
ISO/IEC 27002: Revised Standard

17 February 2022

ISO/IEC 27002:2022 has been published, and the revised standard is a game-changer for the following ten reasons…

In November 2021, we published a blog post about the virtues of ISO27001 certification, ‘ISO27001 Certification: Now is the Time to Consider the Benefits’.

Now with the publication of the ISO27002 controls, the changes are a great step forward for many organisations, and the reasons are outlined below:  

1. The standard now encompasses information security, cyber security, and privacy in one place – so depending on who utilises the standard, it appeals to many stakeholders.  

2. The standard is now grouped around four simple ‘themes’ (organisational controls, people controls, physical controls and technological controls), which will appeal to more SMEs, who will no longer be daunted by the control structure and can choose which controls are ‘appropriate’ to their risks and ‘proportionate’ to their environment.

3. The existing control groupings have been updated and merged, with 11 new controls added, so there are now only 93 controls instead of 114, and each has excellent guidance on its application. There is an emphasis on proactive monitoring, which is a significant step forward.

4. The new controls address technologies like IoT, DLP and threat intelligence, with additional privacy controls to be applauded.  

5. The standard has developed a range of excellent ‘attributes’, so if your organisation wishes to show its stance from information security, cyber security, control types, operational capabilities, or security domains perspectives, Annex A provides you with these mechanisms. This will assist both internal and external stakeholders and regulators in assessing the robustness of your security posture.

6. The changes to the standard still allow certified organisations to retain most of their existing policies; some may require updates, and new policies may need to be defined, to be in line with the revised guidance and terminology.

7. The Annex A of ISO27001 will be updated accordingly (estimated by early summer 2022) to enable external accreditation bodies to certify to the revised ISO27002 arrangements – this means that it will probably be autumn/winter 2022 (at the earliest) that uncertified organisations can be certified to the revised standard – with certified organisations to be given up to two years to transition to the updated arrangements.  

8. Relevant ISO27000 series documents will be updated accordingly from 2022 onwards – this covers risk management, auditing etc., to ensure consistency with the changes made.  

Sapphire has an enviable record of guiding clients through the ISO27001/2 process for over 20 years.  

So what are you waiting for? Start the revision process now.

If you want any guidance or assistance with ISO/IEC 27002, please get in contact with our experts.
