Impact of the Upcoming ISO 27002 Update On Organizations

The pandemic brought almost every brick-and-mortar business online, but it also exposed them to bad actors. The ever-increasing number of cybercrimes calls for more stringent security standards to protect sensitive data. With this in mind, the International Organization for Standardization (ISO) has recently announced an update specifically for the ISO 27001 and ISO 27002 frameworks. The goal of this revision is to help organizations manage their information assets more diligently.

Before delving into the updates to the framework, it helps to understand the two major frameworks that are crucial for an effective information security management system.

Connection Between ISO 27001 and ISO 27002

The ISO framework allows the workforce and stakeholders of your company to have a common understanding of information security vulnerabilities.

Falling under the central framework of the ISO 27000 series, the risk-based approach of ISO 27001 enables organizations to identify and mitigate threats by implementing controls.

ISO 27002, on the other hand, is a supporting standard in the ISO 27000 series that provides guidance on how the controls of ISO 27001 work and how to implement them. Those controls are listed in Annex A of ISO 27001, and ISO 27002 is the much more detailed standard that elaborates on them.

What Has Changed in ISO 27002?

After a long interval, ISO recently announced new updates to its 27002 standard.

With this update to the framework, you will see a restructuring of the current controls. The familiar 14 control chapters are removed and replaced with 4 consolidated chapters that serve as the base for all framework controls. The consolidated chapters are:

  • Chapter 5 Organizational (37 controls)
  • Chapter 6 People (8 controls)
  • Chapter 7 Physical (14 controls)
  • Chapter 8 Technological (34 controls)

In addition, the Annex A controls are reduced from 114 to 93 in the DIS (Draft International Standard). The following controls are expected to be removed in the new update:

  • Electronic messaging
  • Restrictions on software installation
  • Review of the policies for information security
  • Technical compliance review
  • Mobile device policy
  • Password management system
  • Handling of assets
  • Ownership of assets
  • Removal of assets
  • Delivery and loading areas
  • Unattended user equipment
  • Protecting application services transactions
  • Protection of log information
  • Securing application services on public networks
  • System acceptance testing
  • Reporting information security weaknesses

However, 11 new controls are also added in the latest version, with Threat Intelligence (TI) as a key feature. This addition underlines the growing significance of TI functions within an organization's cybersecurity department. The new controls include threat intelligence, information security for the use of cloud services, physical security monitoring, ICT readiness for business continuity, secure coding, data masking, data leakage prevention, web filtering, user endpoint devices, and configuration management.

Alongside the new controls, the updated standard modifies or consolidates a few existing ones. Those are as follows:

  • Information and Other Associated Assets (Modified)
  • Use of Cryptography controls (Modified)
  • Acceptable Use of Information and Other Associated Assets (Modified)
  • Logging (Modified)
  • Monitoring Activities (Consolidated)
  • Information Transfer (Consolidated)

Will Revised ISO 27002 Standard Impact ISO 27001?

As noted above, ISO 27002 is the supplementary standard for Annex A of ISO 27001. To maintain consistency between the two, the controls of ISO 27001 will therefore be affected once the updated ISO 27002 is officially released.

How can Organizations Prepare for the Upcoming ISO 27002 Update?

The upcoming revisions to ISO 27002 will probably be released by the end of 2021 or early 2022. Organizations will generally be given a grace period by ISO to implement the revised ISO 27001 framework effectively. There is no need to rush, but preparedness should not be neglected either.

Under the new ISO 27002 standard, implementing ISO 27001 may require less effort. Even so, it will be a sensible move for businesses to address the changes as part of their next recertification audit cycle after the official release of the update.

Other certifications and regulations are also likely to adopt new criteria in line with the new ISO standards, mandating TI functions. The information security team needs to evaluate all of its documentation to identify the key focus areas under the new ISO 27002 framework.

A clearer picture will emerge once the final update is published. National bodies have already reviewed the proposed revisions to the framework, which means any significant changes are unlikely at this stage. General awareness among stakeholders and the IT team alike is therefore crucial.

The main aim of the updated ISO 27002 framework is to help companies adapt to the evolving risks of the current information security ecosystem. With the new ISO 27002 framework, you will need to adopt a proactive rather than reactive approach to protect your organization from lurking vulnerabilities.