UPDATE October 2022: ISO 27001:2022 has been published!

The new version now also breaks down 93 measures into just four areas: Organizational controls, People controls, Physical controls and Technological controls.

When ISO 27002:2022 was published back in February, ISO 27001:2013 still counted 114 measures in 14 different areas. Now the information security management systems requirements of ISO 27001 again match the information security controls of ISO 27002.

You can find the new version at a glance here: https://www.iso.org/standard/82875.html

---

Now it is under discussion - The latest revision of the DIN ISO 27000 series. And it looks different. But the new structure looks familiar, doesn't it? In the course of this article, you will learn which innovations the pre-published ISO 27002:2022 brings with it from a purely operational point of view.

Looking back, the picture that emerges is that ISO standards normally receive a new coat of paint every five to seven years. In the field of information security, for example, DIN EN ISO/IEC 27001:2013 is currently the referenced certification standard. Looking ahead, organisations should accordingly be given a two-year transition period from the official announcements by the International Organisation for Standardisation (ISO) until the certification basis is aligned.

Read on to find out what changes the new revision, the companion standard ISO 27002 will bring and what impact it will have on the requirements of Annex A of ISO 27001.

What is ISO 27002 in the world of infinite ISO standards?

A guideline. This is exactly what ISO 27002 is. In the construct of ISO standards, we speak of certifiable standards, their annexes and accompanying standards that go into greater depth on the implementation of required measures and define best practice approaches and minimum criteria. If one proceeds according to these and strictly adheres to the specifications of ISO 27002, compliance with Annex A of ISO 27001 is ensured. It can be assumed that this will also be revised in a timely manner congruent with this revision.

In general, the best known ISO standards are ISO 9001 for quality management, ISO 14001 for energy management and without doubt the ISO 27000 series of standards for information security management.

What has changed in the new 2022 version of ISO 27002?

The first thing that strikes the reader is that the new version of the standard is indeed longer than its predecessor, and the order of the controls has also changed - controls have been merged, updated and created. However, no controls have been deleted.

• All controls are now assigned to four different groups instead of the former 14:

1. People (8 controls)
2. Organisational (37 controls)
3. Technological (34 controls)
4. Physical (14 controls)

• ISO 27002:2022 now contains 93 controls instead of 112 in the 2013 version.

• The following 11 controls were added to the framework in a thematically meaningful way: 

1. Threat intelligence
2. Information security for use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding 

Possible adaptation of the certification basis ISO 27001:2013

It can be assumed that the structure of ISO 27001, i.e. the structure according to the standard chapters 4-10, will be retained on the whole, but that there will be minor adaptations.

Once the 2022 version of ISO 27001 becomes the reference, it should be assumed that

• existing risk management processes must be adapted to new controls,
• that the 'Applicability Statement' needs to be revised,
• that the policy framework and documentation should be supplemented,
• that new regulations and measures must be communicated throughout the organisation.

According to current information, the new version of ISO 27001 will be published in October of this year. An exact date has not yet been published. 

It should not be overlooked that securing access, handling privileged user rights and dealing with external users remains a focus area of the standard.

In addition, the dedicated monitoring of activities anddata leak preventionare included in the catalogue of requirements.

Implement ISO 27002 requirements ad hoc with VISULOX 

Translated, this means that the control of administrative access and a complete documentation of privileged user access, as well as the control of transferred information, are more and more required. The new versions of the best practice approaches and recommendations in these areas no longer suggest that the corresponding minimum requirements can be dealt with purely organisationally.

According to the new classification of controls into categories supports VISULOX a large number of requirements of ISO 27002:2022 adhoc:

• 20 from 37 in the area of organisational controls, including
  • Access Control
  • Information transfer
  • Information Security in supplier relationships
  • Protection of Records
  • Collecting Evidences
  • ...
    
• 2 from 8 in the area of People Controls
  • Remote working
  • Information Security Event Reporting
    
• 1 from 7 in the area of physical controls
  • Equipment Maintenance
    
• 19 from 34 in the area of Technical Controls
  • Information Access Restrictions
  • Privileged Access Rights
  • Information Deletion
  • Access to source code
  • Change Management
  • ...

Please contact us for a detailed list of all ISO 27001:2022 controls we can support you with the implementation of our PAM-solution VISULOX audit-proof solution. We would also be happy to provide you with a mapping of ISO 27001:2013 to ISO 27001:2022 controls. VISULOX is a holistic PAM solution for the management, control and complete documentation of all critical privileged user activities within your IT and OT infrastructures.

VISULOX has been developed by amitego in Stuttgart since 2003 and is used and continuously developed by medium-sized to Fortune 500 customers worldwide.

Learn more.