The most noticeable feature is that the structure is very different to previous editions

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

ISO/IEC 27002 — Information security controls

Introduction

The new edition of ISO/IEC 27002 was published on Tuesday 15 February 2022. The previous edition (Edition 2) was published in 2013. Thus, the new edition has been almost nine years in the making. This article looks at the new edition and reflects on the differences between it and the previous edition.

Structure

The most noticeable feature of the new edition is that the structure is very different to that of all previous editions. In ISO/IEC 27002:2013, in common with ISO/IEC 27002:2005 and going right back to BS7799:1995, information security controls were grouped by subject headings, such as “information security policy” and “human resources security”. In the new edition they are grouped by “theme”. There are four themes: organisational, physical, people and technological, being the traditional four pillars of information security. A new feature is that controls are additionally characterised by attributes. Attributes are intended to allow organisations to group controls in ways (called views) to suit their particular needs. The attributes cited in the new edition are examples, and organisations are encouraged to define their own attributes (and there is an annex that explains how to do this). The example attributes are control types, information security properties, cybersecurity concepts and operational capabilities. Each control is presented in a standard way:

  • Control name
  • Example attributes
  • Control text
  • Control purpose
  • Implementation guidance
  • Other information

Controls

The new edition adopts the new ISO 31000 definition of a control, i.e., measure that maintains and/or modifies risk. The previous definition (see ISO/IEC 27000:2020, for example) did not include the ability of a control just to maintain risk. This lead to a criticism of ISO/IEC 27002 in that it contained controls that did not modify risk (e.g., security policy by itself does not modify risk). The new definition thereby removes this criticism. Moreover, it also removes the criticism that some controls are duplicates of other controls, being the same generic control expressed in a different risk context. This makes ISO/IEC 27002 into a more powerful application of the Alternative Ideas List concept.

Mergers, deletions and new controls

Annex B of the new edition, shows the correspondence between the controls in the new edition and those in ISO/IEC 27002:2013. It shows that 54 Edition-2 controls have been split/combined to make 23 Edition-3 controls, one Edition-2 control has been deleted, and 11 completely new controls have been created. Thus, there are 114 - 54 + 23 - 1 + 11 = 93 controls in the new edition.

Impact on ISO/IEC 27001

The publication of the third edition of ISO/IEC 27002 is now refected in the third edition of ISO/IEC 27001.