Changes to ISO 27001 and ISO 27002 – What You Need to Know


Written by: alcumus
13th April

If you’re already ISO 27001 certified, working toward it or just thinking about it, changes are being introduced that will impact your ISO 27001 Information Security Management System (ISMS) or the way you approach its implementation.

You need to understand what this means for you, because you will eventually have to update your management system. There is plenty of time, though: if you are already certified, you do not necessarily need to do anything right now.

Current ISO 27001 certification is based on the 2013 version of the standard (ISO/IEC 27001:2013), and that version remains the one in force. One of its requirements is that you select and implement a set of information security controls, compare your selection against the list in Annex A of the standard and justify any exclusions in a Statement of Applicability. Annex A only names the controls; the implementation guidance for each one is in the companion document “ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls” (or just ISO 27002, as it’s commonly known).

ISO 27002 has now been updated. It was released in February 2022 and it’s now called “ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls".

Remember that organisations are certified to ISO 27001 only, not to ISO 27002, which is guidance rather than a certifiable standard. The new version of ISO 27002 will therefore not be audited as part of your current certification. For now, the controls listed in Annex A of ISO/IEC 27001:2013 continue to be the ones you are audited against.

Will ISO 27001 be updated?

Yes. Annex A of ISO 27001 is derived from the control list in ISO 27002, so the changes to ISO 27002 mean ISO 27001 will have to be revised too, with a new Annex A that references the 2022 controls. Publication of the new version is imminent - we expect it to be launched by October 2022 at the latest.

What do we need to do right now?

If you’re already certified to ISO 27001:2013, you’ll eventually have to update your ISMS. However, you’re normally given three years from the publication date of a new version of an ISO standard to transition to it, and since the new ISO 27001 hasn’t even been released yet (as of April 2022), you’ll have plenty of time.

Nevertheless, you won’t want to leave it to the last minute. Now is a good time to work through what the changes to ISO 27002 will mean for your business, map your existing controls to the new ones, and plan to implement the changes once the new ISO 27001 is published.

What’s new in ISO 27002

Amongst the most significant changes in this new version of ISO 27002 is a restructured list of controls. In the old version there were 114 controls in 14 categories (known as ‘domains’). In the new version there are 93 controls grouped into four themes: organisational, people, physical and technological. Eleven of these controls are entirely new, 24 are merges of two or more 2013 controls, and the remaining 58 are 2013 controls carried over with updated wording. None of the 2013 controls has simply been dropped; the lower count comes from merging overlapping controls, and Annex B of the new standard maps each 2013 control to its 2022 counterpart. Each control now also carries a set of attributes (for example its control type: preventive, detective or corrective) so that controls can be filtered and grouped in ways that suit different frameworks and audiences.

Just to give you a flavour of the changes, the eleven new controls (with their numbers in ISO/IEC 27002:2022) are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

To summarise: if you’re already certified, our advice is not to change your management system until the new version of ISO 27001 is published and you’ve liaised with your certification body about its transition arrangements. If you aren’t certified yet, the right approach depends on the date by which you need your certificate and whether your audit will fall before or after the new version is published - so take advice.

Please contact us if you have any questions. In the meantime, download our free ISO 27001 Gap Analysis, which serves as an ideal checklist for your system and a useful aid if you’re thinking of implementing ISO 27001.