A new edition of ISO 27002, the international standard designed to help organisations select controls for an ISO 27001-compliant information security management system, has been approved by the International Organisation for Standardization.
The third edition, expected to be published either later this month or in early March, is titled ‘ISO/IEC 27002 Information security, cybersecurity and privacy protection – Information security controls’, and includes significant changes to the previous edition.
Clause Changes
The standard has been significantly reorganised, with the 14 clauses in the second edition being reduced to just four:
- Clause 5: Organisational Controls
- Clause 6: People Controls
- Clause 7: Physical Controls
- Clause 8: Technological Controls.
Control Changes
The new standard contains 93 controls, as opposed to the previous edition’s 114, with the aim of this reduction being to simplify implementation. All of the controls have been thoroughly reviewed and updated with up-to-date guidance and best practice.
You will also see the removal of the ‘Objective’ section which, in the old standard, set out the function of a group of controls within a category; instead, each of the third edition controls has been assigned an individual ‘Purpose’, in order to simplify the new standard and increase its flexibility.
New Controls
The controls themselves have also seen extensive changes, with 11 new controls being introduced to align with current technology and best practice. The new controls are shown below:
Organisational Controls
- 7 Threat intelligence
- 23 Information security for use of cloud services
- 30 ICT readiness for business continuity
Physical Controls
- 4 Physical security monitoring
Technological Controls
- 9 Configuration management
- 10 Information deletion
- 11 Data masking
- 12 Data leakage prevention
- 16 Monitoring activities
- 23 Web filtering
- 28 Secure coding
Merged Controls
Where controls in the previous edition were inseparable in practice or closely related, they have been combined into new ‘merged controls’. For example, the second edition clause 5.1.1 (Policies for information security) and 5.1.2 (Review of the policies for information security) have been merged into a single clause (5.01 Policies for information management). In total there are 27 merged controls, drawn from 58 second edition controls.
Updated Controls
Second edition controls that have not been merged have all been retained, but with new clause numbers.
Attributes
Another notable change is the introduction of ‘Attributes’. The use of these attributes is not mandatory; they have been designed as a tool to help organisations filter and organise the controls to suit their particular context.
Each control has five attributes associated with it, and each control’s attributes have been assigned a particular ‘value’ from a predetermined selection, as set out in the table below:
| Attribute | Values |
| --- | --- |
| Control type | Preventive, detective, corrective |
| Information security properties | Confidentiality, integrity, availability |
| Cybersecurity concept | Identify, protect, detect, respond, recover |
| Operational capabilities | Aligned to clauses in the second edition |
| Security domains | Governance and ecosystem, protection, defence, resilience |
It is also open to organisations or industry associations to create their own attributes and values that are specific to their industry should they wish, in order to drive standardisation and consistency within particular contexts.
Transition
There is likely to be a two-year transition period following publication of the new standard, although this has yet to be confirmed; Annex A of ISO/IEC 27001 will be updated to reflect these changes in due course.
While ISO 27002 is not a management standard and therefore cannot be certified against, it is a useful code of practice that can support an ISO 27001-compliant management system. If you are considering ISO 27001 but you’re not sure of the requirements, British Assessment Bureau offers a range of ISO 27001 training courses covering all levels of expertise.
