Changes in the upcoming version of ISO 27001 and 27002

An organisation that is not yet certified and is preparing for certification, or plans to do so in the near future, will probably want to go directly to the 2022 version. An organisation that is already certified may stay on the 2013 version for some time, but should make a plan to transition to the new edition. At the time of writing the transition period was expected to be 2 years from publication (there is no obligation to move during that window, but from an efficiency perspective it is advisable to go straight to the ISO27k 2022 version); the IAF subsequently fixed the transition deadline for ISO/IEC 27001:2022 at 31 October 2025, so check the arrangements of your accreditation and certification body. The language version an organisation is certified against also needs to be considered, since national translations naturally come out later. For example, the Slovak translation will only be available once it has been created, approved and published in the SUTN catalogue.

The advantage of the new edition is that every control now carries attributes, so it is easier to focus on a specific selection of controls (for example all detective controls, or all controls that support the Detect function). This can reduce the compliance burden and/or show how the security processes in question can be better integrated, making the ISMS easier to implement, maintain and manage.

The main aspects that organisations certified to ISO 27001 will need to address when migrating to the new version are:

  • The risk management process references Annex A, so the risk treatment should, but does not strictly have to, be re-mapped to the new controls. It is not mandatory: controls that reduce risks to (or below) the acceptable residual risk level may come from any source (a risk catalogue). In terms of consultants' work, we are working with an (extended) version that contains all the original ISO27k Annex A controls (so that the customer's compliance can be declared cleanly before the certification body at audit), and we will have to adapt both the asset catalogue and the risk management and risk analysis methodology.
  • The Statement of Applicability will have to be changed to reflect the new Annex A controls (likewise consulting activities such as an ISO 27k GAP analysis at the customer).
  • Adjusting metrics so that they measure the new and the changed controls.
  • Revising the set of policies and guidelines that make up the ISMS, since these reflect (usually differently in each organisation) the defined controls.
  • Revising third-party (supplier) management.
  • Revising the internal audit plan so that it covers the current control set.
  • Updating audit checklists and compliance checklists for GAP analyses, internal audits, etc.

Date and status of changes in standards: ISO/IEC 27002:2022 was published on 15 February 2022. ISO/IEC 27001:2022, whose Annex A is derived from it, followed on 25 October 2022; the 2013 editions remain valid for certified organisations only until the transition period ends.

Main changes to ISO 27002:

  • The words "Code of practice" have been removed from the title
  • The structure of the document has changed
  • Some controls have been merged, some renamed, one split and some new controls introduced; none of the 2013 controls is dropped without a successor
  • Controls are now grouped into 4 themes (93 controls in total, down from 114):
    • Organisational controls (37 controls)
    • People controls (8 controls)
    • Physical controls (14 controls)
    • Technological controls (34 controls)

Each control now carries 5 attributes (written as hashtags, #, in the standard), which can be used to filter and group controls:

  1. Control type - #Preventive, #Detective, #Corrective
  2. Information security properties - #Confidentiality, #Integrity, #Availability
  3. Cybersecurity concepts - #Identify, #Protect, #Detect, #Respond, #Recover (the functions of the NIST Cybersecurity Framework, as used in ISO/IEC TS 27110)
  4. Operational capabilities - #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
  5. Security domains - #Governance_and_Ecosystem, #Protection, #Defence, #Resilience
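The attribute tagging is what makes the "focus on a specific selection of controls" point practical. The following is an added example (not code from the standard, the page or any certification body) that encodes a subset of the 2022 controls with their five attribute families and slices the catalogue by any combination of facets, then reports which tags of a facet a chosen subset leaves uncovered. The attribute values in the sample catalogue were transcribed for illustration and must be checked against the attribute table printed with each control in ISO/IEC 27002:2022 before being relied on; the facet and function names are this example's own.

```python
"""Attribute-based selection of ISO/IEC 27002:2022 controls (added example)."""
from dataclasses import dataclass, fields

# Closed vocabularies for four of the five attribute families (ISO/IEC 27002:2022, 4.2).
# "capabilities" has 15 values in the standard and is left open here.
CONTROL_TYPES = frozenset({"Preventive", "Detective", "Corrective"})
PROPERTIES = frozenset({"Confidentiality", "Integrity", "Availability"})
CONCEPTS = frozenset({"Identify", "Protect", "Detect", "Respond", "Recover"})
DOMAINS = frozenset({"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"})
FACET_VOCAB = {"control_type": CONTROL_TYPES, "properties": PROPERTIES,
               "concepts": CONCEPTS, "domains": DOMAINS}


@dataclass(frozen=True)
class Control:
    ref: str
    title: str
    control_type: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset


def control(ref, title, types, props, concepts, caps, domains):
    """Build a Control from space-separated tag strings and reject tags outside
    the closed vocabularies, so a typo cannot silently hide a coverage gap."""
    ctl = Control(ref, title, frozenset(types.split()), frozenset(props.split()),
                  frozenset(concepts.split()), frozenset(caps.split()),
                  frozenset(domains.split()))
    for facet, vocab in FACET_VOCAB.items():
        bad = getattr(ctl, facet) - vocab
        if bad:
            raise ValueError(f"{ref}: unknown {facet} tag(s) {sorted(bad)}")
    return ctl


# Sample catalogue (constructed subset). Attribute values transcribed for
# illustration; verify each row against the standard before relying on it.
CIA = "Confidentiality Integrity Availability"
CATALOGUE = [
    control("5.7", "Threat intelligence", "Preventive Detective Corrective", CIA,
            "Identify Detect Respond", "Threat_and_vulnerability_management",
            "Defence Resilience"),
    control("5.23", "Information security for use of cloud services", "Preventive", CIA,
            "Protect", "Supplier_relationships_security", "Governance_and_Ecosystem Protection"),
    control("5.30", "ICT readiness for business continuity", "Corrective", "Availability",
            "Respond", "Continuity", "Resilience"),
    control("7.4", "Physical security monitoring", "Preventive Detective", CIA,
            "Protect Detect", "Physical_security", "Protection Defence"),
    control("8.9", "Configuration management", "Preventive", CIA, "Protect",
            "Secure_configuration", "Protection"),
    control("8.10", "Information deletion", "Preventive", "Confidentiality", "Protect",
            "Information_protection Legal_and_compliance", "Protection"),
    control("8.11", "Data masking", "Preventive", "Confidentiality", "Protect",
            "Information_protection", "Protection"),
    control("8.12", "Data leakage prevention", "Preventive Detective", "Confidentiality",
            "Protect Detect", "Information_protection", "Protection Defence"),
    control("8.13", "Information backup", "Corrective", "Integrity Availability", "Recover",
            "Continuity", "Protection"),
    control("8.15", "Logging", "Detective", CIA, "Detect",
            "Information_security_event_management", "Protection Defence"),
    control("8.16", "Monitoring activities", "Detective Corrective", CIA, "Detect Respond",
            "Information_security_event_management", "Defence"),
    control("8.23", "Web filtering", "Preventive", CIA, "Protect",
            "System_and_network_security", "Protection"),
    control("8.28", "Secure coding", "Preventive", CIA, "Protect",
            "Application_security System_and_network_security", "Protection"),
]

FACETS = {f.name for f in fields(Control)} - {"ref", "title"}


def select(catalogue, **facets):
    """Controls carrying every requested tag in every requested facet (facets are AND-ed).
    select(CATALOGUE, control_type={"Detective"}, concepts={"Detect"}) is the set a
    detection-focused scope would start from."""
    wanted = {facet: frozenset(tags) for facet, tags in facets.items()}
    unknown = set(wanted) - FACETS
    if unknown:
        raise ValueError(f"unknown facet(s): {sorted(unknown)}")
    return [ctl for ctl in catalogue
            if all(getattr(ctl, facet) >= tags for facet, tags in wanted.items())]


def coverage_gaps(selected, facet):
    """Tags of a closed-vocabulary facet that no control in `selected` carries.
    Run on a proposed SoA subset to see which concepts/domains it leaves empty."""
    covered = frozenset().union(*(getattr(ctl, facet) for ctl in selected))
    return sorted(FACET_VOCAB[facet] - covered)
```

Selecting by `capabilities={"Information_protection"}` returns 8.10, 8.11 and 8.12 and `coverage_gaps(..., "concepts")` then reports Identify, Respond and Recover as uncovered, which is exactly the kind of check that tells an ISMS owner that a data-protection-only scope has no response or recovery control behind it.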

ISO/IEC 27002:2022 introduces 11 new controls. (Higher counts that circulated before publication, such as the 12 in the ANSI blog cited below or 17 in some other summaries, come from counting renamed or merged controls as new.)

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Controls that are often mistaken for new ones but are in fact renamed or merged 2013 controls include Identity management (5.16), Authentication information (5.17), Managing information security in the ICT supply chain (5.21), Remote working (6.7), Storage media (7.10), User endpoint devices (8.1), Application security requirements (8.26) and Secure system architecture and engineering principles (8.27).

Sixteen 2013 controls no longer appear as stand-alone controls; they were merged into other controls because of duplication or better fit. Annex B of ISO/IEC 27002:2022 maps every 2013 control to its 2022 counterpart, so none of these is simply dropped and their requirements still have to be covered:

  • Review of the policies for information security (5.1.2)
  • Mobile device policy (6.2.1)
  • Ownership of assets (8.1.2)
  • Handling of assets (8.2.3)
  • Password management system (9.4.3)
  • Delivery and loading areas (11.1.6)
  • Removal of assets (11.2.5)
  • Unattended user equipment (11.2.8)
  • Protection of log information (12.4.2)
  • Restrictions on software installation (12.6.2)
  • Electronic messaging (13.2.3)
  • Securing application services on public networks (14.1.2)
  • Protecting application services transactions (14.1.3)
  • System acceptance testing (14.2.9)
  • Reporting information security weaknesses (16.1.3)
  • Technical compliance review (18.2.3)

A few examples of the above:

  1. "Inventory of assets" (8.1.1) becomes 5.9 "Inventory of information and other associated assets".
  2. "Acceptable use of assets" (8.1.3) becomes 5.10 "Acceptable use of information and other associated assets".
  3. "Policy on the use of cryptographic controls" (10.1.1) and "Key management" (10.1.2) are merged into 8.24 "Use of cryptography".
  4. "Event logging" (12.4.1), "Protection of log information" (12.4.2) and "Administrator and operator logs" (12.4.3) are merged into 8.15 "Logging"; 8.16 "Monitoring activities" is a new control, not a renamed one.
  5. "Information transfer policies and procedures" (13.2.1), "Agreements on information transfer" (13.2.2) and "Electronic messaging" (13.2.3) are combined into 5.14 "Information transfer".

List of controls according to ISO 27002:2022 (new = not present in the 2013 edition; change = renamed or merged):

  • ISO 27002 5 Organisational controls
  • ISO 27002 5.1 Policies for information security
  • ISO 27002 5.2 Information security roles and responsibilities
  • ISO 27002 5.3 Segregation of duties
  • ISO 27002 5.4 Management responsibilities
  • ISO 27002 5.5 Contact with authorities
  • ISO 27002 5.6 Contact with special interest groups
  • ISO 27002 5.7 Threat intelligence - new
  • ISO 27002 5.8 Information security in project management
  • ISO 27002 5.9 Inventory of information and other associated assets - change
  • ISO 27002 5.10 Acceptable use of information and other associated assets - change
  • ISO 27002 5.11 Return of assets
  • ISO 27002 5.12 Classification of information
  • ISO 27002 5.13 Labelling of information
  • ISO 27002 5.14 Information transfer - change
  • ISO 27002 5.15 Access control
  • ISO 27002 5.16 Identity management - change
  • ISO 27002 5.17 Authentication information - change
  • ISO 27002 5.18 Access rights - change
  • ISO 27002 5.19 Information security in supplier relationships
  • ISO 27002 5.20 Addressing information security within supplier agreements
  • ISO 27002 5.21 Managing information security in the ICT supply chain - change
  • ISO 27002 5.22 Monitoring, review and change management of supplier services - change
  • ISO 27002 5.23 Information security for use of cloud services - new
  • ISO 27002 5.24 Information security incident management planning and preparation - change
  • ISO 27002 5.25 Assessment and decision on information security events
  • ISO 27002 5.26 Response to information security incidents
  • ISO 27002 5.27 Learning from information security incidents
  • ISO 27002 5.28 Collection of evidence
  • ISO 27002 5.29 Information security during disruption - change
  • ISO 27002 5.30 ICT readiness for business continuity - new
  • ISO 27002 5.31 Legal, statutory, regulatory and contractual requirements
  • ISO 27002 5.32 Intellectual property rights
  • ISO 27002 5.33 Protection of records
  • ISO 27002 5.34 Privacy and protection of PII
  • ISO 27002 5.35 Independent review of information security
  • ISO 27002 5.36 Compliance with policies, rules and standards for information security
  • ISO 27002 5.37 Documented operating procedures

ISO 27002 6 People controls

  • ISO 27002 6.1 Screening
  • ISO 27002 6.2 Terms and conditions of employment
  • ISO 27002 6.3 Information security awareness, education and training
  • ISO 27002 6.4 Disciplinary process
  • ISO 27002 6.5 Responsibilities after termination or change of employment
  • ISO 27002 6.6 Confidentiality or non-disclosure agreements
  • ISO 27002 6.7 Remote working - change
  • ISO 27002 6.8 Information security event reporting

ISO 27002 7 Physical controls

  • ISO 27002 7.1 Physical security perimeters
  • ISO 27002 7.2 Physical entry
  • ISO 27002 7.3 Securing offices, rooms and facilities
  • ISO 27002 7.4 Physical security monitoring - new
  • ISO 27002 7.5 Protecting against physical and environmental threats
  • ISO 27002 7.6 Working in secure areas
  • ISO 27002 7.7 Clear desk and clear screen
  • ISO 27002 7.8 Equipment siting and protection
  • ISO 27002 7.9 Security of assets off-premises
  • ISO 27002 7.10 Storage media - change
  • ISO 27002 7.11 Supporting utilities
  • ISO 27002 7.12 Cabling security
  • ISO 27002 7.13 Equipment maintenance
  • ISO 27002 7.14 Secure disposal or re-use of equipment

ISO 27002 8 Technological controls

  • ISO 27002 8.1 User endpoint devices - change
  • ISO 27002 8.2 Privileged access rights
  • ISO 27002 8.3 Information access restriction
  • ISO 27002 8.4 Access to source code
  • ISO 27002 8.5 Secure authentication
  • ISO 27002 8.6 Capacity management
  • ISO 27002 8.7 Protection against malware
  • ISO 27002 8.8 Management of technical vulnerabilities
  • ISO 27002 8.9 Configuration management - new
  • ISO 27002 8.10 Information deletion - new
  • ISO 27002 8.11 Data masking - new
  • ISO 27002 8.12 Data leakage prevention (DLP) - new
  • ISO 27002 8.13 Information backup
  • ISO 27002 8.14 Redundancy of information processing facilities
  • ISO 27002 8.15 Logging - change
  • ISO 27002 8.16 Monitoring activities - new
  • ISO 27002 8.17 Clock synchronization
  • ISO 27002 8.18 Use of privileged utility programs
  • ISO 27002 8.19 Installation of software on operational systems
  • ISO 27002 8.20 Networks security
  • ISO 27002 8.21 Security of network services
  • ISO 27002 8.22 Segregation of networks
  • ISO 27002 8.23 Web filtering - new
  • ISO 27002 8.24 Use of cryptography - change
  • ISO 27002 8.25 Secure development life cycle (SDLC/SSDLC)
  • ISO 27002 8.26 Application security requirements - change
  • ISO 27002 8.27 Secure system architecture and engineering principles - change
  • ISO 27002 8.28 Secure coding - new
  • ISO 27002 8.29 Security testing in development and acceptance
  • ISO 27002 8.30 Outsourced development
  • ISO 27002 8.31 Separation of development, test and production environments
  • ISO 27002 8.32 Change management
  • ISO 27002 8.33 Test information
  • ISO 27002 8.34 Protection of information systems during audit testing

Sources:  

  1. https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:dis:ed-3:v1:en
  2. https://www.iso.org/standard/75652.html
  3. https://blog.ansi.org/?p=168607
  4. https://blog.ansi.org/anab/changes-new-iso-iec-27001-iso-iec-27002/
  5. https://hightable.io/the-ultimate-guide-to-iso-27002-changes-2022/#iso-27002-6-people-controls