Get in Touch Close Menu

ISO/IEC 27002: Revised Standard

17 February 2022

ISO/IEC 27002: 2022 has been published, and the revised standard is a game-changer for the following ten reasons…  

In November 2021, we published a blog post about the virtues of ISO27001 certification, ‘ISO27001 Certification: Now is the Time to Consider the Benefits’.

Now with the publication of the ISO27002 controls, the changes are a great step forward for many organisations, and the reasons are outlined below:  

1. The standard now encompasses information security, cyber security, and privacy in one place – so depending on who utilises the standard, it appeals to many stakeholders.  

2. The standard is now group based around four simple ‘themes’ (organisational controls; people controls, physical controls and technological controls) which will appeal to more SMEs who will now not be daunted by the control structure and can choose which controls are ‘appropriate’ to their risks and ‘proportionate’ to their environment.  

3. The existing control groupings have been updated, merged with 11 new controls added, so now there are only 93 controls instead of 114, and each has excellent guidance on their application. There is an emphasis on proactive monitoring, which is a significant step forward. 

4. The new controls address technologies like IoT, DLP and threat intelligence, with additional privacy controls to be applauded.  

5. The standard has developed a range of excellent ‘attributes’, so if your organisation wishes to show their stance from information security, cyber security, control types, operational capabilities, or security domains perspectives, Annex A provides you with these mechanisms. This will assist both internal and external stakeholders and regulators in assessing the robustness of your security posture.  

6. The standard changes still allow certified organisations to retain most of their existing policies; some may require updates and new policies defined to be in line with the revised guidance and terminology.  

7. The Annex A of ISO27001 will be updated accordingly (estimated by early summer 2022) to enable external accreditation bodies to certify to the revised ISO27002 arrangements – this means that it will probably be autumn/winter 2022 (at the earliest) that uncertified organisations can be certified to the revised standard – with certified organisations to be given up to two years to transition to the updated arrangements.  

8. Relevant ISO27000 series documents will be updated accordingly from 2022 onwards – this covers risk management, auditing etc., to ensure consistency with the changes made.  

Sapphire has an enviable record of guiding clients through the ISO27001/2 process for over 20 years.  

So what are you waiting for? Start the revision process now.

If you want any guidance or assistance about ISO/IEC 27002,  please get in contact with our experts

Related Articles

How Do Managed EDR Solutions Work?
5 May 2022

Increasing the scale of your cybersecurity is not easy. After all, cybersecurity is not just about prevention. With cyber-attacks part of our world, organisations must be prepared to respond effectively to threat actors. One such way of preparing and responding is through endpoint detection and response (EDR) and or Managed EDR solutions. Organisations use EDR […]

Find Out More
What is the SOC (Security Operations Centre) Visibility Triad?
19 April 2022

IT environments are becoming increasingly complex and sophisticated, and security teams are faced with the daunting task of keeping potential attackers from accessing their organisation’s environments. As a result, organisations are adopting increasingly complex cybersecurity solutions to combat this growing concern. One way to do this is by using the SOC visibility triad.

Find Out More
The Future of Ransomware: 2022 & Beyond
11 April 2022

Ransomware remains one of the highest priority challenges for organisations of all sizes and across all sectors in 2022.

“Ransomware is the fastest-growing cybercrime for a reason,” says Steve Morgan, founder at Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “It’s the proverbial get-rich-quick scheme in the minds of hackers.”

Find Out More