Get in Touch Close Menu

ISO/IEC 27002: Revised Standard

17 February 2022

ISO/IEC 27002: 2022 has been published, and the revised standard is a game-changer for the following ten reasons…  

In November 2021, we published a blog post about the virtues of ISO27001 certification, ‘ISO27001 Certification: Now is the Time to Consider the Benefits’.

Now with the publication of the ISO27002 controls, the changes are a great step forward for many organisations, and the reasons are outlined below:  

1. The standard now encompasses information security, cyber security, and privacy in one place – so depending on who utilises the standard, it appeals to many stakeholders.  

2. The standard is now group based around four simple ‘themes’ (organisational controls; people controls, physical controls and technological controls) which will appeal to more SMEs who will now not be daunted by the control structure and can choose which controls are ‘appropriate’ to their risks and ‘proportionate’ to their environment.  

3. The existing control groupings have been updated, merged with 11 new controls added, so now there are only 93 controls instead of 114, and each has excellent guidance on their application. There is an emphasis on proactive monitoring, which is a significant step forward. 

4. The new controls address technologies like IoT, DLP and threat intelligence, with additional privacy controls to be applauded.  

5. The standard has developed a range of excellent ‘attributes’, so if your organisation wishes to show their stance from information security, cyber security, control types, operational capabilities, or security domains perspectives, Annex A provides you with these mechanisms. This will assist both internal and external stakeholders and regulators in assessing the robustness of your security posture.  

6. The standard changes still allow certified organisations to retain most of their existing policies; some may require updates and new policies defined to be in line with the revised guidance and terminology.  

7. The Annex A of ISO27001 will be updated accordingly (estimated by early summer 2022) to enable external accreditation bodies to certify to the revised ISO27002 arrangements – this means that it will probably be autumn/winter 2022 (at the earliest) that uncertified organisations can be certified to the revised standard – with certified organisations to be given up to two years to transition to the updated arrangements.  

8. Relevant ISO27000 series documents will be updated accordingly from 2022 onwards – this covers risk management, auditing etc., to ensure consistency with the changes made.  

Sapphire has an enviable record of guiding clients through the ISO27001/2 process for over 20 years.  

So what are you waiting for? Start the revision process now.

If you want any guidance or assistance about ISO/IEC 27002,  please get in contact with our experts

Related Articles

Sapphire Acquires Awen to Expand IT/OT Services Portfolio
27 September 2023

Appointment of new CEO, Ian Thomas, and acquisition signals next phase of growth for wholly UK-based Sapphire Darlington, UK – 27th September 2023 – Sapphire, the UK based pure-play cyber security solutions provider, today announced the acquisition of Awen Collective, a cyber security software company dedicated to reducing the risks of cyberattacks to Operational Technology (OT). The acquisition […]

Find Out More
Data Breach Reporting: How Quickly Should It Be Done?
20 September 2023

Organisations must protect data and respond quickly and transparently during a data breach. However, despite their relentless efforts, data breaches remain a persistent and formidable threat. But, the good thing is that data breach reporting plays a crucial role in data protection. How quickly should a data breach be reported when it occurs? A slow […]

Find Out More
Authentication vs Authorisation: Understanding the Difference
15 September 2023

In today’s digital age, where information is a valuable asset and data breaches are a constant threat, ensuring the security of systems and sensitive information is paramount. Two fundamental concepts are pivotal in safeguarding digital assets: authentication vs authorisation. While often used interchangeably, these terms have distinct roles in information security. We will delve deep […]

Find Out More