New version of ISO/IEC 27002 released

The changes to the 2022 version of information security guidance standards primarily relate to controls that help companies address changing security scenarios and related risks.

The latest update to ISO/IEC 27002 was in 2013 with minor edits in 2017. Thus, a revision was long overdue. Today’s information security, cyber security and privacy risks have dramatically changed. The threat to all companies has intensified and managing information security has become a matter of business continuity and resilience. Attacks or breaches can at best be a nuisance, but there are increasingly cases where businesses are severely impacted, production hampered or completely stopped for days and even weeks.

“The topic is very much at the core of most corporate agendas and boards. It seems that everyone is at risk, but many have not implemented a proper and robust system to identify, manage and mitigate their information security risks. The updated standard helps companies address the changing information security scenarios,” says Nanda Kumar Shamanna, ICT business manager of Business Assurance in DNV.

The new version addresses controls related to digital and cloud technologies and incorporates cyber security and privacy threats (such as ransomware and malware). The standard has also been reviewed to address other security perspectives, through the identification of various attributes.

The changes to this guideline standard will impact the certifiable standard ISO/IEC 27001. The revision of ISO/IEC 27001 is expected to be published later this year, possibly in October. The changes are expected to be solely related to the controls (Annex A). The transition timeline will be decided as part of the ISO/IEC 27001:2022 release later this year; however, with the release of ISO/IEC 27002 it is possible to start preparations.

The main benefits of the new version for certified companies:

  • Addresses new scenarios and risks;
  • Helps understand other security perspectives;
  • Includes cybersecurity and privacy aspects;
  • New controls to ensure new scenarios and risks are not missed.

For companies this means primarily reviewing processes and systems related to leadership, corporate security, IT function, delivery (if service provider) and other support functions.