New edition 27002





		The most noticeable feature is that the structure is very different to previous editions
		HOME SERVICES Consultancy and training Productised IP-led IMS Service IMS-Smart On-Line Effective ISMS qualities Making the most of your ISMS BOOKS STANDARDS ISO/IEC 27001 ISMS Requirements Statement of Applicabiilty Risks and opportunities Risk treatment plans ISO/IEC 27002 Controls ISO/IEC 27004 Measurements ISO/IEC 27007 Auditing ISO/IEC 27014 Governance PHILOSOPHY Overview Architecture Time theory Opportunity exploitation Risk treatment Taxonomies Alternative ideas lists Effectiveness Continual improvement Auditing Implementation strategies CORPORATE About us IMS-Smart ISMS Customers Papers Enquiries Privacy policy IMS-Smart Suzuki motorcycle ≡
		The new build of IMS-Smart On-Line fully compatible with ISO/IEC 27001:2022 is now available

	ISO/IEC 27002 — Information security controls Introduction The new edition of ISO/IEC 27002 was published on Tuesday 15 February 2022. The previous edition (Edition 2) was published in 2013. Thus, the new edition has been almost nine years in the making. This article looks at the new edition and reflects on the differences between it and the previous edition. Structure The most noticeable feature of the new edition is that the structure is very different to that of all previous editions. In ISO/IEC 27002:2013, in common with ISO/IEC 27002:2005 and going right back to BS7799:1995, information security controls were grouped by subject headings, such as “information security policy” and “human resources security”. In the new edition they are grouped by “theme”. There are four themes: organisational, physical, people and technological, being the traditional four pillars of information security. A new feature is that controls are additionally characterised by attributes. Attributes are intended to allow organisations to group controls in ways (called views) to suit their particular needs. The attributes cited in the new edition are examples, and organisations are encouraged to define their own attributes (and there is an annex that explains how to do this). The example attributes are control types, information security properties, cybersecurity concepts and operational capabilities. Each control is presented in a standard way: Control name Example attributes Control text Control purpose Implementation guidance Other information Controls The new edition adopts the new ISO 31000 definition of a control, i.e., measure that maintains and/or modifies risk. The previous definition (see ISO/IEC 27000:2020, for example) did not include the ability of a control just to maintain risk. This lead to a criticism of ISO/IEC 27002 in that it contained controls that did not modify risk (e.g., security policy by itself does not modify risk). The new definition thereby removes this criticism. Moreover, it also removes the criticism that some controls are duplicates of other controls, being the same generic control expressed in a different risk context. This makes ISO/IEC 27002 into a more powerful application of the Alternative Ideas List concept. Mergers, deletions and new controls Annex B of the new edition, shows the correspondence between the controls in the new edition and those in ISO/IEC 27002:2013. It shows that 54 Edition-2 controls have been split/combined to make 23 Edition-3 controls, one Edition-2 control has been deleted, and 11 completely new controls have been created. Thus, there are 114 - 54 + 23 - 1 + 11 = 93 controls in the new edition. Impact on ISO/IEC 27001 The publication of the third edition of ISO/IEC 27002 is now refected in the third edition of ISO/IEC 27001.





This site does not use cookies, but if you logon to an IMS-Smart product you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2023
Page last updated: August 21, 2023