Are you ready for the ISO 27002 changes?

The International Organisation for Standardisation (ISO) has made changes to the ISO 27002 control framework.

For the first time in 20 years, ISO 27002 has changed its structure considerably. These changes are significant, and your organisation needs to be prepared.

Here’s what we know:

  • Currently, the only known change to ISO 27001 is an update to the Annex A Controls to align with the new version of ISO 27002
  • The International Accreditation Forum and accreditation bodies is expected to confirm the length of the fixed transition period. It is thought that it will be either 12 or 24 months. If the transition period is granted at 12 months, any ISO 27001 certification or surveillance audit after March 2023 will need to use the new framework

What are the main changes to ISO 27002? 

Both the controls and their classifications have changed for ISO 27002.

From the previous 114 controls categorised by Information Security Domains, there are now 93 controls across 4 clauses, categorised by themes:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

Among the 94 controls, there are 12 new controls that reflect the changing technical and threat landscapes:

  • Threat intelligence
  • Identity management
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Secure coding

ISO 27002’s latest revision also features 24 merged controls and 58 updated controls, aligned accordingly.

ISO27002 Attributes 

Changes to ISO27002 have introduced ‘Attributes’ allowing your organisation to create different views, which are different categorisations on controls, as seen from different perspectives to the themes.

These attributes can be used to filter, sort, or present controls in various views for different audiences and purposes. However, the use of attributes is not mandatory.

For public sector organisations within education, healthcare, government, charities, and housing, creating attributes and values that apply specifically to your sector may be a possibility and Phoenix is available to support you with this.

How do the ISO 27002 changes impact you?

A change of this nature and magnitude will circulate through your ISO 27001 ISMS, so we recommend setting aside some time and resource to action anything relevant from the updates between your next certification and the one following that.

These are the most significant actions to expect:

  • Assessing the gap between your current controls against the new ISO 27002 standard: a cost-effective way to do this is to include this in your next ISO 27001 ISMS internal audit
  • Revisiting your context: this should be actioned at least once a year and the changes provide the perfect opportunity for this
  • Updating your risk assessment: the controls you use to mitigate risks have been updated, therefore you should also update how you assess any risks
  • Rebuilding your Statement of Applicability (SOA): the risk assessment updates, plus the changes in the new Annex A will require an update to your SOA
  • Evaluating which of your policies, standards, and procedures need updating to reflect the changes and implementing new versions of those that require it
  • Upgrading key tools within your environment, such as your governance, risk, and compliance (GRC) platform, or SIEM reporting: this will ensure that items used to demonstrate compliance are aligned with the new requirements
  • Updating your Security Metrics to reflect your risk assessment and Annex A changes and your ISMS Internal Audit Program to mirror changes to your ISMS

The benefits of the ISO 27002 changes

  • The new controls align well with new risks, and when successfully implemented, they will better protect your organisation
  • The new controls align with NIST’s cyber security framework and its ‘five functions’ (identify, protect, detect, respond, and recover) making maintaining an environment aligned with both ISO 27001 and NIST guidance more simple.
  • The attributes within ISO 27002 provide additional taxonomy that make security documentation much easier to work with


Support your organisation with the ISO 27002 changes

We’re here to help keep things simple and compliant. If you’re unsure which of the ISO 27002 changes are relevant to your organisation or you’d like support reviewing, writing, auditing, or commissioning a gap between the old and the new, speak to our governance, risk, and compliance team. Our ISO accredited auditors are aligned to certified auditors, who work alongside leading certification bodies.

Book your free, one-to-one consultation below.

Book now

Tracey Hannan-Jones

Guest Author