Publication: ISO/IEC 27002:2022

Bulletin date:
Bulletin number:
2022-26

Action required

Take note that ISO/IEC 27002:2022 Information Security, cybersecurity and privacy protection – Information security controls is published. 


Affected customers

All SCC Accredited CyberSecure and Information Security Management System Certification Bodies, applicants, assessors and other relevant stakeholders.

 

Background

ISO/IEC 27002:2022 Information Security, cybersecurity and privacy protection – Information security controls was updated and published on February 9, 2022, and Annex A of ISO/IEC 27001 aligns with these changes. 


Transition details are included in ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Please refer to Bulletin 2022-25 for more information and important dates related to this document.


What has changed in ISO/IEC 27002:2022?

  • The main part of ISO/IEC 27001 did not change.
  • Only the security controls listed in ISO/IEC 27001 Annex A are required to be adapted to ISO/IEC 27002:2022.
    • Controls are reduced from 114 to 93: there are 11 new controls, 24 merged controls, and 58 updated controls.
    • Controls are organized in four sections instead of 14.
    • Each control in ISO/IEC 27002:2022 is associated with a matrix of five attributes with corresponding attribute values:
      • Control types (Preventive; Detective; Corrective)
      • Information security properties(Confidentiality; Integrity; Availability)
      • Cybersecurity concepts (Identify; Protect; Detect; Respond; Recover)
      • Operational capabilities (Governance; Asset_management; Information_protection; Human_resource_security; Physical_security; System_and_network_security; Application_security; Secure_configuration; Identity_and_access_management; Threat_and_vulnerability_management; Continuity; Supplier_relationships_security; Legal_and_compliance; Information_security_event_management;  Information_security_assurance) 
      • Security domains (Governance_and_Ecosystem, Protection, Defence and Resilience)

 

The 3rd Edition includes the introduction of attributes and the use of purpose for each control instead of objective for a group of controls.

 

New requirements

  • This notification is informative to allow accredited certification bodies to prepare audit processes, provide guidance and information to their clients.
  • Accredited certification bodies will be required to verify that their Information Security Management System clients adapt Annex A, their documentation, processes and procedures with ISO/IEC 27002:2022 within the prescribed transition period.

  • There is no requirement to schedule new audits as the transition period will allow sufficient time to verify updates in Annex A controls during the transition period.

     

How does this affect the role of our ISMS Lead Auditors?
The main portions of ISO/IEC 27001 did not change therefore no additional training is required. Accredited certification bodies may choose to provide training on Annex A as it aligns with ISO/IEC 27002:2002.


Deadline

None.


Questions?

Please contact Abdel Kassou, Manager, Compliance and Assessment Services, at abdel.kassou@scc-ccn.ca or +1 613 238 3222 for more information.