ISO/IEC 27002 — Information security controls


The new edition of ISO/IEC 27002 was published on Tuesday 15 February. The previous edition (Edition 2) was published in 2013. Thus, the new edition has been almost nine years in the making. This article looks at the new edition and reflects on the differences between it and the previous edition.


The most noticeable feature of the new edition is that the structure is very different to that of all previous editions. In ISO/IEC 27002:2013, in common with ISO/IEC 27002:2005 and going right back to BS7799:1995, information security controls were grouped by subject headings, such as “information security policy” and “human resources security”. In the new edition they are grouped by “theme”. There are four themes: organisational, physical, people and technological, being the traditional four pillars of information security. A new feature is that controls are additionally characterised by attributes. Attributes are intended to allow organisations to group controls in ways (called views) to suit their particular needs. The attributes cited in the new edition are examples, and organisations are encouraged to define their own attributes (and there is an annex that explains how to do this). The example attributes are control types, information security properties, cybersecurity concepts and operational capabilities. Each control is presented in a standard way:

  • Control name
  • Example attributes
  • Control text
  • Control purpose
  • Implementation guidance
  • Other information


The new edition adopts the new ISO 31000 definition of a control, i.e., measure that maintains and/or modifies risk. The previous definition (see ISO/IEC 27000:2020, for example) did not include the ability of a control just to maintain risk. This led to a criticism of ISO/IEC 27002 in that it contained controls that did not modify risk (e.g., security policy by itself does not modify risk). The new definition thereby removes this criticism. Moreover, it also removes the criticism that some controls are duplicates of other controls, being the same generic control expressed in a different risk context. This makes ISO/IEC 27002 into a more powerful application of the Alternative Ideas List concept.

Mergers, deletions and new controls

Annex B of the new edition shows the correspondence between the controls in the new edition and those in ISO/IEC 27002:2013. It shows that 54 Edition-2 controls have been split/combined to make 23 Edition-3 controls, one Edition-2 control has been deleted, and 11 completely new controls have been created. Thus, there are 114 - 54 + 23 - 1 + 11 = 93 controls in the new edition.

Impact on ISO/IEC 27001

The publication of the third edition of ISO/IEC 27002 forces a revision of ISO/IEC 27001. This is because the reference to ISO/IEC 27002 in ISO/IEC 27001, Annex A is a dated reference. It says “…controls listed…are directly derived from…ISO/IEC 27002:2013…”. This means that, now that the new edition of ISO/IEC 27002 has been published, the previous edition (ISO/IEC 27002:2013) no longer exists and therefore the current edition of ISO/IEC 27001 is referring to a non-existent standard. It must therefore be replaced.

There is another compelling reason for updating ISO/IEC 27001, and that is to replace the Annex A reference controls with the up-to-date set of reference controls aligned to those in the new edition of ISO/IEC 27002. As explained in BS 7799-3:2017, if an organisation has overlooked a necessary control that is not in ISO/IEC 27001, Annex A, then the SOA cross-checking process will not find it. This is why it is important to keep ISO/IEC 27001, Annex A up-to-date.

As a full revision of ISO/IEC 27001 is likely to take some time, the first course of action is to issue an amendment, causing just the replacement of Annex A with the controls in the new edition of ISO/IEC 27002 (and a few minor word changes in the notes in Clause 6.1.3 d)). This ISO/IEC 27001 clause requires organisations to compare the necessary controls they determined through the process of risk treatment with those in Annex A. The notes will now refer to Annex A as containing “a list of possible information security controls…”.