The only constant is change. Even for ISO standards.
The original version of ISO 27001 was published in 2005, with minor updates in 2013 and now, finally, a moderately sized update in 2022. That's about one update per decade! In a fast-changing industry like cyber and information security that could be seen as a bad thing. But ISO 27001, like ISO itself, is a steady ship in a fast-changing environment. This differs from, say, the Australian Government Information Security Manual (ISM), which was being updated monthly to keep pace with changes to the environment but has now slowed to quarterly updates. The unintended consequence of too-frequent change is a paralysis-by-analysis loop that, if not broken, represents a missed opportunity for achieving tangible improvement.
In this article, we are going to explore what has changed in ISO 27002:2022, including control additions, the reasons behind those additions, and reductions (or rather merged or condensed controls). In a follow-up article, we will perform a deep-dive analysis of the characteristics of controls found in ISO 27002:2022 versus the 2013 version, and versus the NIST Cyber Security Framework.
We will use this analysis to highlight the strengths and weaknesses of ISO/IEC 27002:2022 and how you can utilize the new version. Keep in mind that we're actually talking about the guidelines found in ISO 27002 and not the certification requirements found in ISO 27001. But it won't be long until the certification requirements are updated too.
So Roughly What Has Changed?
The biggest change is attributes
Perhaps the biggest change introduced by ISO 27002:2022 is not within the controls themselves but in the control metadata. ISO 27002:2022 introduces the concept of attributes, including control type, information security properties, cybersecurity concepts, operational capabilities, and security domains. This is generally a good concept because it provides informative characteristics for the risk treatment planner or security architect to consider when developing a purposeful and diversified control environment (i.e., to avoid being overly dependent on a particular control type). There are limitations to the control type definitions adopted in ISO/IEC 27002:2022 that could have the opposite effect and weaken security programs, but of course ISO/IEC 27002:2022 is a guideline only and should be adapted and enhanced by an organization for best effect.
The following list summarizes the new controls introduced in ISO/IEC 27002:2022. These controls reflect key trends or drivers in the environment, including the increased adoption of cloud services (tagged #Cloud by the author), use of mobile devices (tagged #Mobility by the author), the importance of secure code/software (tagged #Code by the author), privacy (tagged #Privacy by the author) and the need for eternal vigilance (tagged #Visibility by the author).
5.7 Threat intelligence | #Visibility
5.23 Information security for use of cloud services | #Cloud
5.30 ICT readiness for business continuity | #BCP
7.4 Physical security monitoring | #Cloud
8.9 Configuration management | #Cloud #Code
8.10 Information deletion | #Privacy
8.11 Data masking | #Privacy
8.12 Data leakage prevention | #Visibility #Privacy
8.16 Monitoring activities | #Visibility
8.23 Web filtering | #Visibility
8.28 Secure coding | #Code
Let's unpack those key drivers a bit more. Firstly, #Cloud controls are necessary in response to the continued rise of cloud computing, the dominance of global hyperscale cloud service providers, the occasional service failure or vulnerability that has an unprecedented impact, and contractual or data sovereignty issues. A renewed focus on #BCP is relevant in response to the Covid pandemic, but also to the disruption caused by ransomware and natural disasters. #Mobility enables working from home, a wider trend towards flexible/remote work, and potentially a return to travel, both business and leisure (hopefully!). Secure #Code and technology supply chains are another area of focus following SolarWinds, Log4j/Log4Shell and so on. #Privacy continues to dominate headlines following the continued loss of personal information and the rise of privacy legislation such as GDPR (EU), CCPA (US), and NDBS (Australia). Finally, cooperation between government and industry is maturing to achieve #Visibility of threats.
There are a lot of controls from ISO/IEC 27002:2013 that have been merged in ISO/IEC 27002:2022. Specifically, 56 controls from the older version have been merged down to 24 controls in the new version. The merged controls were largely duplicative in the prior version, and their merger makes way for the important new controls without merely adding more controls and making the baseline controls unnecessarily unwieldy. This was really quite pleasing to see in the new version. The two most pertinent examples are electronic media security (4 controls merged into 1), which has receded as cloud storage has taken its place, and logging controls (3 controls merged into 1), still important for visibility but not needing to be represented as 3 controls. Quite often regulators can get caught in the vicious ivory-tower trap of adding without removing, which makes the requirements ever more onerous and complex, tending increasingly towards becoming unachievable. Luckily we have fewer, denser, minimum controls in 2022.
There was only one split of a single control in ISO/IEC 27002:2013 into two controls in ISO/IEC 27002:2022 and --drum roll-- it was... A.18.2.3 Technical compliance review. In practice this control had a large degree of overlap with A.12.6.1 Management of technical vulnerabilities (e.g. hardening, patching, etc.), now 8.8, and with A.18.2.2 Compliance with security policies and standards (and internal audits), now 5.36. In tallying the numbers, if you've tried to add the additions and remove the merged controls, you shouldn't add one for this split, since both 5.36 and 8.8 are also counted as merged controls. The exact formula as we count it is:
114 controls in ISO/IEC 27002:2013 + 11 additions - 56 merged + 24 condensed (+1 split - 1 already merged) = 93 controls in ISO/IEC 27002:2022
How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.
All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!