Organisations can protect information assets using the ISO 27000 series of standards. Furthermore, it helps organisations better manage the security of assets like financial data, intellectual property, and employee information. The most well-known standard in this family is ISO/IEC 27001 for Information Security Management System (ISMS), also connected to ISO 27002 Certification.
What is ISO/IEC 27001:2022 Certification?
The certification promotes a comprehensive approach to information security, encompassing the scrutiny of personnel, policies, and technological infrastructures. Implementing an information security management system with ISO/IEC 27001 not only serves as a pivotal tool for risk management but also fosters cyber resilience and operational excellence within the organisation.
What is ISO/IEC 27002 Certification?
ISO/IEC 27002 is a complementary standard focusing on the information security controls that organisations must deploy. These controls are part of Annex A of ISO/IEC 27001, a reference frequently cited by information security professionals when discussing such measures. However, while Annex A security controls provide concise descriptions of each control in a sentence or two, ISO/IEC 27002 offers a more comprehensive exploration by allocating approximately one page per control. This depth allows the standard to explain the functionality of each control, articulate its objectives, and provide guidance on its implementation.
Is ISO/IEC 27001 the same as ISO/IEC 27002?
ISO 27001 is the primary standard for certifying a business, whereas ISO 27002 is a supplementary standard offering guidance on implementing security controls. An essential distinction is while ISO 27001 certification is attainable for a company, ISO 27002 certification is voluntary.
How is ISO/IEC 27001 different from ISO/IEC 27002 Certification?
ISO/IEC 27001:2022 certification is achievable, whereas ISO/IEC 27002 certification is not. ISO/IEC 27002 is intended for use by organisations as a reference for control selection that provides guidelines for information security management practices, including security controls implementation and management. ISO/IEC 27001 also documents requirements for setting up, implementing, maintaining, and continuously improving an information security management system. Standards that contain regulations can be certified by organisations, but standards that offer guidance cannot be certified.
Other differences are as follows:
- ISO 27001 offers a concise overview of an Information Security Management System (ISMS), leaving detailed guidance to supplementary standards like ISO 27002. Other standards, such as ISO 27003 and ISO 27004, provide specific advice on ISMS implementation and monitoring.
- An organisation can attain ISO 27001 certification but not ISO 27002 certification. Moreover, this is because ISO 27001 outlines comprehensive compliance requirements as a management standard, while supplementary standards like ISO 27002 focus on specific facets of an Information Security Management System (ISMS).
- Implementing an Information Security Management System (ISMS) is crucial to recognise that not all information security controls are relevant. ISO 27001 underscores this by requiring organisations to conduct a risk assessment to identify and prioritise security threats. However, ISO 27002 lacks directives and is challenging to determine suitable controls.
Latest Revision in ISO/IEC 27001 and ISO/IEC 27002 Certification
ISO/IEC 27001:2013, last updated in 2022, the full title of the new version is ISO/IEC 27001:2022 for Information Security, Cybersecurity and Privacy Protection.
Changes of ISO/IEC 27001:2022 Certification
- Annex A provides references to the controls included in ISO/IEC 27002:2022, encompassing both the control and its title.
- Editorial revisions to the note in Clause 6.1.3 c) include the removal of the “control objectives” and the substitution of “control” for “information security control.”
- Clause 6.1.3 (d) has been reworded to remove ambiguity and increase clarity.
- Scope and Context: It requires an organisation to identify the pertinent requirements of stakeholders and determine which ones need to be incorporated into the ISMS. Moreover, this involves explicitly outlining the necessary processes and their interrelationships within the ISMS framework.
- Planning: The latest updates to information security standards emphasise monitoring information security objectives by mandating an organisation to maintain proper documents. Moreover, a new subclause addresses planning changes to the ISMS without prescribing specific processes. Therefore, organisations must ascertain methods to demonstrate the planning of changes within their ISMS.
- Annex A: The Annex A has undergone revisions to ensure alignment with ISO 27002:2022. The subsequent section delves into a detailed discussion of the controls outlined in Annex A.
Changes in ISO 27002 Certification
- People (8 controls)
- Organisational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
Additionally, several new controls have been introduced, including Threat Intelligence, Information security for the use of Cloud services, ICT readiness for business continuity, Physical security monitoring, Configuration management, Information deletion, Data masking, Data leakage prevention, Monitoring activities, Web filtering, and Secure coding. ISO 27002 controls are further categorised into five attribute types; these are:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identity, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience).
Conclusion ✅
The transition to the updated ISO/IEC 27001 standard should be smooth, with minor adjustments required for compliance. The main standard changes are minimal to facilitate quick updates to documentation and processes. Annex A controls see moderate changes but can be integrated into existing documentation. Expectations for sweeping revisions were high but not realised.