Day: Tue 17 Jan 2023

There is nothing new in the 2022 version of ISO27001 and ISO27002. [aka: How to match 2022 with 2013 version and easily fix your Statement of applicability (SoA).]

Introduction

Early last year ISO updated the ISO27002 to version 2022, putting the previous version to rest after almost 10 years.

The ISO27002:2022, “Information security, cybersecurity and privacy protection — Information security controls”; This document provides a set of guidelines for generic information security controls.
And in fact, it’s the foundation of the ISO27001 Annex (remember the annex is derived from the ISO27002).

The ISO27001:2022, published in october 2022, is a new land mark for information security and governance best practices and basics.

With the launch, there has been a lot of articles explaining what changed.

In numbers we went from 114 controls to 93, which looks like a compression but there are also 11 new controls added.

I explained this situation in an article I wrote early last year in #PECB Insights Magazine: here is the link

How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001 (PECB Insights Magazine, 25 mar 2022)

Most important : section “New controls in ISO/IEC 27002:2022”:

New as in, new named controls in ISO27002 version 2022… with explicit requirements.
But if you look into them, you’ll discover you can perfectly fit them in the existing ISO27001:2013 version to protect your environment.

And you should have them implemented already a long time ago.

They are not new to protect your current environment against the current cyber threats.

But how do you map these new ISO27002/ISO27001:2022 controls in the existing 2013 implementation?

The quick and dirty overview

A bit more details

A bit more explanation needed, check this XLS Spread Sheet.

Extra reading material

The various controls and clauses in the new ISO27002 provide some interesting references to other standards, you could check:

  • Additional information relating to cloud services to be found in
    • ISO/IEC 17788,
    • ISO/IEC 17789 and
    • ISO/IEC 22123-1.
  • Cloud portability support and exit strategies
    • ISO/IEC 19941.
  • information security and public cloud services
    • ISO/IEC 27017.
  • PII protection in public clouds
    • ISO/IEC 27018.
  • Supplier relationships for cloud services
    • ISO/IEC 27036-4 and
  • cloudservice agreements
    • ISO/IEC 19086 series,
  • security and privacy specifically covered by
    • ISO/IEC 19086-4
  • guidance on ICT readiness for business continuity :
    • ISO/IEC 27031.
  • guidance on business continuity management systems
    • ISO 22301 and
    • ISO 22313.
  • guidance on BIA
    • ISO/TS 22317.
  • information on ICT security evaluation
    • ISO/IEC 15408 series.

Some free stuff: https://ffwd2.me/FreeISO

So, what IS new then??

For the hardcore perfectionistas: yes, the ISO27002 does update and change some the security controls, to be more modern.

Also the structural approach in the ISO27002 is now PPT, correction PPPT: Physical, People, Process and Technology (logical security tools).

But more important, major changes are actually present in the ISO27001 management clauses, not really in the ISO27002 (considering a reshuffle).
The most important update on the level of governance, compliance and audit DOES contain some important updates.

And it will be more result based, related to risk.

Do you want to know what has changed significantly, in de management processes, have a look at the presentation I hosted with PECB:

https://youtu.be/Vm8d-vIBNvo

You can download the presentation from slideshare:

ISO/IEC 27001:2022 – What are the changes? from PECB (at SlideShare)

And there is more interesting stuff as extra, on this LinkedIN article:

Background info

Conclusion

So, there is some work to do, moving from ISO27001:2013 to ISO27001:2022…

But make your life easy, fix the ISMS implementation now, update your SoA using the ISO27002 translation tables.
Watch out for the extra requirements in ISO27001 (As Koenraad Béroudiaux rightfully mentions on LinkedIn: check clause 4.4 and 8.1).

More info in the webinar.

Get ready!

It’s not perfect, send your feedback.

If you got improvement suggestions, let me know.

We can always make it better, together.

I’ll update the blog post and files with constructive suggestions.

Need more?

If you are curious about the topics below, let me know.

  • personal use spreadsheet for SoA mapping 2022 and 2013 version
  • personal use spreadsheet ISO27002:2022 categories to keep using the ISO27001, the same way you did before (organizing your ISMS with 14 business functions like management, HR, CISO, dev, legal, operations, …)

You know were to find me here on LinkedIn, here on Twitter, by mail, or direct messaging via Signal and other.