Veriscan Security | Box 4082 | 654 04 Karlstad | Tel. 054 85 66 20
www.veriscan.se
New revision of ISO/IEC 27002
Comparison with ISO/IEC 27002:2013
Anna Andersson
Veriscan Security
Date: 2022-02-23
Editor: Anna Andersson
Document type: Report
Approved by: JB
Version 1.0
Confidentiality: Open
Contents
REVISION HISTORY 3
CONTENTS 4
1 INTRODUCTION 5
1.1 New revision 5
1.2 Purpose of this document 5
1.3 Background 5
1.4 Veriscan’s involvement in the new versions 7
2 CHANGES TO ISO/IEC 27002 7
2.1 General 7
2.2 The four main clauses 8
2.3 The attributes 8
2.4 The new controls 9
2.5 Deleted and split controls 10
2.6 Merged controls 10
3 NEXT STEPS 12
3.1 Publishing and translations 12
4 REFERENCES 12
1 Introduction
1.1 NEW REVISION
ISO (International Organization for Standardization) and IEC (International
Electrotechnical Commission) have been working on revising the international
standard ISO/IEC 27002 since 2018. The purpose of the new revision has been to
modernize the contents, but also to provide a more open document structure, thereby
increasing the flexibility for organizations using the standard.
The new version was published as an international standard on February 15, 2022.
The new revision is the 3rd edition since the first issue in 2000 – this time with a new
title: Information security, cybersecurity and privacy protection – Information
security controls.
1.2 PURPOSE OF THIS DOCUMENT
The purpose of this document is to inform anyone interested in or working with
information security about the changes in the new revision of ISO/IEC 27002. Many
organizations have an ISMS (Information Security Management System) in place,
which is either certified against ISO/IEC 27001 or at least tries to comply with it.
For such organizations, it may be useful to get a notion of the possible extent of
changes needed in order to also comply with the new revision of ISO/IEC 27002, as this
will also have implications for ISO/IEC 27001 and its Annex A.
Of course, for organizations that are about to implement an ISMS, it may be a good
idea to review documents still in progress against the new version, to avoid
having to redo the work.
Others that may be interested are auditors and information security consultants.
Please note that this document does not strive to capture all the changes between
existing and new versions. It merely points out some of the key differences and
movements of information.
1.3 BACKGROUND
ISO/IEC 27002 originates from a British standard (BS 7799, part I) and was
published as an ISO/IEC standard for the first time in the year 2000 (ISO/IEC
17799). It was later renumbered into ISO/IEC 27002, and revisions have been made
in 2005 (1st edition) and 2013 (2nd edition).
ISO/IEC 27002 is one of the most used and acknowledged standards for information
security controls in the world. It is connected with ISO/IEC 27001 in such a way,
that it provides guidance on the implementation of the controls listed in ISO/IEC
27001 Annex A.
There is a requirement in ISO/IEC 27001 (6.1.3 c) for organizations to produce a
Statement of Applicability (SoA), listing the controls applicable to the organization,
with a motivation for their inclusion in or exclusion from the Information Security
Management System (ISMS) scope, based on identified information security risks. If included in
the scope, a control from Annex A is also a certification requirement, while the
corresponding guidance in ISO/IEC 27002 can be viewed as a recommendation on
how the control should be implemented, along with the considerations to take.
Many organizations find the guidance in 27002 valuable and follow all or most of
the recommendations. The original 27002 document was produced before the
requirements standard (27001), and efforts have been made to preserve its usability as
a standard in its own right, which is why there are still overlaps between the two
documents. However, it should be pointed out that by choosing only to follow
ISO/IEC 27002, important consideration of the organization’s specific needs, based
on factors such as information security risks, may be omitted or forgotten.
Many of the controls of Annex A and 27002 are further explained in more detailed
guidance standards, which is why the new revision will have implications for many
other standards, and a major revision programme is now under way. To start with,
Annex A will be published as a new amendment to the existing ISO/IEC
27001:2013, along with a minor text change with regard to control objectives (see
the explanation in section 2.1 of this document).
1.4 VERISCAN’S INVOLVEMENT IN THE NEW VERSIONS
Veriscan Security has been an active participant in the ISO standardization work for
information security since 1999¹. We have contributed to the contents of ISO/IEC
27001 and 27002, both the existing versions and the new versions.
Alongside this work, we are also involved in other documents included in the ISO
27000 series.
2 Changes to ISO/IEC 27002
2.1 GENERAL
There have been several objectives with the new revision; the most important ones
being to:
• Modernize controls and definitions, which is of course a constant need due
to the fast pace of technical development
• Avoid overlap between controls – which is hard to achieve completely, but to a
large extent this has succeeded
• Increase flexibility by:
o Restructuring the controls under four clauses instead of the original 14
o Changing the control structure, introducing attributes which can be
used by organizations for creating their own sorting, or views.
Connected to this, the objective for a group of controls has been
replaced by a purpose for each individual control.
In this revision, the number of controls has been reduced from today’s 114 to 93. In
many cases, two existing controls have been merged in the effort to avoid
overlap. This means that some controls are extensive, and to help readability, such
controls have been provided with subheadings. There are also cases where text from
a control has been split into two controls, or where parts of the text have been moved.
Due to these changes, several controls have had a title change.
In addition to the existing, but in many cases merged and revised, controls, 11 new
controls have been added (included in the 93).
