The most noticeable feature is that the structure is very different to previous editions

  
  Need help with implementing ISO/IEC 27001 or want to improve your ISMS? — contact IMS-Smart today for a consultancy quotation
 

ISO/IEC 27002 — Information security controls

Introduction

The new edition of ISO/IEC 27002 is now a draft international standard (DIS). This means that it is in its final stages of being prepared for publication. The current edition (Edition 2) was published in 2013. Thus, the new edition has been almost nine years in the making. This article looks at the published draft and reflects on the changes that have been made.

Structure

The most noticeable feature of the DIS is that the structure is very different to that of all previous editions. In ISO/IEC 27002:2013, in common with ISO/IEC 27002:2005 and going right back to BS7799:1995, information security controls were grouped by subject headings, such as “information security policy” and “human resources security”. In the DIS they are grouped by “theme”. There are four themes: organisational, physical, people and technological, being the traditional four pillars of information security. A new feature is that controls are additionally characterised by attributes. Attributes are intended to allow organisations to group controls in ways (called views) to suit their particular needs. The attributes cited in the DIS are examples, and organisations are encouraged to define their own attributes (and there is an annex that explains how to do this). The example attributes used in the DIS are control types, information security properties, cybersecurity concepts and operational capabilities. Each control is presented in a standard way:

  • Control name
  • Example attributes
  • Control description
  • Control purpose
  • Implementation guidance
  • Other information

Controls

The DIS adopts the new ISO 31000 definition of a control, i.e., measure that maintains and/or modifies risk. The previous definition (see ISO/IEC 27000:2020, for example) did not include the ability of a control just to maintain risk. This lead to a criticism of ISO/IEC 27002 in that it contained controls that did not modify risk (e.g., security policy by itself does not modify risk). The new definition thereby removes this criticism. Moreover, it also removes the criticism that some controls are duplicates of other controls, being the same generic control expressed in a different risk context. This makes ISO/IEC 27002 into a more powerful application of the Alternative Ideas List concept.

Mergers, deletions and new controls

Annex B of the DIS, shows the correspondence between the controls in the DIS and those in ISO/IEC 27002:2013. It shows that 54 Edition-2 controls have been split/combined to make 23 Edition-3 controls, one Edition-2 control has been deleted, and 11 completely new controls have been created. Thus, there are 114 - 54 + 23 - 1 + 11 = 93 controls in the DIS.

Impact on ISO/IEC 27001

The publication of the third edition of ISO/IEC 27002 will force a revision of ISO/IEC 27001 because the reference to ISO/IEC 27002 in ISO/IEC 27001, Annex A is a dated reference. It says “…controls listed…are directly derived from…ISO/IEC 27002:2013…”. This means that when the new edition of ISO/IEC 27002 is published, the previous edition (ISO/IEC 27002:2013) will no longer exist and therefore the current edition of ISO/IEC 27001 will be referring to a non-existent standard and will have to be replaced.

There is another compelling reason for updating ISO/IEC 27001, and that is replace the Annex A reference controls with the up-to-date set of reference controls aligned to those in the new edition of ISO/IEC 27002. As explained in BS 7799-3:2017, if an organisation has overlooked a necessary control that is not in ISO/IEC 27001, Annex A, then the SOA cross-checking process will not find it. This is why it is important to keep ISO/IEC 27001, Annex A up-to-date.

As a full revision of ISO/IEC 27001 is likely to take some time, the most likely course of action will be to issue an amendment, causing just the replacement of Annex A with the controls in new edition of ISO/IEC 27002 (and a few minor word changes in the notes in Clause 6.1.3 d)This ISO/IEC 27001 clause requires organisations to compare the necessary controls they determined through the process of risk treatment with those in Annex A. The notes refer to “control objectives and controls”, but the term “control objectives” has been replaced by the term “control purposes”).

The future

However, whilst it is interesting to speculate on the future of ISO/IEC 27001, the first task is to further progress the DIS towards becoming an international standard. In the UK, the public commenting period closed on 22 March, and the National Body ballots have closed. All the comments have been collated, analysed and their dispositions agreed by the international committee. In accordance with ISO rules, the criteria for progression having been met, the document will be released as a final draft international standard (FDIS). At that stage, further technical changes are not possible and, following proof reading and editorial corrections, the document will be published as the third edition of ISO/IEC 27002.