
ISO/IEC 27002: Revised Standard

17 February 2022

ISO/IEC 27002:2022 has been published, and the revised standard is a game-changer for the following ten reasons.

In November 2021, we published a blog post about the virtues of ISO27001 certification, ‘ISO27001 Certification: Now is the Time to Consider the Benefits’.

Now, with the publication of the revised ISO27002 controls, the changes are a great step forward for many organisations. The reasons are outlined below:

1. The standard now encompasses information security, cyber security and privacy in one place, so it appeals to many stakeholders, whoever is using it.

2. The standard is now grouped around four simple ‘themes’ (organisational controls, people controls, physical controls and technological controls). This will appeal to more SMEs, who will no longer be daunted by the control structure and can choose the controls that are ‘appropriate’ to their risks and ‘proportionate’ to their environment.

3. The existing controls have been updated and merged, and 11 new controls have been added, so there are now only 93 controls instead of 114, each with excellent guidance on its application. There is an emphasis on proactive monitoring, which is a significant step forward.

4. The new controls address technologies such as IoT, DLP and threat intelligence, and the additional privacy controls are to be applauded.

5. The standard has introduced a range of excellent ‘attributes’: if your organisation wishes to present its security stance from the perspective of information security, cyber security, control types, operational capabilities or security domains, Annex A provides the mechanisms to do so. This will assist internal and external stakeholders, and regulators, in assessing the robustness of your security posture.

6. The changes to the standard still allow certified organisations to retain most of their existing policies; some may require updating, and new policies may need to be defined, to bring them in line with the revised guidance and terminology.

7. Annex A of ISO27001 will be updated accordingly (estimated by early summer 2022) to enable external accreditation bodies to certify against the revised ISO27002 arrangements. This means that it will probably be autumn/winter 2022 (at the earliest) before uncertified organisations can be certified to the revised standard, with already-certified organisations given up to two years to transition to the updated arrangements.

8. The relevant ISO27000 series documents (covering risk management, auditing, etc.) will be updated accordingly from 2022 onwards to ensure consistency with the changes made.

Sapphire has an enviable record of guiding clients through the ISO27001/2 process, built up over more than 20 years.

So what are you waiting for? Start the revision process now.

If you want any guidance or assistance with ISO/IEC 27002, please get in contact with our experts.
