ISO 27002 offers a comprehensive set of cybersecurity controls, encompassing information security and privacy protection. These controls are aligned with global best practices and provide guidance on implementing an ISO 27001 Information Security Management System (ISMS). This guide will explore the significance of ISO 27002 and its relevance to your organisation.
What is ISO 27002?
ISO/IEC 27002:2022, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is a globally recognised standard for information security best practices.
It provides a reference set of information security controls along with implementation guidance based on internationally recognised best practices.
What does ISO 27002 cover?
This standard provides a detailed set of controls and guidelines for managing information security risks across your organisation, including controls focused on:
- Information security: Protecting sensitive data from unauthorised access, use, disclosure, disruption, modification, or destruction.
- Cybersecurity: Mitigating cyber threats such as malware, phishing, and ransomware.
- Privacy protection: Ensuring compliance with data privacy regulations (e.g., GDPR, CCPA).
- Physical security: Safeguarding physical assets that house and support information systems.
ISO 27002 is a comprehensive information security guidance framework.
Why is ISO 27002 important?
In today’s digital world, organisations of all sizes face constant threats to their data. Whether you collect, use, or process information, safeguarding it is paramount.
To mitigate these risks and threats you should have an Information Security Management System (ISMS).
An Information Security Management System (ISMS) is a framework designed to protect the confidentiality, integrity, and availability of all your organisation’s information and assets.
Many organisations struggle to implement and maintain an effective ISMS due to its broad scope. It can be overwhelming to determine where to start.
A valuable starting point for any organisation, regardless of size or industry, is to implement the controls outlined in ISO/IEC 27002. This internationally recognised standard provides a comprehensive set of best practices for managing information security risks.
Key Benefits of Implementing ISO 27002
By implementing the controls of ISO 27002 an organisation can benefit from global best practice on protecting against information security risks and threats while addressing the Annex A controls referenced by ISO 27001. Additional benefits include:
- Enhanced security posture: Strengthen your organisation’s defences against cyberattacks and data breaches.
- Improved data protection: Safeguard sensitive information and build trust with customers and stakeholders.
- Regulatory compliance: Demonstrate compliance with relevant data protection regulations.
- Competitive advantage: Gain a competitive edge by showcasing a strong commitment to information security.
- Reduced risk: Minimise the impact of security incidents on your business operations.
- Increased efficiency: Streamline security processes and improve operational efficiency.
How does ISO 27002 relate to ISO 27001?
While ISO 27002 itself is not certifiable, it provides the practical guidance for implementing an Information Security Management System (ISMS) based on the requirements of ISO 27001.
ISO 27002:2022
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released the updated version of ISO/IEC 27002 on February 15, 2022. This revised standard incorporates the latest advancements in information security practices across various industries and government sectors.
Key Updates in ISO 27002:2022
The key updates in ISO 27002:2022 are:
- Enhanced relevance: The 2022 edition reflects the evolving threat landscape and incorporates new and emerging security risks.
- Improved clarity: The controls have been restructured and clarified for easier implementation and understanding.
- Increased focus on:
  - Technological advancements: Addresses the impact of cloud services and other emerging technologies, with dedicated guidance on topics such as threat intelligence, data leakage prevention and configuration management.
  - Cybersecurity threats: Provides guidance on mitigating threats such as ransomware, phishing, and social engineering attacks.
  - Data privacy: Aligns with evolving data privacy regulations like GDPR and CCPA.
How has ISO 27002:2022 Changed?
From “Code of Practice” to Standalone Controls:
A significant shift is the transition from a “Code of Practice” to a set of standalone information security controls. This provides greater flexibility and applicability across various organisational contexts.
Simplified Structure:
The revised standard offers a more streamlined structure, making it easier to implement and apply throughout the organisation.
Expanded Scope:
The title of the standard changed from “Information technology — Security techniques” to “Information security, cybersecurity and privacy protection — Information security controls”, signalling a broader remit. The controls in ISO 27002:2022 cover areas including:
- Information security: Protecting sensitive data from unauthorised access, use, disclosure, disruption, modification, or destruction.
- Physical security: Safeguarding physical assets and environments related to information systems.
