Kozue Connor
Kozue Connor Kozue is an expert in the field of Risk, Business Continuity and Cyber Security Management. She has developed management systems for numerous clients

The 2022 update to ISO/IEC 27001/2

The 2022 update to ISO/IEC 27001/2

A new version of the globally accepted set of security control guidelines, ISO/IEC 27002:2022 was published on 15 February 2022. ISO/IEC 27002 is a part of the ISO/IEC 27000 series and a supplemental standard of the main standard ISO/IEC 27001. ISO/IEC 27001 is expected to be revised sometime soon as well.

This article was written with Tom Degol and our Information Security Competence Center.

What is ISO/IEC 27001, ISO/IEC 27002 and what is the difference?

ISO/IEC 27001 is one of the most common frameworks globally used for Information Security Management System (ISMS). Companies can get ISO/IEC 27001 certified and therefore this certification is obtained by many organizations as a competitive advantage or as proof of trust towards 3rd parties.

ISO/IEC 27001 consists out of two main sections: the management section and the control section Annex A. The management part defines the requirements for the management system itself (based on a Plan-Do-Check-Act cycle) and contains key elements such as governance, resources, operation including risk management and performance evaluation. The Annex A is a reference set of information security controls and indicates what is expected by the standard to be implemented/present. Not all of these controls are mandatory in order to get ISO/IEC 27001 certified. ISO/IEC 27002 is the implementation guidance of the controls listed in ISO/IEC 27001 Annex A.

What are the major changes?

The main part of ISO/IEC 27001 will not be changed, only the Annex A will be updated and thus ISO/IEC 27002:2022 as well. The biggest change is the number of control domains; controls were divided into 14 domains in version 2013, but now they are divided into 4 big domains in version 2022. Total number of controls was reduced from 114 to 93 even though new controls were added since many controls were removed/merged.

Version 2013 Version 2022
Number of control domains

14 domains

e.g., Access control, Cryptography

4 domains

  1. Organizational controls

  2. People controls

  3. Physical controls

  4. Technological controls

Number of controls 114 controls

93 controls

a) 37 controls, b) 8, c) 14, d) 34

Controls

What is the impact on your company?

If your company maintains ISO/IEC 27001 certification or is working towards ISO/IEC 27001 certification, it is required to review your ISMS. ISO/IEC 27001:2013 and ISO/IEC 27002:2013 were published more than 8 years ago and the IT landscape together with its technologies and threats have been changed a lot in the meantime. Cloud service is an example; lots of companies have been migrating their IT systems from its own premises/data center to cloud services and therefore a new control “information security for use of cloud service” was newly added to the Annex A.

Nevertheless, ISO foresees a 3-year transition period when they revise a standard. That means your certification will not expire when new ISO/IEC 27001 standard will be published, but only at the end of the 3-year transition period. ISO/IEC 27001 certification expires after 3 years anyway. In practice, you have to update your ISMS by the next certification audit, if necessary.

However, as mentioned above, the changes are only related to the Annex A of ISO/IEC 27001, the reference set of controls. In most cases, drastic changes to the ISMS management part are not required but some additional controls may need to be implemented based on your current IT environment. At least the Statement of Applicability (SoA) must be updated to align with the new control list.

If you need any assistance by reviewing/implementing (new) controls or have any questions about your ISMS or cybersecurity in general, feel free to contact us.


References

ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements