4 Things To Know About the ISO 27002:2022 Updates

ISO/IEC 27002:2022 reorganizes the information security controls that also underpin Annex A of ISO/IEC 27001:2022, so the changes affect both how organizations structure their control set and what certification auditors will expect to see. Staying informed and prepared to adapt is therefore essential. This article covers four key things to know about the ISO 27002:2022 updates, the implications of these changes for businesses, and how to navigate them.

Control Layout Changes

One of the most noticeable differences in ISO 27002:2022 is the control layout. The 114 controls grouped into 14 clauses in the 2013 edition have been reworked into 93 controls grouped into four themes (Organizational, People, Physical and Technological). The new layout gives organizations a more concise, logical framework for managing their information security controls and makes it easier to identify and implement the controls most relevant to their specific needs and risks. Some changes to look out for include the following:

  • Streamlining of existing controls to eliminate redundancy

  • Consolidation of related controls for greater clarity (57 controls from the 2013 edition were merged into 24)

  • Improved guidance on the selection and implementation of controls

Clause 3 of ISO 27002:2022 also carries its own terms and definitions (38 entries), supplementing the vocabulary in ISO/IEC 27000:2018.

Control Additions

With the ISO 27002:2022 update also comes the addition of 11 new controls, expanding the scope of the standard to cover technologies and threats that the 2013 edition did not address explicitly. The 11 new controls are:

  • 5.7 Threat intelligence

  • 5.23 Information security for use of cloud services

  • 5.30 ICT readiness for business continuity

  • 7.4 Physical security monitoring

  • 8.9 Configuration management

  • 8.10 Information deletion

  • 8.11 Data masking

  • 8.12 Data leakage prevention

  • 8.16 Monitoring activities

  • 8.23 Web filtering

  • 8.28 Secure coding

Supplier relationship controls (5.19 to 5.22) and incident management controls (5.24 to 5.28) were revised and consolidated rather than added; treat them as updated existing controls in a gap analysis, not as new ones.

Also noteworthy: IAF MD 26:2023, Transition Requirements for ISO/IEC 27001:2022 (Issue 2, 15 February 2023), requires certification bodies to verify the gap analysis performed by an organization certified to ISO 27001:2013 as part of its transition to ISO 27001:2022. The transition period ends on 31 October 2025, after which ISO 27001:2013 certificates are no longer valid, so the gap analysis and the resulting changes to the Statement of Applicability need to be complete and auditable before the transition audit.

New Document Structure

Another significant thing to know about the ISO 27002:2022 update is the new document structure. The new format aims to make the standard more accessible and easier to navigate, so that organizations can locate and implement the guidance more efficiently. Some highlights of the new document structure include the following:

  • A shift from the 14 domain-based clauses of the 2013 edition to four control themes

  • Simplified language to improve clarity and ease of understanding

  • Adoption of a consistent structure for every control (control statement, purpose, guidance, other information), making it easier to compare and evaluate controls

Every control is also tagged with five attributes, explained in the informative Annex A ("Using attributes"): control type, information security properties, cybersecurity concepts, operational capabilities and security domains. Each attribute takes one or more hashtag values (for example #Preventive, #Detective and #Corrective for control type, and the five functions #Identify, #Protect, #Detect, #Respond and #Recover for cybersecurity concepts). This allows practitioners to filter or sort the controls by attribute when looking for remediation options after a risk assessment, and to map the catalogue onto other frameworks that use the same concepts.
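The attribute-based filtering described above, as an added example that is not code from the original page or from ISO. The attribute vocabulary is the one published in ISO/IEC 27002:2022 Annex A; the sample control entries, their attribute assignments and the deliberately malformed entry are constructed for this example (the tags are illustrative and must be checked against the standard before being used in a real Statement of Applicability). The `validate` check catches the two mistakes that most often creep into a hand-built control register: a control missing one of the five attributes, and a misspelled hashtag that would silently drop the control from every query.

```python
"""Filter an ISO/IEC 27002:2022-style control register by attribute.

Added illustration. Vocabulary from ISO/IEC 27002:2022 Annex A; the
control entries below are constructed samples, not copied from the standard.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# The five attributes and the hashtag values each may take (Annex A vocabulary).
ATTRIBUTE_VALUES: Dict[str, FrozenSet[str]] = {
    "control_type": frozenset({"#Preventive", "#Detective", "#Corrective"}),
    "security_properties": frozenset({"#Confidentiality", "#Integrity", "#Availability"}),
    "cybersecurity_concepts": frozenset({"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"}),
    "operational_capabilities": frozenset({
        "#Governance", "#Asset_management", "#Information_protection",
        "#Human_resource_security", "#Physical_security", "#System_and_network_security",
        "#Application_security", "#Secure_configuration", "#Identity_and_access_management",
        "#Threat_and_vulnerability_management", "#Continuity", "#Supplier_relationships_security",
        "#Legal_and_compliance", "#Information_security_event_management",
        "#Information_security_assurance",
    }),
    "security_domains": frozenset({"#Governance_and_Ecosystem", "#Protection", "#Defence", "#Resilience"}),
}


@dataclass
class Control:
    ref: str                          # control number, e.g. "5.7"
    name: str
    attrs: Dict[str, FrozenSet[str]]  # attribute -> set of hashtag values


def validate(control: Control) -> List[str]:
    """Return tagging problems for one control (empty list means well-formed).

    Every control must carry a non-empty value set for all five attributes,
    and every value must come from the published vocabulary.
    """
    problems: List[str] = []
    for attr, allowed in ATTRIBUTE_VALUES.items():
        values = control.attrs.get(attr)
        if not values:
            problems.append(f"{control.ref}: missing attribute '{attr}'")
            continue
        for unknown in sorted(values - allowed):
            problems.append(f"{control.ref}: unknown value {unknown} for '{attr}'")
    return problems


def select(catalogue: Iterable[Control], **required: Iterable[str]) -> List[Control]:
    """Return controls tagged with every required value in every named attribute.

    Example: select(cat, control_type={"#Detective"}, security_properties={"#Availability"})
    """
    for attr in required:
        if attr not in ATTRIBUTE_VALUES:
            raise ValueError(f"unknown attribute: {attr}")
    return [
        c for c in catalogue
        if all(set(vals) <= c.attrs.get(attr, frozenset()) for attr, vals in required.items())
    ]


def group_by(catalogue: Iterable[Control], attr: str) -> Dict[str, List[str]]:
    """Sort the register by one attribute: hashtag value -> list of control refs."""
    groups: Dict[str, List[str]] = {v: [] for v in sorted(ATTRIBUTE_VALUES[attr])}
    for c in catalogue:
        for v in c.attrs.get(attr, frozenset()):
            groups.setdefault(v, []).append(c.ref)
    return groups


def _tags(*values: str) -> FrozenSet[str]:
    return frozenset(values)


# Constructed sample register: three of the 11 new controls with illustrative tags.
CATALOGUE: List[Control] = [
    Control("5.7", "Threat intelligence", {
        "control_type": _tags("#Preventive", "#Detective", "#Corrective"),
        "security_properties": _tags("#Confidentiality", "#Integrity", "#Availability"),
        "cybersecurity_concepts": _tags("#Identify", "#Detect", "#Respond"),
        "operational_capabilities": _tags("#Threat_and_vulnerability_management"),
        "security_domains": _tags("#Defence", "#Resilience"),
    }),
    Control("8.16", "Monitoring activities", {
        "control_type": _tags("#Detective", "#Corrective"),
        "security_properties": _tags("#Confidentiality", "#Integrity", "#Availability"),
        "cybersecurity_concepts": _tags("#Detect", "#Respond"),
        "operational_capabilities": _tags("#Information_security_event_management"),
        "security_domains": _tags("#Defence"),
    }),
    Control("8.28", "Secure coding", {
        "control_type": _tags("#Preventive"),
        "security_properties": _tags("#Confidentiality", "#Integrity", "#Availability"),
        "cybersecurity_concepts": _tags("#Protect"),
        "operational_capabilities": _tags("#Application_security", "#System_and_network_security"),
        "security_domains": _tags("#Protection"),
    }),
]

# Constructed malformed entry: misspelled hashtag and a missing attribute.
BAD_ENTRY = Control("X.0", "Constructed bad entry", {
    "control_type": _tags("#Detectve"),
    "security_properties": _tags("#Availability"),
    "cybersecurity_concepts": _tags("#Detect"),
    "operational_capabilities": _tags("#Continuity"),
})


if __name__ == "__main__":
    for problem in validate(BAD_ENTRY):
        print("register error:", problem)
    # Risk assessment found weak detection of availability incidents: which
    # detective controls protect availability?
    for c in select(CATALOGUE, control_type={"#Detective"}, security_properties={"#Availability"}):
        print(c.ref, c.name)
```

Run `validate` over the whole register before querying it; a control whose tags fail validation is invisible to `select`, which is exactly the failure mode a filter-driven remediation search must not have.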

Threat Intelligence

Control 5.7, Threat intelligence, is one of the 11 new controls. In recognition of the growing importance of threat intelligence for managing information security, ISO 27002:2022 requires organizations to collect and analyse information about threats on an ongoing basis so that they can anticipate and respond to emerging risks. The control describes three layers of intelligence: strategic (the changing threat landscape and the kinds of attackers targeting the organization), tactical (attacker methodologies, tools and technologies) and operational (details of specific attacks, including technical indicators). It also expects the intelligence to be fed back into risk assessment, into technical preventive and detective controls such as firewall and intrusion detection rules, and into security testing. These are some key aspects of this control:

  • Establishing a threat intelligence program

  • Integrating threat intelligence into existing risk management activities

  • Developing and maintaining a comprehensive understanding of relevant threats, actors, and vulnerabilities

Now that ISO 27002:2022 is in force, businesses must stay informed about the changes and prepare to adapt their information security programs accordingly. This is where we at Precision Execution can help. We provide detailed ISO training courses that cover all you need to know and more about cyber security standards. Understanding the updated control layout, the new controls, the revised document structure, and the increased focus on threat intelligence is key to maintaining compliance and managing information security risks.
