard in 2022, ISO 27002:2022 streamlines the security controls, merging some and adding others, and makes them easier to navigate and use.
In addition to ISO 27001, there are other widely accepted information security frameworks available to organizations seeking proven guidance in protecting their digital assets.
This newest document, ISO 27002:2022, is part of the ISO/IEC family of more than a dozen information security standards, which specifically protect information assets ranging from intellectual property and financial information to personnel and payroll data, and more. The standards are promulgated and maintained by the International Standards Organization (ISO) and are published by the ISO and the International Electrotechnical Commission (IEC).
Other documents in the ISO/IEC 27000 family provide supplementary and complementary guidance and requirements that pertain to other aspects of information security management.
Following are several examples. For purposes of this blog, we simply refer to ISO and omit the reference to IEC.
The universal standard known as ISO 27001 was published in 2005 to delineate the requirements of an effective Information Security Management System (ISMS). This standard continues to apply and is accepted globally throughout the information security industry. It provides a recommended list of controls that can help any organization confirm that all necessary risk mitigation measures are in place, whether for legislative, business, contractual, or regulatory purposes.
The new 27002:2022, which updates the 10-year-old version 27002:2013, supports the implementation of an ISMS based on the requirements of ISO 27001, and in other ways complements and augments the ISO 27001 standard.
In comparing v2022 to v2013, there seems to be a stronger focus on information security controls, including the determination of which controls are applicable to a given organization, as well as guidance for assessing their business value and for implementing the controls.
Specifically, the 27002:2022 document presents important structural changes from its predecessor. These are outlined below.
The new 27002:2022 document is available for purchase through the ANSI Webstore for approximately $250 USD. It can also be purchased directly from the ISO. The ANSI Webstore offers a redlined edition that compares the new 2022 controls with the previous 2013 version to aid users in identifying new content.
Technologies continue to evolve, new tools arise, information takes new forms, and regulatory requirements are amended and expanded. These are among the reasons for the latest update to the information security controls. The ISO recognizes the importance of keeping the information security standards current and relevant, as evidenced by the 2022 update.
“Organizations of all types and sizes (including public and private sector, commercial and non-profit) create, collect, process, store, transmit and dispose of information in many forms, including electronic, physical and verbal (e.g., conversations and presentations).” (Note the addition of accountability for data creation and disposition, for a more thorough life-cycle approach to security.)
“The value of information goes beyond written words, numbers, and images. Knowledge, concepts, ideas, and brands are examples of intangible forms of information. In an interconnected world, information and other associated assets deserve or require protection against various risk sources, whether natural, accidental or deliberate.” (Previously, the other associated assets were specifically identified as ‘related processes, systems, networks and personnel involved in their operation, handling and protection.’)
“Information security is achieved by implementing a suitable set of controls, including policies, rules, processes, procedures, organizational structures, and software and hardware functions. To meet its specific security and business objectives, an organization should define, implement, monitor, review and improve these controls where necessary.” (Responsibility is placed clearly on the individual organization in the 2022 version, where it was not clear in 2013.)
“An ISMS such as that specified in ISO/IEC 27001 takes a holistic, coordinated view of the organization’s information security risks in order to determine and implement a comprehensive suite of information security controls within the overall framework of a coherent management system.” (Responsibility for deciding which controls apply is placed on the individual organization in the 2022 version.)
The Information Security Requirements section offers updates to the three primary sources of security requirements for organizations, first by making it very clear that the subject is not simply ‘security,’ as before, but now ‘information security.’ New additions are noted in bold.
It is essential that an organization determines its information security requirements. There are three main sources of information security requirements:
“The organization can design controls as required or identify them from any source. In specifying such controls, the organization should consider the resources and investment needed to implement and operate a control against the business value realized. See ISO/IEC TR 27016 for guidance on decisions regarding the investment in an ISMS and the economic consequences of these decisions in the context of competing requirements for resources.”
“There should be a balance between the resources deployed for implementing controls and the potential business impact from security incidents in the absence of those controls. The results of a risk assessment should help guide and determine the appropriate management action, priorities for managing information security risks, and for implementing controls determined necessary to protect against these risks.”
This guidance is consistent with the rest in recommending organizations consider an ISMS in the larger context of managing the business and reinforces the use of a security risk assessment as a basis for making informed decisions.
The updates shared here today represent much of the new content in the 27002:2022 document. However, the streamlined controls themselves, and the themes and attributes that are brand-new to the information security controls structure, are not available without purchasing the document. Documents are available for purchase from the ANSI Webstore or from the International Standards Organization.
Alternatively, an organization interested in improving information security, or in implementing an effective information security management system, can work with a professional ISO consultant who has experience with the ISO 27001 standard and access to the complete 27002:2022 document.
Many organizations have chosen to implement the ISO 27001 standard in order to ensure robust, comprehensive information security. This standard may be applied in conjunction with other regulatory requirements, such as the HIPAA Security Rule, the healthcare ONC and CMS Rules, the Gramm-Leach-Bliley Act, FFIEC, and other regulations with provisions for information and data security.
While becoming officially certified to the ISO 27001 standard is optional, some organizations decide to take this additional step in order to reassure stakeholders that the standard has been properly implemented to protect their assets.
The ISO 27001 standard for an Information Security Management System is as valid today as ever in enabling an organization to detect, resolve, and survive a data security breach. For organizations just beginning the ISMS implementation journey, reference to the streamlined information security controls structure in 27002:2022 is highly recommended.
For information on preparing to implement ISO 27001, please contact a cybersecurity expert for a free consultation.