Publication: ISO/IEC 27002:2022
Action required
Take note that ISO/IEC 27002:2022 Information Security, cybersecurity and privacy protection – Information security controls is published.
Affected customers
All SCC Accredited CyberSecure and Information Security Management System Certification Bodies, applicants, assessors and other relevant stakeholders.
Background
ISO/IEC 27002:2022 Information Security, cybersecurity and privacy protection – Information security controls was updated and published on February 9, 2022, and Annex A of ISO/IEC 27001 aligns with these changes.
Transition details are included in ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Please refer to Bulletin 2022-25 for more information and important dates related to this document.
What has changed in ISO/IEC 27002:2022?
- The main part of ISO/IEC 27001 did not change.
- Only the security controls listed in ISO/IEC 27001 Annex A are required to be adapted to ISO/IEC 27002:2022.
- Controls are reduced from 114 to 93: there are 11 new controls, 24 merged controls, and 58 updated controls.
- Controls are organized in four sections instead of 14.
- Each control in ISO/IEC 27002:2022 is associated with a matrix of five attributes with corresponding attribute values:
  - Control types (Preventive; Detective; Corrective)
  - Information security properties (Confidentiality; Integrity; Availability)
  - Cybersecurity concepts (Identify; Protect; Detect; Respond; Recover)
  - Operational capabilities (Governance; Asset_management; Information_protection; Human_resource_security; Physical_security; System_and_network_security; Application_security; Secure_configuration; Identity_and_access_management; Threat_and_vulnerability_management; Continuity; Supplier_relationships_security; Legal_and_compliance; Information_security_event_management; Information_security_assurance)
  - Security domains (Governance_and_Ecosystem; Protection; Defence; Resilience)
The 3rd edition introduces attributes and states a purpose for each individual control, rather than an objective for each group of controls.
New requirements
- This notification is informative; it allows accredited certification bodies to prepare their audit processes and to provide guidance and information to their clients.
- Accredited certification bodies will be required to verify that their Information Security Management System clients adapt Annex A, along with their documentation, processes and procedures, to ISO/IEC 27002:2022 within the prescribed transition period.
There is no requirement to schedule new audits, as the transition period allows sufficient time to verify updates to Annex A controls.
How does this affect the role of our ISMS Lead Auditors?
The main portions of ISO/IEC 27001 did not change; therefore, no additional training is required. Accredited certification bodies may choose to provide training on Annex A as it aligns with ISO/IEC 27002:2022.
Deadline
None.
Questions?
Please contact Abdel Kassou, Manager, Compliance and Assessment Services, at abdel.kassou@scc-ccn.ca or +1 613 238 3222 for more information.