New version of ISO/IEC 27002

In February 2022, following several years of revisions, the new ISO/IEC 27002:2022-02 was published, replacing the former ISO/IEC 27002:2013 as well as the German version DIN EN ISO/IEC 27002:2017. ISO/IEC 27002 is the second most important standard after ISO/IEC 27001 when it comes to structured information security and the rollout of an ISMS at a company.

ISO/IEC 27002 is not normative, meaning that it is not part of the auditing process of a certificate audit. It is given great weight since it offers implementation recommendations for the controls set forth in ISO/IEC 27001 – Annex A. These controls describe technical and organisational measures that counteract existing threats to and potential vulnerabilities in information security at companies.

The new version of the ISO/IEC 27001:2013 certification standard is set for release in Q4 2022, which also marks the start of the transition phase. From the date of publication, companies have 24 months to successfully complete the audit according to the new standard.

In addition to modifications to the document structure, the changes in ISO/IEC 27002:2022 include significantly expanded and more detailed specifications regarding implementation of the applicable controls. The following items are of particular interest:

Threat intelligence (5.7)

• With respect to its IT landscape, the organisation must proactively take steps to understand potential hackers and the methods they employ.

Information security for use of cloud services (5.23)

• The organisation needs to consider its cloud activities over the entire lifecycle (launch, operation, exit strategy).

ICT readiness for business continuity (5.30)

• The requirements of the IT landscape in terms of business continuity must be assessed, for example within the scope of a business impact analysis (BIA).

Physical security monitoring (7.4)

• The monitoring and prevention of unauthorised, physical access by means of alarm and surveillance systems are given greater priority.

Configuration management (8.9)

• The focus is increasing turning to hardening and secure IT system configuration.

Information deletion and data masking (8.10 and 8.11)

• The data protection requirements have been revised. This includes requirements in the area of secure data deletion, compliance with external requirements and data masking by means of anonymisation and pseudonymisation methods.

Data leakage prevention (8.12)

• Unauthorised data leaks are to be avoided by means of data leakage prevention (DLP).

Physical security monitoring (8.16)

• Anomalies are to be detected by monitoring networks and application behaviour. The main objective is to ensure the use of intrusion detection and prevention systems (IDS, IPS).

Web filtering (8.23)

• Web filtering methods are designed to prevent the infiltration of malicious code when accessing external websites.

Secure coding (8.28)

• Secure coding should be supported through the use of tools, the monitoring of libraries and repositories and avoiding non-secure coding methods, among other things.

In general, it is clear to see that expenses relating to implementation, operation and certification will increase markedly.

These new requirements also have a direct impact on the required processes set forth in Sections 4 to 10 of ISO/IEC 27001. Examples include:

• Questions regarding
• adequate staffing of roles and responsibilities (5.3)
• sufficient dimensioning of resources (7.1)
• appropriate skills and expertise (7.2)
• adequate training or instruction (7.3)
• Changes to internal and external communications (7.4)
• Identification and assessment of risks (6 and 8)
• Changes to the audit programme and internal audits (9.2)
• Changes to the SoA (Statement of Applicability) to come in line with the new Annex A (6).

It remains to be seen what specific changes will result from the revisions to ISO/IEC 27001.

To obtain certification under the new standard or renew an existing certification, fulfilment of the new or revised requirements must be verifiably demonstrated during the transition phase. To do so, your company must identify existing gaps, close them and demonstrate the effectiveness of the revised technical and organisational measures. The latter generally takes the form of an internal audit.

Are you aware of the new and revised requirements and do you know an effective and appropriate way to meet them in the future? Do you have a project plan in place for how you will implement these requirements by the end of the transition periods in order to maintain certification? Do you have the necessary professional, HR and technical resources available to you?