The currently valid international standard ISO/IEC 27002 was issued in 2013. A new version will soon replace it. The new structure introduces a breakdown of information security controls according to categories and several other attributes. The latest version of the standard defines new controls, changes the original controls and combines some controls. This article briefly describes the main changes.
Structure of the standard
ISO/IEC 27002:2013 specifies a total of 114 information security controls in 35 categories in 14 chapters. Each of the categories contains the objective to be achieved and one or more controls.
The newly prepared standard ISO/IEC 27002:202x (probably 2021) will contain four main chapters and two informative annexes. Chapters 5 to 8 divide 93 information security controls into four categories (see below). Informative Annex A is dedicated to the attributes of information security controls, and informative Annex B maps the new structure of the standard to the previous one (in both directions).
Categories and other attributes of security controls
The standard defines four main categories of controls, and the security controls in the new version are grouped according to them: organisational controls (Chapter 5), people controls (Chapter 6), physical controls (Chapter 7) and technological controls (Chapter 8).
The standard introduces five additional attributes of controls that allow controls to be further grouped and classified.
- Types of controls: preventive, detective and corrective
- Information security properties: confidentiality, integrity and availability
- Cyber security concepts: identification, protection, detection, response and recovery
- Operational capabilities: governance, asset management, information protection, human resource security, physical security, systems and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance
- Security domains: governance and ecosystem, protection, defence and resilience
A single control can have several attributes assigned from the same group. For example, malware protection is a preventive, detective and corrective control. The organisation can also define its own attributes to manage security controls more effectively, such as the control’s maturity level, its implementation status or its priority.
New controls, as well as combining the original controls
The total number of controls has been reduced from 114 in ISO/IEC 27002:2013 to 93 in the new ISO/IEC 27002:202x. This is because some controls are combined. For example, the existing controls 8.1.1 – Inventory of assets and 8.1.2 – Ownership of assets are combined into one control, 5.09 – Inventory of information and other associated assets. There are also 12 completely new controls in the standard:
- 5.07 – Threat intelligence
- 5.23 – Information security for use of cloud services
- 5.30 – ICT readiness for business continuity
- 7.04 – Physical security monitoring
- 8.09 – Configuration management
- 8.10 – Information deletion
- 8.11 – Data masking
- 8.12 – Data leakage prevention
- 8.16 – Monitoring activities
- 8.23 – Web filtering
- 8.28 – Secure coding
Conclusion
The update of the ISO/IEC 27002 standard brings a positive change. The new controls reflect current information security challenges. The newly introduced categories and attributes allow a new view of the controls and contribute to their better management, resulting in a higher level of protection. We also see the grouping of related controls, and thus the smaller total number of controls, as positive.
It can be expected that the publication of the new ISO/IEC 27002 standard will also be accompanied by an update of ISO/IEC 27001, specifically its Annex A, which is linked to ISO/IEC 27002. An update of Clause 7 of ISO/IEC 27701, which complements the information security controls of ISO/IEC 27002 with privacy-related controls, can also be expected.
Organisations that have implemented an information security management system according to ISO/IEC 27001 will have to update their Statement of Applicability, their topic-specific policies and other ISMS documentation if they wish to keep up with the new versions.