An important information security standard has been revised

Continuous Control: Newly launched guidance on information security management controls

A newly revised international cybersecurity standard is helping information security professionals consider and implement information security controls to address the latest information security risks. This blog post describes what the revised standard offers, and the benefits businesses will gain from using it.

In a world where data security is essential for every organization, and given the rate of change in technology and cyber security risks, keeping systems and processes up to date with the changing information security landscape needs to be a priority.

ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection – Information Security Controls is the newly revised international standard providing guidance on the selection and implementation of security controls for use within an Information Security Management System (ISMS) based on the requirements in BS EN ISO/IEC 27001.

The revision of this standard brings a modern approach to managing security controls with attributes. It introduces themes and attributes, and updates the candidate controls to reflect current information security concerns and practices. ISO/IEC 27002:2022 aims to provide businesses of every size and sector with a new generation of security control guidance that is modernised, simplified and versatile, granting organisations the autonomy to select and scope security controls as they see fit.

How do standards ISO/IEC 27002 and BS EN ISO/IEC 27001 work together?

BS EN ISO/IEC 27001 provides the essential components and structure for your organization to achieve effective information security management. One of these essential components is the deployment of appropriate information security controls. These controls need to be carefully assessed and considered based on your organization’s risk profile and needs, with the new ISO/IEC 27002 providing the most appropriate control set to consider.

ISO/IEC 27002, on information security controls, serves as a guidance document to help organizations determine and implement recognized information security controls within their information security management system. The guidance within this standard was developed by a committee of international and UK industry experts, based on international consensus on what constitutes best practices.

So what has changed?

Though ISO/IEC 27002:2022 no longer describes itself as a “code of practice”, its intended purpose has not changed. It continues to be a “reference handbook”, providing a referenceable set of information security controls and comprehensive coverage of the ways in which information security controls can be described.

The newly revised standard aims to ensure that no necessary control has been overlooked and that the guidance is consolidated into four key areas, making it easier for businesses to adopt. These four pillars of control are: Organizational, People, Physical, Technological.

As a result, users of the revised standard will find that the existing controls have been restructured and that the number of security controls listed has decreased from 114 to 93, with some controls removed because they no longer reflect best practice.

In the latest version of the ISO/IEC 27002 standard, 11 new controls have been introduced, 24 controls have been merged and 58 controls have been updated. These reflect the evolution of technologies and industry practices, including threat intelligence, information security for the use of cloud services and data leakage prevention. This helps businesses maintain continuous control over their information security even as the nature of cyberattacks changes.

Steve Watkins, Chair of IST 33, says “The welcome update of ISO/IEC 27002 brings the control options and descriptions up to date and introduces the concepts of themes and attributes to assist organisations in their selection and deployment of them to manage cyber security risks.”

To help users of the previous version, BS EN ISO/IEC 27002:2013, understand how to apply the updated 2022 guidance, a new Annex A in ISO/IEC 27002 demonstrates the use of attributes as a way of creating different views of the controls. Additionally, a new Annex B cross-references the 2013 edition control identifiers to provide backwards compatibility.

Why should businesses adopt these changes?

Due to the COVID-19 pandemic, most businesses have been forced to accelerate their digital transformation and rely more on their cloud infrastructure, as many of their employees continue to adapt and move towards a hybrid work model.

Whilst organizations were finding their feet amongst these rapid changes, cybercriminals were finding ways to exploit vulnerabilities within these new systems with ever more sophisticated technology.

Given how many workplaces and day-to-day business operations have digitalized over the pandemic, how does ISO/IEC 27002:2022 support organizations to achieve effective information security management in today’s high-risk environment?

Importantly, this standard assists organisations with the identification, implementation and management of up-to-date information security controls in the current environment. These controls include policies, rules, processes, procedures, organizational structures, and software and hardware solutions.

This helps businesses identify suitable and proportionate controls that are sustainable and that work to increase the overall appropriateness of their information security management systems.

In order to reap the full benefits of this revised standard, each organization should review and consider the new candidate control set specified in ISO/IEC 27002:2022 as appropriate to its business’s changing needs.