The ISO 27002 document – a guidance document to assist with the implementation of the security controls that are used for the ISO 27001 information security management system – has been updated and approved and this new edition is expected to be published in March 2022.
ISO 27002 is important for organisations that intend to select controls within the process of implementing and maintaining compliance of an Information Security Management System based on ISO/IEC 27001 and who want to implement commonly accepted information security controls and develop their own information security management guidelines.
The updated document is titled ‘ISO/IEC 27002 information security, cybersecurity and privacy protection – Information security controls’ and has several changes to the previous edition.
11 new controls have been added as per below:
|Organisational Controls||Physical Controls||Technological Controls|
|Information security for use of|
|Physical security monitoring||Configuration Management|
|ICT readiness for business continuity||Information deletion|
|Threat Intelligence||Data masking|
|Data leakage prevention|
Many of the existing controls have also been amended, and around half of the old controls have now been combined with others where they were inseparable in practice or closely related. As such there are now 24 merged controls and the new standard has 24 controls compared to the previous editions 114. This should allow for easier implementation of the standard.
Each control now has 5 ‘Attributes’ associated with it and each controls attributes have been assigned a particular ‘value’ from a pre-determined selection as shown below.
|Control type||Preventative, detective, corrective|
|Information security properties||Confidentiality, integrity, availability|
|Cybersecurity concept||Identify, protect, detect, respond, recover|
|Operational capabilities||Aligned to clauses in the 2nd edition|
|Security domains||Governance and ecosystem, protection, |
The attributes are simply a guide to help organisations filter and organise controls to suit their requirements, it is not mandatory for them to be used. There will likely be a 2-year transition period following the publication of the new standard.
Contact us now to discuss your Information Security Management requirements.