
IRM360 B.V. Marcel Lavalette 31 March 2022

New ISO 27002:2022

What does this mean for the CyberManager and ISO 27001?

Since February 2022 there has been a new ISO/IEC 27002:2022 standard. Our customers in the Netherlands have asked us several questions about the new ISO. In this blog we discuss:

  1. New ISO/IEC 27002:2022 standard
  2. ISO 27001 is not the same as ISO 27002
  3. ISO 27001 audit and certificate, the Annex A and SOA
  4. How does the new ISO 27002:2022 differ from the previous one?
  5. What does the new ISO 27002 have to do with my ISO 27001 certification?
  6. Will there be any changes to CyberManager in terms of content and functionality?

1) New ISO/IEC 27002:2022 standard

ISO/IEC 27002:2022 is the successor to ISO/IEC 27002:2013. There is quite some confusion about this, because in the Netherlands it is available as NEN-EN-ISO/IEC 27002:2017. What is the reason for this difference in designation and year?

The International Organisation for Standardisation (ISO) draws up standards. The organisation is a partnership of the national standardisation bodies of 163 countries, such as the NEN in the Netherlands. At the international level, ISO works together with the IEC, the International Electrotechnical Commission, which is why some standards carry the ISO/IEC designation. NEN stands for the Netherlands Standardisation Institute, which is responsible for registering standards in the Netherlands. The EN designation stands for the European standardisation organisation and applies to the whole of Europe; the national standardisation institutes such as NEN then publish these standards in their own countries. A NEN-EN-ISO/IEC standard is therefore an international standard that has also been adopted in Europe and, by the NEN, in the Netherlands. Often there is an addition such as NL to indicate that it is also available in Dutch.

Because time may pass between the publication of an international standard and its translation and/or harmonisation with local legislation, there may be a (minimal) difference in content and a difference in publication date. In principle, however, the "national" NEN-EN-ISO/IEC 27002:2017 standard is the same as ISO/IEC 27002:2013.


2) ISO 27001 is not the same as ISO 27002

ISO 27001 is a globally recognised standard in the field of information security. It describes the Information Security Management System (ISMS): the process for controlling information security risks. It is currently only possible to certify against the ISO 27001 standard.
The current versions are:

  • ISO/IEC 27001:2013 (international) and in fact still the current standard
  • NEN-EN-ISO/IEC 27001:2017

3) ISO 27001 audit and certificate, the Annex A and the SOA

An ISO 27001 audit focuses mainly on process assurance, the ISMS, but during the audit the control measures described in Annex A of the ISO 27001 standard document are tested as well. Annex A is a list of control measures taken from ISO 27002, including its numbering, chapters and sections, but Annex A and ISO 27002 are not the same document.

The ISO 27002 standard goes further than this list of control measures: for each control measure it provides more in-depth guidance in the form of "best practices" (techniques that may be applied, working methods, etc.) to give substance to the control measure.

You are free to apply other control measures (your own or from other standards such as CIS, NIST-CSF, etc.) as long as you demonstrably comply with the control measures in the Annex A.

For each control measure you must indicate whether or not it is applicable and whether or not it has been implemented. You declare this in the so-called Statement of Applicability (SoA). The SoA also records the version of the standard used during the ISO 27001 audit, e.g. NEN-EN-ISO/IEC 27001:2017+A11:2020.

Hey, another designation, "+A11:2020"? The "+A11" refers to the changes made by the NEN and ":2020" to the year in which the change was made. The NEN uses its own numbering for the same standard in the Netherlands, which can be confusing. Other countries may also use their "own" numbering.
I hope you are still following......?


4) How does the new ISO 27002:2022 differ from the previous one?

We will not go into all the changes in this blog, since a lot is already known about them; instead we mainly explain the issues that our users will have to deal with.

In the old ISO/IEC 27002:2013, each control measure (best practice) consisted of:

  • Control description
  • Implementation Guidance (Best practice)

The new ISO/IEC 27002:2022 no longer speaks of "best practices" but only of controls, and each control now consists of:

  • Control (control measure)
  • Purpose
  • Guidance

In addition, an attribute table is given for each control (the attributes are explained below) that can help to select (filter) control measures on various criteria.

Control type: three types of control to select from, in terms of when and how the control acts in the event of an information security incident:

  • Preventive: the control must prevent an information security incident from occurring;
  • Detective: the control acts when an information security incident occurs;
  • Corrective: the control acts after an information security incident has occurred.

Information security properties: three properties to select control measures by the information characteristic they protect: Confidentiality, Integrity and/or Availability.

Cybersecurity concepts is an attribute to select control measures from the perspective of cybersecurity concepts defined in the ISO/IEC TS 27110 cybersecurity framework and in the NIST CSF model: Identify, Protect, Detect, Respond and Recover.

Operational capabilities is an attribute to select control measures from the perspective of the owner or manager of a given area. The attribute values are: Governance, Asset Management, Information Security, HR, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity & Access Management, Vulnerability & Threat Management, Continuity, Vendor Management, Compliance, Information Security Incident Management and Assurance.

