ISO 27002
ISO 27002 is the internationally recognized standard for information security. The new edition of ISO/IEC 27002:2022 contains updated security measures and procedures that correspond to the current threats and challenges of the digital world.
How to Protect Your Company From Threats
The standard offers a practice-oriented approach to building an effective information security management system (ISMS), making it an important resource for companies of all sizes and industries. The standard is based on the "Code of Practice for Information Security Management" of the British Standards Institute (BSI) and the "Information Security Management System Standard" of the International Organization for Standardization (ISO).
However, implementing ISO 27002 requires more than just reading the standard and following a few basic rules. Rather, the company must implement a security management system (SMS) that covers all aspects of information security. Key elements of an SMS include a risk analysis, security policies, procedures and controls, and monitoring and testing procedures.
The risk analysis is the basis for all further activities within the framework of ISO 27002. It should be carried out regularly to ensure that the SMS corresponds to the current threats. Based on the risk analysis, security guidelines are developed that describe in detail which measures should be taken to protect data and systems. All employees must comply with these guidelines.
Achieving and Maintaining Compliance
Procedures and controls are technical or organizational measures taken to protect data and systems. For example, they may include encrypting data, using firewalls, or regularly checking access permissions. Monitoring and testing procedures should be performed on a regular basis to ensure that all components of the SMS are working and that there are no vulnerabilities.
Compliance with ISO 27002 is therefore a complex undertaking that requires a high level of commitment and effort. However, organizations should be aware that this is an investment in the future viability of the company that can be very rewarding in the long term.
The main changes to ISO 27002:2022
Apart from changing the title (formerly: "Information technology - Security techniques - Code of practice for Information security controls"), the structure of the controls has been changed by assigning attributes to the controls, among other things. Furthermore, some controls have been merged, the control descriptions have been updated and some controls have been deleted. The above changes will be included in the ISO 27001 update and will be mandatory for future ISO 27001 certifications. The changes relate exclusively to Appendix A of the standard.
Overall, the number of controls was reduced from 114 to 93. This is due to advances in technology and a better understanding of how to implement security measures. The new ISO 27002:2022 includes a total of 93 controls, which are divided into four sections:
- Organizational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
Apart from the changed control number, 35 controls have remained unchanged. In addition, eleven new controls have been added and 23 controls have been renamed for better understanding.
The scope of ISO/IEC 27007:2022 now includes the following eleven new controls:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Transition from ISO 27001
Although the additional eleven measures increase the implementation effort for a company, the new points are important. It is particularly noteworthy that, in contrast to the 2013 version, the new standard also takes cloud use into account. While the topic of cloud use was still marginal ten years ago, the cloud is now an indispensable part of everyday business for most companies.
The disadvantage of combining controls, however, is that it becomes more difficult for companies to rule out measures as inapplicable if they do not fit the company's field of activity.
Companies whose information security management systems have already been implemented according to ISO 27001 have nothing to fear for the time being, because regardless of the changes caused by ISO 27002, a transition period of two years applies to certified companies, starting with the official update of the ISO 27001 to ensure compliance with the new controls.
Concrete Need for Action
The wait for the new standard was worth it. Apart from the fact that information security is now seen in a global context, efforts are being made to take into account new and, above all, modern scenarios and risks with regard to cybersecurity. In addition, data protection is of greater importance. Even if companies that have already implemented an information security management system according to ISO 27001 do not have to arrange anything else for the time being, it is advisable to familiarize themselves with the new and, in some cases, extended requirements of ISO/IEC 27002 as soon as possible, as well as the corresponding processes and adapt systems appropriately.
Do you have questions about ISO 27002?
Our range of ISO 27002:2022 audit and training services is suitable for companies and organizations of all sizes. Do you have questions about ISO 27002?