- Cybersecurity: Mitigating cyber threats such as malware, phishing, and ransomware.
- Asset management: Ensuring the proper inventory, control, and protection of all organisational assets.
- Human resource security: Addressing security risks associated with personnel, including screening, terms and conditions of employment, awareness training, disciplinary process, and termination or change of role.
- Privacy protection: Implementing measures to comply with data privacy regulations and protect individual rights.
This expanded scope allows organisations to address a wider range of security risks and build a more comprehensive and robust security posture.
Why has it changed?
The 2022 revision of ISO 27002 was a necessary response to the evolving threat landscape and regulatory environment. Factors like the increasing prevalence of regulations such as GDPR, POPIA and the Australian Privacy Principles (APPs), coupled with the growing complexity of business continuity and cyber risk management, necessitated a broader scope for information security controls.
The primary objective of this revision was to enhance the standard’s applicability and effectiveness. By transitioning from a general “Code of Practice” to a set of specific controls, each with a stated purpose and implementation guidance, ISO 27002:2022 empowers organisations to:
- Tailor controls: More effectively tailor information security measures to their specific context, risk profile, and industry.
- Improve risk management: Enhance their ability to identify, assess, and mitigate a wider range of information security, privacy, and cyber security risks.
- Strengthen compliance: Demonstrate compliance with relevant regulations and industry standards.
This shift in focus underscores the importance of a proactive and risk-based approach to information security.
How has it improved?
Key improvements in this version are its increased relevance, its clarity, and its ability to address new and emerging technological changes and cyber security threats.
How have the controls changed?
The 2022 revision of ISO 27002 streamlines the number of security controls, reducing them from 114 in the 2013 version to 93. No control was simply dropped: 57 of the 2013 controls were merged into 24, 58 were retained and updated, and 11 are new. This more concise framework enhances clarity and improves ease of implementation.
Furthermore, the 2022 edition introduces a new organisational structure. Instead of the 14 clauses of the 2013 edition, the controls are now categorised into four distinct “themes”:
- Organisational (clause 5, 37 controls)
- People (clause 6, 8 controls)
- Physical (clause 7, 14 controls)
- Technological (clause 8, 34 controls)
Each control also carries five attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), so controls can be filtered and grouped, for example by preventive, detective or corrective type, or by confidentiality, integrity or availability.
This thematic approach provides a more intuitive and user-friendly framework for understanding and applying the controls within an organisation’s specific context, and aims to make ISO 27002 more accessible and easier to implement for organisations of all sizes and across various industries.
The new controls
The 11 controls introduced in ISO 27002:2022 are:
- Control 5.7 Threat intelligence
- Control 5.23 Information security for use of cloud services
- Control 5.30 ICT readiness for business continuity
- Control 7.4 Physical security monitoring
- Control 8.9 Configuration management
- Control 8.10 Information deletion
- Control 8.11 Data masking
- Control 8.12 Data leakage prevention
- Control 8.16 Monitoring activities
- Control 8.23 Web filtering
- Control 8.28 Secure coding
ISO 27001 vs ISO 27002
When exploring Information Security Management Systems (ISMS), organisations often encounter both ISO 27001 and ISO 27002.
ISO 27001: The Information Security Management System
ISO 27001 serves as the primary standard within the 27000 family. It outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Organisations can achieve certification against ISO 27001, demonstrating their commitment to information security best practices.
ISO 27002: The Security Controls Guidance
ISO 27002 plays a crucial supporting role. It provides a comprehensive set of practical controls and guidance for implementing the requirements outlined in ISO 27001. While ISO 27002 itself is not certifiable, adhering to its guidelines significantly strengthens an organisation’s ISMS.
A Complementary Relationship
ISO 27001 Annex A: This annex provides a list of security controls, but it does not offer specific implementation guidance. Instead, it directs organisations to ISO 27002 for practical advice.
ISO 27002 Guidance: Organisations are not obligated to implement every control. Under ISO 27001 they select controls based on the results of their risk assessment and business need, record which Annex A controls are included or excluded (and why) in the Statement of Applicability, and then use ISO 27002 for the implementation guidance on the controls they have selected.