ISO 27002:2022 has been renewed

ISO 27002 provides a reference set of information security controls, including guidelines for implementation. This document is intended for organizations in the context of information security management systems (ISMS), based on ISO/IEC 27001:2017.

How does it affect your organization?

You will probably wonder how the new version of ISO 27002 impacts your management system and how we, as a Certification Body, handle the modifications during the audit.

Briefly put, nothing changes at first. You have implemented a management system based on ISO 27001, and we will conduct the audit in line with ISO 27001. As long as this standard is not being modified, it is not necessary to alter your management system for the certification.

However, ISO 27001 requires you to apply risk management, taking into account the context of your organization. Since the new ISO 27002 contains the latest reference set of information security controls, it may be used as a source for your risk management controls.

Since discrepancy has arisen between the controls in ISO 27002 and those in Annex A of ISO 27001, we will explain two situations that may occur in practice. The update of the current ISO 27001 will remove the discrepancy in the future. We expect that the update will be published this year.

Possible situations

  1. An organization has implemented ISO 27001:2017 Annex A.

In this case, nothing will change. We will execute the audit as you are used to. We expect an update of ISO 27001:2017 later this year, introducing the reference set of controls from the new ISO 27002:2022. Once the standard has been updated, we will inform you about the transitional period.

  1. An organization has implemented the controls of ISO 27002:2022.

ISO 27001:2017 stipulates that the controls that have been adopted must be compared with those of Annex A to verify that no necessary controls have been omitted (source: section 6.1.3). For each control in ISO 27001 Annex A, you will have to check how this is included in your risk management. Below are some examples of how to tackle this.

Examples

If an organization has implemented controls other than those in Annex A and demonstrably wants to fulfil the requirements of ISO 27001:

  1. You can draw up a statement of applicability based on your own controls. For each control identify how it relates to ISO 27001 Annex A. The list must be completed with the specific ISO 27001 Annex A controls the organization decided to exclude.
  2. You can draw up a statement of applicability based on ISO 27002:2022. For each control identify how it relates to ISO 27001 Annex A. The list must be completed with the specific ISO 27001 Annex A controls the organization decided to exclude.

Please note that several controls in ISO 27001 Annex A have been included in the new ISO 27002 as guidelines for implementation. Therefore, although you may have followed the cross-reference in ISO 27002 Table B, you have not automatically implemented all controls in ISO 27001 Annex A.

NEN 7510

No information is yet available on when NEN 7510 (and the other related standards) will be updated.

Conclusion

No matter which option your organization chooses, you must be able to demonstrate for every control in ISO 27001:2017 Annex A, NEN 7510 and the other related standards which ones you included in your risk management or are justifiably excluded.