On 15 February 2022, the International Organization for Standardization (ISO) published ISO/IEC 27002:2022, and the document became available on the ISO standards store the same day. It provides a reference set of controls for information security, cybersecurity and privacy protection. These controls give an organisation a common structure for managing a broad risk profile: information security, cybersecurity, and the human elements that accompany privacy protection. To make full use of the new edition, you need to know what has changed and how those changes affect your organisation.
What has been updated and changed?
ISO/IEC 27002:2022 carries a new title, “Information security, cybersecurity and privacy protection — Information security controls”, replacing the 2013 edition's “Code of practice for information security controls”. The change positions ISO/IEC 27002:2022 as a reference set of controls, with implementation guidance, that can be used as part of an ISMS built on ISO/IEC 27001.
ISO/IEC 27002:2022 also regroups its controls. The document defines a control as “a measure that maintains and/or modifies risk”. The 14 clauses of the 2013 edition are replaced by four themes: organisational controls, people controls, physical controls and technological controls. The total number of controls drops from 114 to 93, with 11 controls that are entirely new (for example threat intelligence, cloud services security, data masking, data leakage prevention and web filtering); the remainder are 2013 controls that have been merged or updated.
To support risk assessment and risk treatment, every control in the new edition now carries a set of attributes. There are five attribute types: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities and security domains. Because each attribute is a hashtag-style value, you can filter and sort the controls to produce views tailored to a particular audience, for example all detective controls, or all controls relevant to the “Respond” function.
ISO/IEC 27002:2022 also has two annexes. Annex A explains how to use the attributes to build filtered views of the control set. Annex B maps each control in the 2022 edition to its counterpart(s) in the 2013 edition, and the reverse, which is what you will use to carry an existing Statement of Applicability across to the new numbering.
What is the transition process between standards?
Certification is against ISO/IEC 27001, not ISO/IEC 27002, so the formal transition only starts once the revised ISO/IEC 27001 is published and its Annex A is aligned to the new control set. Organisations certified to ISO/IEC 27001:2013 can expect a three-year transition period from that publication date, which should be enough time to make the changes required.
The costs of transitioning, consulting, implementation and certification
The standard itself is a once-off purchase of CHF 198 from the ISO store, which at the time of writing converts to roughly R3 300.
WWISE offers a transition service for organisations certified to ISO/IEC 27001:2013 that want to adopt the new ISO/IEC 27002:2022 controls.
Depending on the size, scope, complexity and maturity of the organisation's processes (established through a gap assessment), the transition can cost anywhere from R150 000 to R10 million. The cost rises further if existing tools, applications and infrastructure are not aligned to the requirements of the standard.
Implementing ISO/IEC 27002:2022
After purchasing the standard, you have a reference set of generic information security controls together with implementation guidance for each, grounded in internationally recognised good practice. Organisations can use the document to select and implement controls within an ISMS based on ISO/IEC 27001:2013. One caveat: the Annex A of ISO/IEC 27001:2013 still follows the 2013 control numbering, so until the revised ISO/IEC 27001 is published you will need the Annex B mapping in ISO/IEC 27002:2022 to show your auditor how the new controls correspond to the Annex A controls listed in your Statement of Applicability.
Steps to transition to ISO/IEC 27002:2022
To start the transition, purchase the new standard and find out how your Certification Body intends to handle the change. Each Certification Body sets its own transition arrangements, so consult yours before you begin. Then run a gap analysis of your existing ISMS against ISO/IEC 27002:2022; this will tell you which tasks you have to complete during the transition.
Wait for your Certification Body to announce that it is extending its scope to the new controls, and confirm that it has competent auditors able to audit against ISO/IEC 27001:2022 once that revision is released. At the time of writing, ISO/IEC 27001:2022 had not been officially published; discussion on industry forums pointed to a release around June 2022.
The mandatory documents needed when adopting ISO/IEC 27002:2022
Since the release of the new edition, many people have asked which documents they must maintain to conform with ISO/IEC 27002:2022. ISO/IEC 27002 is a guidance document and does not itself mandate documentation; the requirements for documented information come from ISO/IEC 27001, and how the revised ISO/IEC 27001 will phrase them is not yet clear. For reference, when ISO/IEC 27001:2013 was published, the mandatory documents were: