New ISO 27002:2022. The Swiss Army Knife of Security

They have kept us in suspense for a long time, but they finally published it in February of this year. The new version of the ISO 27002 international standard represents a long-awaited review by professionals and companies that have implemented an Information Security Management System (ISMS) based on ISO 27001. The last major version dates back to 2013 and, as we can imagine, information security, cybersecurity and the privacy of personal data have undergone great changes and have introduced new concepts in our daily lives.

Let us remember that ISO 27002 is the code of practice for the security controls proposed by the ISO 27001 standard itself. When implementing the ISMS, we must apply the controls needed to deal with the risks assessed in the organization, and this is where the code comes in: it guides us in implementing and managing those controls and in verifying that they are suitable. Until now, ISO 27002 was made up of a total of 114 controls, grouped into what we call control domains or areas of action (access control, human resources, development, etc.). Some controls have lost a lot of weight, such as those on removable media (we hardly use CDs or tapes any more, to mention a few), and others have a structure that no longer matches reality, as is the case of those dedicated to application development.

And what does the new version of ISO 27002 offer us? Let's summarize the main changes:

  • The total number of controls has been reduced to 93.
  • Domains, as we knew them from the previous version, have been removed. Controls are now organized into four sections: organizational, people, physical and technological controls.
  • Controls now have attributes. What are they for? Depending on the perspective from which we need to classify or view the controls, the attributes allow us to filter them. Each control therefore carries the following attributes:

– Type of control, which can be preventive, detective or corrective.

– Security property of the information it affects: confidentiality, availability and integrity.

– Concept of cybersecurity to which it applies: identify, protect, detect, respond or recover.

– Operational capabilities. This attribute is the most extensive and the most useful from the perspective of the person applying the control. Much like the domains of the previous version, it groups the controls under headings such as governance, physical security, threat and vulnerability management, human resource security and asset management.

– Finally, there is the security domains attribute, with four values: governance and ecosystem, protection, defence and resilience.

If we analyze the new controls in detail, we can see that they adapt much better to an environment such as cybersecurity. What was missing was an approach to the controls oriented towards cybersecurity, a specific area of information security that has become so relevant. Companies have been going through a digitization process for years, at greater or lesser speed, but an inevitable one in any case. That digitization was not backed by a rational list of security measures capable of adapting to the company, whatever its size or complexity. Likewise, the ability to classify controls according to different needs (cybersecurity implementation, security governance, implementation of controls, or the area where they are applied) finally gives more meaning to their application.

It should be noted that the new version must be adopted by all organizations certified against ISO 27001, within a period of two to three years. Years of work lie ahead of us: applying new controls, updating policies and procedures, reviewing their compliance and, above all, learning to secure company information.