Photo by Stephanie McCabe on Unsplash

A New Milestone for the Industry

The new version of ISO 27002 is now published

By Jason Chavarría | March 4, 2022 | Category: Politics

The ISO/IEC 27002 got its long-overdue revamp and now it's got a structure you need to know about. If you're not familiar with this name, don't worry too much! The ISO/IEC 27002 is a standard that is part of the ISO/IEC 27000 family. These are developed by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission). As such, ISO/IEC 27002 is an information security standard that provides a recognized framework for information security management best practices. The last time the industry had seen an update on this standard was back in 2013, when the second version came out. This year, in February, the third version was published and everyone who cares about cybersecurity is super excited to know what's new there. Here, we'll give you a short summary.

What's new

Let's start with the title. It reads Information security, cybersecurity and privacy protection. So this new iteration not only deals with information security, like the previous one, but also cybersecurity and privacy, and that's clear from the very beginning. This interest in these two concepts reveals what (at least part of) the rationale is for issuing this third version. Namely, ISO/IEC 27002 is catching up to NIST's Framework for Improving Critical Infrastructure Cybersecurity, as well as the growing attention to privacy protection. Indeed, we have mentioned elsewhere that the increasing prioritization of privacy is pushing more organizations to comply with modern privacy laws, such as the LGPD and the CCPA. Ultimately, something the new iteration of ISO/IEC 27002 offers is the possibility of navigating more easily between various other frameworks and standards.

Now we can move on to the structure. The past edition grouped security controls into 14 clauses, whereas the new edition groups them into four themes: organizational, people, physical and technological controls. The previous version's clauses and this new version's themes are listed in Figure 1. These themes' names are interestingly reminiscent of the four entities (or parties) that NIST mentions in some of its documents. In fact, it has been suggested that impact on these entities is to be taken into consideration when conducting risk assessments. This could facilitate finding common ground between ISO and NIST. However, a case could be made that the organizational theme is a "catch-all group" that houses controls that don't fit too well in the remaining themes. In that sense, maybe the intention is good but the reference between themes and entities is not as perfect as one would probably wish.

Comparison between the 2013 and 2022 version

Figure 1. ISO/IEC 27002's 2013 version clauses and 2022 version themes.

Remarkably, the 2013 version's 114 security controls went through merging and updating processes to create this year's version. Now we've got 93 security controls, of which 82 come from the previous version —58 updated, and 24 merged— and 11 are new. The following are the new ones:

  • Threat intelligence

  • Information security for use of cloud services

  • ICT [information and communications technology] readiness for business continuity

  • Physical security monitoring

  • Configuration management

  • Information deletion

  • Data masking

  • Data leakage prevention

  • Monitoring activities

  • Web filtering

  • Secure coding

As could be easily guessed, the first three belong to the organizational theme; the fourth, to the physical theme; and the rest, to the technological theme. Let us just say that one of the most interesting controls in this list is the second one, referring to cloud computing. Indeed, this control reminds us just how badly the ISO/IEC 27002 needed an update. We have stated elsewhere that cloud adoption grew last year, and this is expected to go on this year. Moving down the list to the technological-themed controls, we can see that some of them suit privacy regulation requirements, again, showcasing privacy protection as a priority.

Another helpful addition of this iteration is that each control is characterized by values of a set of attributes:

  • Control type (preventive, detective and/or corrective)

  • Information security properties (confidentiality, integrity and availability)

  • Cybersecurity concepts (identify, protect, detect, respond and recover)

  • Operational capabilities (e.g., governance, asset management, information protection)

  • Security domains (governance and ecosystem, protection, defense, and resilience)

What catches the eye immediately are the cybersecurity concepts, whose values refer to the functions taken into account by the NIST cybersecurity standard. As stated by this standard, these functions, considered together, "provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk." The attributes we see in this new version inform about the applications of controls, reflecting their complexities more vividly. However, it has been suggested that the assignment of some of these attributes could be arbitrary and, if done more accurately, "the standard would become unwieldy."

Finally, the previous version mentioned objectives that each control would help to achieve. So, if an objective is accepted by an organization, they could refer to controls related to that objective and implement them to mitigate risk. In this year's version, objectives transformed into purposes. The idea is pretty much the same, although there is criticism that purposes don't reference the organization's information risks the controls aim to mitigate as clearly as objectives did.

How does the new version affect organizations?

Organizations around the world seek to be certified as compliant with security standards. When it comes to the ISO/IEC 27000 family, the standard that can be used worldwide "as the basis for formal compliance assessment by accredited certification auditors" is the ISO/IEC 27001:2013.

In turn, what the ISO/IEC 27002 does is provide information about the security controls that organizations can implement according to their needs and the risks they have identified. In short, the new version shouldn't impact auditing and the fact it's now published doesn't mean ISO/IEC 27001-certified organizations are getting their certification revoked. What it does mean for organizations is an opportunity to update their security controls and find out what new controls they should be implementing.

At Fluid Attacks, we use the ISO/IEC 27001:2013 and the ISO/IEC 27002:2022 as a reference for our assessments of organizations systems' security vulnerabilities. Contact us!

Caution: Many major details from the new standard are missing in this blog post. Having read this post in no way substitutes for careful reading of the ISO/IEC 27002:2022. For your purposes other than personal, we recommend that you purchase and read the full text.