ISO/IEC 27002: 2022 has been published, and the revised standard is a game-changer for the following ten reasons…
In November 2021, we published a blog post about the virtues of ISO27001 certification, ‘ISO27001 Certification: Now is the Time to Consider the Benefits’.
Now with the publication of the ISO27002 controls, the changes are a great step forward for many organisations, and the reasons are outlined below:
1. The standard now encompasses information security, cyber security, and privacy in one place – so depending on who utilises the standard, it appeals to many stakeholders.
2. The standard is now group based around four simple ‘themes’ (organisational controls; people controls, physical controls and technological controls) which will appeal to more SMEs who will now not be daunted by the control structure and can choose which controls are ‘appropriate’ to their risks and ‘proportionate’ to their environment.
3. The existing control groupings have been updated, merged with 11 new controls added, so now there are only 93 controls instead of 114, and each has excellent guidance on their application. There is an emphasis on proactive monitoring, which is a significant step forward.
4. The new controls address technologies like IoT, DLP and threat intelligence, with additional privacy controls to be applauded.
5. The standard has developed a range of excellent ‘attributes’, so if your organisation wishes to show their stance from information security, cyber security, control types, operational capabilities, or security domains perspectives, Annex A provides you with these mechanisms. This will assist both internal and external stakeholders and regulators in assessing the robustness of your security posture.
6. The standard changes still allow certified organisations to retain most of their existing policies; some may require updates and new policies defined to be in line with the revised guidance and terminology.
7. The Annex A of ISO27001 will be updated accordingly (estimated by early summer 2022) to enable external accreditation bodies to certify to the revised ISO27002 arrangements – this means that it will probably be autumn/winter 2022 (at the earliest) that uncertified organisations can be certified to the revised standard – with certified organisations to be given up to two years to transition to the updated arrangements.
8. Relevant ISO27000 series documents will be updated accordingly from 2022 onwards – this covers risk management, auditing etc., to ensure consistency with the changes made.
Sapphire has an enviable record of guiding clients through the ISO27001/2 process for over 20 years.
So what are you waiting for? Start the revision process now.
If you want any guidance or assistance about ISO/IEC 27002, please get in contact with our experts.