There are two informative annexes:
• Annex A – Using attributes
• Annex B – Correspondence with ISO/IEC 27002:2013
¹ Veriscan Security has participated in SIS TK 318 since 1999 and in ISO/IEC JTC 1/SC 27
since 2005.
2.2 THE FOUR MAIN CLAUSES
The first four chapters are 1 Scope, 2 Normative references, 3 Terms, definitions and
abbreviated terms and 4 Structure of this document.
The main contents, the controls, are categorized under the following four themes,
equaling clauses 5-8:
• Clause 5 Organizational controls (37 controls)
• Clause 6 People controls (8 controls)
• Clause 7 Physical controls (14 controls)
• Clause 8 Technological controls (34 controls)
Some controls still contain elements of, e.g., both technical and organizational
measures, so the principle has been to categorize the controls based on the main
part of their contents.
The People category may need an explanation: the controls listed here are those
that concern individual people. This limitation has meant that only eight controls are
included in clause 6.
The category Organizational controls has been used wherever it has not been evident
that the control should be categorized under any of the other three.
2.3 THE ATTRIBUTES
The attributes have been introduced to help organizations sort, filter, or present
controls in different views, whatever the reason. Generic attributes of various kinds
have been used, and if the ones provided in the standard do not fulfil the need,
organizations are also encouraged to use whichever attributes they choose. Today,
many organizations create a mapping between the controls of Annex A/27002
and other standards or frameworks, so this is a way of acknowledging that need.
The attributes provided have been evaluated as being so generic that they may be
used by most organizations using 27002.
To enable a search function in the document, each attribute is preceded by the sign #
in the standard.
The following groups of attributes have been introduced:
• Control types – to show when and how the control modifies an information
security risk: Preventive, Detective and Corrective.
• Information security properties – to show which of the main information
security properties or aspects will be protected by use of the control:
Confidentiality, Integrity and Availability.
• Cybersecurity concepts – to connect controls to concepts defined in the
cybersecurity framework of ISO/IEC TS 27110: Identify, Protect, Detect,
Respond and Recover.
• Operational capabilities – these are similar to the former clauses of ISO/IEC
27002 and are used to view controls from the practitioner’s perspective:
Governance, Asset management, Information protection, Human resource
security, Physical security, System and network security, Application
security, Secure configuration, Identity and access management, Threat and
vulnerability management, Continuity, Supplier relationships security,
Legal and compliance, Information security event management and
Information security assurance².
• Security domains – to view controls from the perspective of information
security domains, expertise, services and products: Governance and
ecosystem, Protection, Defence and Resilience.
The attributes are provided at the top of each control, as well as listed in Annex A.
2.4 THE NEW CONTROLS
The following 11 new controls have been added in the new revision:
• 5.7 Threat intelligence
• 5.23 Information security for cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.22 Web filtering
• 8.28 Secure coding
² In the standard, wherever an attribute consists of several words, an underscore is used
between them to enable the search function (e.g. Asset_management). For readability, this
has been omitted in this document.
2.5 DELETED AND SPLIT CONTROLS
• The main parts of the existing physical control 11.2.5 Removal of assets have
been removed, but some parts have been added to the control 7.10 Storage
media.
• The existing control 18.2.3 Technical compliance review has been split into
the new controls 5.36 Compliance with policies and standards for
information security and 8.8 Management of technical vulnerabilities – but
at the same time these have also been merged with other controls.
2.6 MERGED CONTROLS
Control number in 2022 revision | Control number in 2013 revision | New control title
5.1  | 5.1.1, 5.1.2                   | Policies for information security
5.8  | 6.1.5, 14.1.1                  | Information security in project management
5.9  | 8.1.1, 8.1.2                   | Inventory of information and other associated assets
5.10 | 8.1.3, 8.2.3                   | Acceptable use of information and other associated assets
5.14 | 13.2.1, 13.2.2, 13.2.3         | Information transfer
5.15 | 9.1.1, 9.1.2                   | Access control
5.17 | 9.2.4, 9.3.1, 9.4.3            | Authentication information
5.18 | 9.2.2, 9.2.5, 9.2.6            | Access rights
5.22 | 15.2.1, 15.2.2                 | Monitoring, review and change management of supplier services
5.29 | 17.1.1, 17.1.2, 17.1.3         | Information security during disruption
5.31 | 18.1.1, 18.1.5                 | Identification of legal, statutory, regulatory and contractual requirements
5.36 | 18.2.2, 18.2.3                 | Compliance with policies and standards for information security
6.8  | 16.1.2, 16.1.3                 | Information security event reporting
7.2  | 11.1.2, 11.1.6                 | Physical entry controls
7.10 | 8.3.1, 8.3.2, 8.3.3            | Storage media
8.1  | 6.2.1, 11.2.8                  | User endpoint devices
8.8  | 12.6.1, 18.2.3                 | Management of technical vulnerabilities
8.15 | 12.4.1, 12.4.2, 12.4.3         | Logging
8.19 | 12.5.1, 12.6.2                 | Installation of software on operational systems
8.24 | 10.1.1, 10.1.2                 | Use of cryptography
8.26 | 14.1.2, 14.1.3                 | Application security requirements
8.29 | 14.2.8, 14.2.9                 | Security testing in development and acceptance
8.31 | 12.1.4, 14.2.6                 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
3 Next steps
3.1 PUBLISHING AND TRANSLATIONS
The new version was published on February 15, 2022. Translation work into
various languages has now started. The amendment to ISO/IEC 27001 will be
published very close to the publication of ISO/IEC 27002:2022.
4 References
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27002:2022