The accelerated digital transformation that organizations have undergone in recent years has naturally had an impact on the risk scenario they must manage, with a significant growth in cyber risk.

This context has meant that, for the purposes of protecting information assets, cybersecurity measures have come to carry significantly more weight than other measures within the information security universe.

ISO/IEC 27001, the worldwide reference standard for the security management of organizations of all types, regardless of size or sector, takes ISO/IEC 27002 as a reference for its recommended controls, referencing these controls in Annex A.

ISO/IEC 27002 is a detailed reference base for implementing these controls, but not a reference of requirements for ISMS certification.

Both current standards were last published in 2013; although they have been reviewed periodically since then, the original text has remained unchanged.

However, ISO/IEC 27002 has long been perceived as stagnant and not adjusted to the new scenario faced by organizations.

Therefore, a new version of ISO/IEC 27002 is expected in 2021, or possibly early 2022.

Many organizations have been expanding their framework of controls for years, or adding other standards or frameworks, to cover the aspects of cybersecurity that Annex A of ISO/IEC 27001 and ISO/IEC 27002 did not clearly or directly address. This is an important feature of ISO/IEC 27001, which has always allowed the set of controls established by Annex A to be extended: Annex A is a baseline list that must be considered, but it can always be expanded to fit the reality and context of each organization.

Thus, this new version of ISO/IEC 27002 is relevant and welcome and will naturally lead to a revision of ISO/IEC 27001, mainly its Annex A, and thus the list of minimum controls that every organization must consider to adequately manage its information security.

As ISO/IEC 27002 and ISO/IEC 27001 have been the reference standards for several regulations and standards at the international level, it is natural to expect that in the coming years several updates will be initiated in this regard.


What would be changing in the new ISO/IEC 27002?

The main difference between the Draft International Standard (DIS) and the 2013 version is the structure of the set of controls. Most of the ISO 27002 controls remain unchanged but have now been regrouped from the existing 14 domains to 4 major "Topics", depending on what the control refers to.


The established themes are:


In turn, four attributes have been associated to each control, which can be used to apply different grouping or filtering criteria and generate different "views" of the controls.

The attributes defined are:

a) Types of control (#Preventive, #Detective, #Corrective).

b) Information Security Properties (#Confidentiality, #Integrity, #Availability)

c) Cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover).

d) Operational Capabilities. The attribute values consist of #Manage, #Asset_Management, #Information_Protection, #Human_Resource_Security, #Physical_Security, #System_and_Network_Security, #Application_Security, #Secure_Configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Security_of_supplier_relationships, #Legal_compliance, #Information_security_event_management, and #Information_security_assurance. Security domains (#Governance_and_Ecosystem, #Protection, #Defense, #Resilience).

These new classification and filtering criteria return to the traditional security control grouping categories we have seen over the decades.

The number of controls has also been reduced from 114 to 93 in the DIS, with the introduction of 11 new controls, the deletion of 1 existing control, the consolidation of 57 previous controls into 24 current ones and the maintenance of 58 with the same designation.

ISO 27002 will include new controls related to threat intelligence, cloud services and secure development to reflect the rapid evolution of technology.

On a broader level, there are changes to regulations related to data protection, especially personally identifiable information at the international level.


The differences are summarized in the following table:


How does the new revision of ISO 27002 affect ISO 27001?

ISO/IEC 27002 has its origin in ISO/IEC 17799, the first ISO reference standard of good practices for information security management.

When the 27000 family emerged and the standards were renumbered, ISO/IEC 27002 was taken as the reference for Annex A of ISO/IEC 27001.

Naturally, in this context, an update to ISO 27002 will inevitably affect the set of controls in ISO 27001. It is therefore expected that these changes will be reflected in Annex A of ISO 27001 after the official publication of the updated ISO 27002, to maintain consistency between the two standards.


How does it affect organizations that already have ISO certification?

There is currently no impact on organizations that already maintain a certified ISMS until the new ISO/IEC 27002 has been approved and Annex A has been updated, in a new version of ISO/IEC 27001. Generally, organizations will have a grace period before they are required to adopt the revised ISO 27001 standard and it is likely that organizations will address the changes in conjunction with the next recertification audit cycle once the revised standard is published.

For organizations seeking to certify their ISMS, this should not be an obstacle. Organizations should familiarize themselves with the new set of controls and, with the help of the mapping to the 2013 version, prepare for certification.


This article was written based on an analysis of the latest draft version published and marketed by ISO.