New revision of ISO/IEC 27002
Comparison with ISO/IEC 27002:2013

Anna Andersson
Veriscan Security

Veriscan Security | Box 4082 | 654 04 Karlstad | Tel. 054 85 66 20 | www.veriscan.se

Date: 2022-02-23

Editor: Anna Andersson

Document type: Report

Approved by: JB

Version 1.0

Confidentiality: Open

Revision history

Nr    Description   Date         Performed by
1.0   1st issue     2022-02-18   AA

Contents

REVISION HISTORY 3
CONTENTS 4
1 INTRODUCTION 5
1.1 New revision 5
1.2 Purpose of this document 5
1.3 Background 5
1.4 Veriscan’s involvement in the new versions 7
2 CHANGES TO ISO/IEC 27002 7
2.1 General 7
2.2 The four main clauses 8
2.3 The attributes 8
2.4 The new controls 9
2.5 Deleted and split controls 10
2.6 Merged controls 10
3 NEXT STEPS 12
3.1 Publishing and translations 12
4 REFERENCES 12

1 Introduction

1.1 NEW REVISION

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) have been working on revising the international standard ISO/IEC 27002 since 2018. The purpose of the new revision has been to modernize the contents, but also to provide a more open document structure, thereby increasing the flexibility for organizations using the standard.

The new version was published as an international standard on February 15, 2022.

The new revision is the 3rd edition since the first issue in 2000 – this time with a new title: Information security, cybersecurity and privacy protection – Information security controls.

1.2 PURPOSE OF THIS DOCUMENT

The purpose of this document is to inform anyone interested in or working with information security about the changes in the new revision of ISO/IEC 27002. Many organizations have an ISMS (Information Security Management System) in place, which is either certified against ISO/IEC 27001 or at least tries to comply with it. For such organizations, it may be of use to get a notion of the possible extent of changes needed in order to also comply with the new revision of ISO/IEC 27002, as this will also have implications on ISO/IEC 27001 and its Annex A.

Of course, for organizations that are about to implement an ISMS, it may be a good idea to consider reviewing documents still in progress against the coming version, to avoid having to redo the work.

Others that may be interested are auditors and information security consultants.

Please note that this document does not strive to capture all the changes between the existing and new versions. It merely points out some of the key differences and movements of information.

1.3 BACKGROUND

ISO/IEC 27002 originates from a British standard (BS 7799, part I) and was published as an ISO/IEC standard for the first time in the year 2000 (ISO/IEC 17799). It was later renumbered into ISO/IEC 27002, and revisions have been made in 2005 (1st edition) and 2013 (2nd edition).

ISO/IEC 27002 is one of the most used and acknowledged standards for information security controls in the world. It is connected with ISO/IEC 27001 in such a way that it provides guidance on the implementation of the controls listed in ISO/IEC 27001 Annex A.

There is a requirement in ISO/IEC 27001 (6.1.3 c) for organizations to produce a Statement of Applicability (SoA), listing the controls applicable for the organization, with a motivation for inclusion in or exclusion from their Information Security Management System (ISMS) scope, based on identified information security risks. If included in the scope, a control from Annex A is also a certification requirement, while the corresponding guidance in ISO/IEC 27002 can be viewed as a recommendation on how the control should be implemented, along with the considerations to take.

Many organizations find the guidance in 27002 valuable and follow all or most of the recommendations. The original 27002 document was produced before the requirement standard (27001), and efforts have been made to preserve its usability as a standard in its own right, which is why there are still overlaps between the two documents. However, it should be pointed out that by choosing only to follow ISO/IEC 27002, important consideration of the organization’s specific needs, based on factors such as information security risks, may be omitted or forgotten.

Many of the controls of Annex A and 27002 are further explained in more detailed guidance standards, which is why the new revision will have implications on many other standards, and a major revision program is now under way. To start with, Annex A will be published as a new amendment to the existing ISO/IEC 27001:2013, along with a minor text change with regards to control objectives (see explanation in this document).

1.4 VERISCAN’S INVOLVEMENT IN THE NEW VERSIONS

Veriscan Security has been an active participant in the ISO standardization work for information security since 1999 [1]. We have contributed to the contents of ISO/IEC 27001 and 27002, both the existing versions and the upcoming versions. Alongside this work, we are also involved in other documents included in the ISO 27000 series.

2 Changes to ISO/IEC 27002

2.1 GENERAL

There have been several objectives with the new revision; the most important ones being to:

• Modernize controls and definitions, which is of course a constant need due to the fast technical development
• Avoid overlap between controls – which is hard to achieve totally, but to a large extent this has succeeded
• Increase flexibility by:
  o Restructuring the controls under four clauses instead of the original 14
  o Changing the control structure, introducing attributes which can be used by organizations for creating their own sorting, or views. Connected to this, the objective for a group of controls has been replaced by a purpose for each individual control.

In this revision, the number of controls has been reduced from today’s 114 to 93. In many cases, two existing controls have been merged in the effort to avoid overlap. This means that some controls are extensive, and to help readability, such controls have been provided with subheadings. There are also cases where the text of a control has been split into two controls, or where parts of the text have been moved. Due to these changes, several controls have had a title change.

In addition to the existing, but many times merged and revised, controls, 11 new controls have been added (included in the 93).

There are two informative annexes:

• Annex A – Using attributes
• Annex B – Correspondence with ISO/IEC 27002:2013

[1] Veriscan Security has participated in SIS TK 318 since 1999 and in ISO/IEC JTC 1/SC 27 since 2005.

2.2 THE FOUR MAIN CLAUSES

The first four chapters are 1 Scope, 2 Normative references, 3 Terms, definitions and abbreviated terms and 4 Structure of this document.

The main contents, the controls, are categorized under the following four themes, equaling clauses 5-8:

• Clause 5 Organizational controls (37 controls)
• Clause 6 People controls (8 controls)
• Clause 7 Physical controls (14 controls)
• Clause 8 Technological controls (34 controls)

Some controls still contain elements of e.g. both technical and organizational measures, so the principle has been to categorize the controls based on the main parts of the contents.

The People category may need an explanation; here, controls are listed which concern individual people. This limitation has meant that only eight controls are included in clause 6.

The category Organizational controls has been used wherever it has not been evident that the control should be categorized under any of the other three.

2.3 THE ATTRIBUTES

The attributes have been introduced to help organizations to sort, filter, or present controls in different views, whatever the reason. Generic attributes of various kinds have been used, and if the ones provided in the standard do not fulfil the need, organizations are also encouraged to use whichever attributes they choose. Today, many organizations create a mapping between the controls of Annex A/27002 and other standards or frameworks, so this is a way of acknowledging the need.

The attributes provided have been evaluated as being so generic that they may be used by most organizations using 27002.

To enable a search function in the document, each attribute is preceded by the sign # in the standard.

The following groups of attributes have been introduced:

• Control types – to show when and how the control modifies an information security risk: Preventive, Detective and Corrective.
• Information security properties – to show which of the main information security properties or aspects will be protected by use of the control: Confidentiality, Integrity and Availability.
• Cybersecurity concepts – to connect controls to concepts defined in the cybersecurity framework of ISO/IEC TS 27110: Identify, Protect, Detect, Respond and Recover.
• Operational capabilities – these are similar to the former clauses of ISO/IEC 27002 and are used to view controls from the practitioner’s perspective: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management and Information security assurance [2].
• Security domains – to view controls from the perspective of information security domains, expertise, services and products: Governance and ecosystem, Protection, Defence and Resilience.

The attributes are provided at the top of each control, as well as listed in Annex A.
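As an added illustration (not part of the Veriscan report or of the standard), the following Python models the attribute scheme described above: a parser that checks each #-tag of a control against the five attribute groups, and a filter that builds the kind of custom view the attributes are meant to enable. The control numbers and titles are those named in this report; the attribute lines assigned to them are constructed assumptions, not the standard's actual values.

```python
from typing import Dict, List, Set

# The five attribute groups and their values as listed above; underscores join multi-word values.
ATTRIBUTE_GROUPS: Dict[str, Set[str]] = {
    "Control types": {"Preventive", "Detective", "Corrective"},
    "Information security properties": {"Confidentiality", "Integrity", "Availability"},
    "Cybersecurity concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "Operational capabilities": {
        "Governance", "Asset_management", "Information_protection", "Human_resource_security",
        "Physical_security", "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity", "Supplier_relationships_security",
        "Legal_and_compliance", "Information_security_event_management",
        "Information_security_assurance"},
    "Security domains": {"Governance_and_ecosystem", "Protection", "Defence", "Resilience"},
}

def parse_attributes(tag_line: str) -> Dict[str, Set[str]]:
    """Split a control's '#'-tag line into the five groups; unknown or unprefixed tokens raise."""
    groups: Dict[str, Set[str]] = {name: set() for name in ATTRIBUTE_GROUPS}
    for token in tag_line.split():
        if not token.startswith("#"):
            raise ValueError(f"attribute without '#': {token}")
        tag = token[1:]
        group = next((g for g, vocab in ATTRIBUTE_GROUPS.items() if tag in vocab), None)
        if group is None:
            raise ValueError(f"unknown attribute: {token}")
        groups[group].add(tag)
    return groups

# Constructed sample register. Control numbers and titles are the ones named in section 2.4;
# the tag lines are illustrative assumptions, not the standard's actual attribute values.
CONTROLS: Dict[str, tuple] = {
    "5.7": ("Threat intelligence",
            "#Preventive #Detective #Identify #Detect #Threat_and_vulnerability_management #Defence"),
    "8.16": ("Monitoring activities",
             "#Detective #Corrective #Detect #Respond #Information_security_event_management #Defence"),
    "8.28": ("Secure coding", "#Preventive #Protect #Application_security #Protection"),
}

def view(controls: Dict[str, tuple], *required: str) -> List[str]:
    """Ids of controls carrying every required tag: the custom 'view' the attributes enable."""
    hits = []
    for control_id, (_title, tag_line) in controls.items():
        tags = set().union(*parse_attributes(tag_line).values())
        if set(required) <= tags:
            hits.append(control_id)
    return sorted(hits, key=lambda c: tuple(int(p) for p in c.split(".")))
```

Because every tag is validated against a fixed vocabulary, a misspelt attribute in a control register fails loudly instead of silently dropping the control from a view.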

2.4 THE NEW CONTROLS

The following 11 new controls have been added in the new revision:

• 5.7 Threat intelligence
• 5.23 Information security for cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.22 Web filtering
• 8.28 Secure coding

[2] In the standard, wherever an attribute consists of several words, an underscore is used between them to enable the search function (e.g. Asset_management). For readability, this has been omitted in this document.

2.5 DELETED AND SPLIT CONTROLS

• The main parts of the existing physical control 11.2.5 Removal of assets have been removed, but some parts have been added to the control 7.10 Storage media.
• The existing control 18.2.3 Technical compliance review has been split into the new controls 5.36 Compliance with policies and standards for information security and 8.8 Management of technical vulnerabilities – but at the same time these have also been merged with other controls.

2.6 MERGED CONTROLS

Control number in   Control number in                 New control title
2022 revision       2013 revision
5.1                 5.1.1, 5.1.2                      Policies for information security
5.8                 6.1.5, 14.1.1                     Information in project management
5.9                 8.1.1, 8.1.2                      Inventory of information and other associated assets
5.10                8.1.3, 8.2.3                      Acceptable use of information and associated assets
5.14                13.2.1, 13.2.2, 13.2.3            Information transfer
5.15                9.1.1, 9.1.2                      Access control
5.17                9.2.4, 9.3.1, 9.4.3               Authentication information
5.18                9.2.2, 9.2.5, 9.2.6               Access rights
5.22                15.2.1, 15.2.2                    Monitoring, review and change management of supplier services
5.29                17.1.1, 17.1.2, 17.1.3            Information security during disruption
5.31                18.1.1, 18.1.5                    Identification of legal, statutory, regulatory and contractual requirements
5.36                18.2.2, 18.2.3                    Compliance with policies and standards for information security
6.8                 16.1.2, 16.1.3                    Information security event reporting
7.2                 11.1.2, 11.1.6                    Physical entry controls
7.10                8.3.1, 8.3.2, 8.3.3               Storage media
8.1                 6.2.1, 11.2.8                     User endpoint devices
8.8                 12.6.1, 18.2.3                    Management of technical vulnerabilities
8.15                12.4.1, 12.4.2, 12.4.3            Logging
8.19                12.5.1, 12.6.2                    Installation of software on operational systems
8.24                10.1.1, 10.1.2                    Use of cryptography
8.26                14.1.2, 14.1.3                    Application security requirements
8.29                14.2.8, 14.2.9                    Security testing in development and acceptance
8.31                12.1.4, 14.2.6                    Separation of development, test and production environments
8.32                12.1.2, 14.2.2, 14.2.3, 14.2.4    Change management

3 Next steps

3.1 PUBLISHING AND TRANSLATIONS

The new version was published on February 15, 2022. Translation work into various languages has now started. The amendment to ISO/IEC 27001 will be published very close to the publication of ISO/IEC 27002:2022.

4 References

ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27002:2022