The information security management standard ISO 27001 and its guidance standard document ISO 27002 were last updated in 2013. This whitepaper covers new changes in ISO 27002.
However, a new revision of ISO 27002 was published earlier in Feb 2022, and a revised version of ISO 27001 is likely to be published in later this year.
The ISO 27002:2022 is an international standard designed for organizations to use as a reference for implementing and managing information security controls. ISO 27002:2022 was established by the International Organization for Standardization. The standard is intended to be used with ISO 27001, which provides guidance for establishing and maintaining information security management system.
Selectable and Searchable attributes: Control Type, Information Security Property, Cybersecurity Concepts, Operational Capabilities. Organisation can also develop their own control attributes, if required
The standards are being updated in line with digital transformation and an evolving cyber threat landscape. Controls are revised on risk-based approach that organization possesses.
Previous version has 114 controls and New Version has 93 controls.
The ISO 27001 & ISO 27002 controls are the practices to be implemented to reduce risks to acceptable levels.
New version has reduced the number of controls from 114 to 93. Technological innovations, and an improvement in the perception of how to apply security practices, are the reasons for the change in the number of controls.
Every control in the new version of ISO 27002 has two new elements in its structure:
The change that brings the added value for this new version of the standard, as it provides a uniform way to sort controls against different criteria.
Attributes for every control are as follows:
These attributes will help to make it easier and understand which controls are applicable according to criteria relevant to the business (i.e., not related only to information security management system of the organization), as well as the integration of ISO 27002 controls to other similar security frameworks, like NIST Risk Management Framework.
An information security management system (ISMS) defines policies and procedures to comply, manage, control, and continuously improve information security of the organization. Systematic approach of ISMS including processes, technology people and premises helps you protect and manage business information of the organization.
Following are the details of the newly added 11 controls and 23 controls that have been renamed:
These changes that are listed above will help keep the focus on information security aspects of processes and activities, reducing the effort for implementing and maintaining the Information Security Management System.Given below are the next steps for the organizations to address newly introduced controls.
Coforge supports organizations in effectively implementing and assessing the readiness of ISO 27001 / ISO 27002 compliance, risk assessment through an end-to-end lifecycle. Our approach allows organizations to manage information security risks in their organization and whilst enabling them to achieve their business objectives in a controlled and secure way. We help organizations to develop and implement best practice policies and procedures through our tailored evidenced based approach.
Information risk governance gives you the assurance that risk-based decisions are logical and valid and made in a timely manner.
Information risk management enables organizations to balance unacceptable business exposure to risk with the implementation of restricted controls which may prevent the business.
Our consultants provide practical information risk management and governance capability. They consider a range of risk and governance options to ensure the most suitable approach is provided to fit your organization’s needs
We follow three step methodology that helps us decide the most suitable approach:
Step 1 - review all relevant governance factors of your organization and providing readiness or compliance report based on the scope, objective, criteria, and the context:
Step 2 – Utilizing the identified internal and external governance details and recommendations of the assessments, we help your organization to define and deliver a structure for information risk governance, including:
Step 3 – Coforge consultants provide ongoing support throughout the governance process, including creating, reviewing, or improving the risk directive committee and structures, reporting lines and communications required for effective information risk governance and ensuring that risk is being managed in line with the agreed criteria with the organization.
Coforge offers industry recognized and effective tools to achieve intended outcome. The tools which can provide you proven outcome to support standard compliances but not limited to SIMP (Security Incident Management Platform), iDART (Intelligent Detection & Response of Threats) and MASTER (Managed Automated Security Testing & Enhanced Remediation)