Security domains is an attribute to select control measures from the perspective of four information security domains: Governance and Ecosystem, Protection, Defence and Resilience.

All of the attributes described above from ISO 27002 are generic and organisations may choose to disregard one or more of the attributes or create their own.

5) What does the new ISO 27002 have to do with my ISO 27001 certification?

At the moment, nothing: there is no new ISO 27001 standard yet, and thus no new Annex A. Of course there will be one, and Annex A will then be aligned with ISO 27002:2022 in format and in the numbering of the control descriptions. The NEN expects an updated Annex A for the existing ISO/IEC 27001:2013 in May, possibly with a designation such as +A1:2022? After all, it will then be the first "amendment" to the new Annex from 2022. Many will wait for the Dutch amended NEN-EN-ISO/IEC 27001:2017+A1:2022, which is expected at the end of 2022.

If you already have a certificate, you do not have to do anything immediately: a transition period of 2 years applies from the moment the new ISO 27001 standard with the updated Annex A becomes available. If you are working on a certification project, it depends on when you will carry out the audit whether it is best to focus on the new ISO 27001 and Annex A already. Discuss this with your certification body or implementation partner, for example!

6) Will anything change in CyberManager in terms of content and functionality?

The structure of the new Annex A will most likely not differ much from the current Annex A: it will again be a list of control measures, but:

  • The format will follow the new Annex A, based on ISO 27002:2022
    1. Old: 14 chapters and 114 control measures
    2. New: 4 chapters (Human, Technique, Physical & Organisation)
  • 93 control measures instead of 114, so less work? There are 11 new ones, and they are included in the total of 93. But how? In the new 27002, many of the 114 control measures that already belonged together have been merged, some have remained the same and one measure has been split, arriving at 82 measures; together with the 11 new ones this makes 93. The complete list of differences between ISO 27002:2013 and ISO 27002:2022 can be found in Annex B of ISO 27002:2022.

This will look familiar to CyberManager users who work with the CyberManager measure set. Where the new standard has 4 chapters and 82 merged control measures, the CyberManager measure set was already based on 7 paragraphs and 71 merged measures.

So we understand the approach of the new ISO 27002:2022; we only went a little further. By the way, the CyberManager measure set can still be used in the new setup.

As soon as the new Annex A is in place, the following will be processed:

6.1) Addition of ISO/IEC 27001:2017 +A1:2022 if you have a licence.

6.2) We provide a different measure classification

Measures are moved to the correct chapter, some are merged, and the 11 new measures are added or integrated.

All existing links from controls to other standards such as ISAE 3402, SOC 2, etc. will continue to exist. In fact, nothing changes with respect to the existing and merged measures.

New templates for the new measures: in the new ISO 27002, new control measures have been added, which therefore also need to be added to or integrated into the measure set:

- Threat intelligence (cl. 5.7)
- Information security for use of cloud services (cl. 5.23)
- ICT readiness for business continuity (cl. 5.30)
- Physical security monitoring (cl. 7.4)
- Configuration management (cl. 8.9)
- Information deletion (cl. 8.10)
- Data masking (cl. 8.11)
- Data leakage prevention (cl. 8.12)
- Monitoring activities (cl. 8.16)
- Web filtering (cl. 8.23)
- Secure coding (cl. 8.28)

You must implement these new control measures regardless of whether you use the "old" ISO 27002:2017, the CyberManager measure set or another set derived from the old ISO 27002.

A catch?

ISO 27002:2022 includes a reference table (Annex B) for tracing the "old" control measures to the new ones. The text of some control measures has been amended, partly due to the mergers (in which case the content changes little), but the text may also have been amended on its own. For some control measures whose best practices have now been included as implementation guidance, the content of the control measure itself has also changed and, consequently, so has Annex A.

We will of course point this out to you in due course, but you will have to check whether your current measures still fit.

6.3) And in terms of functionality?

The measure selection process for generating measure proposals (baseline) in CyberManager is already largely compatible with the use of these attributes.

The system already offers possibilities to work with selections (attributes) such as control types, but a "detective" type has not yet been applied.

The information security properties have already been implemented.

Cybersecurity concepts and security domains are already applied as security-level attributes, via the cybersecurity concepts of the CIS Controls and the NIST CSF.

The attribute "Operational capabilities" is partly covered in CyberManager by process/organisation and/or resource types.

The new ISO 27002:2022 therefore does not bring any major changes; where necessary we will supplement the system so that the alignment with ISO 27002:2022 is as good as possible for customers who wish to use it.


For the convenience of this blog, a number of passages have been translated from ISO/IEC 27002:2022, but we advise you to wait for the official Dutch translation of the new standards.

Sources: information made available by the NEN during the February webinar, the ISO/IEC 27002:2022 standard, the NEN website, the ISO.org website and our certification body.

Questions?

We can imagine that you may have questions about ISO 27002:2022 or would like to coordinate matters with us in advance; we are of course happy to help.

Want to know more about ISO 27001 or other certifications that may be of interest to your organisation, and how CyberManager can help?

We will be happy to get in touch for opportunities and information!

Mail to: sales@irm360.nl, fill in the contact form, or contact your partner.