ISO/IEC 27002 is a guidance standard related to the international information security management standard ISO/IEC 27001. The standard is aimed at all types and sizes of organizations, private as well as public, looking for a systematic approach to work with information security. ISO/IEC 27002 provides guidance to organizations on selecting controls for implementing an information security management system (ISMS).
An organization implementing an ISMS selects, based on its risk profile, the controls in Annex A of ISO/IEC 27001 that are relevant to achieve an appropriate level of security. It is precisely these controls that are covered by ISO/IEC 27002 in order to render the organization capable of qualifying and identifying actions that are deemed necessary. ISO/IEC 27002 covers a total of 93 controls, including recommendations for policies, processes, procedures, organizational structures, and software and hardware functions.
The new edition of ISO/IEC 27002 was published in February 2022. In the new edition, the number of controls has been considerably reduced (from 114 to 93), and the standard now has a new structure that is based on four themes: organizational, technological, physical and behavioral controls. The standard’s new structure and content provide enhanced ease of use, e.g. by applying a number of new perspectives to clarify the different characteristics of the controls. The people behind the revised standard are experts from all over the world, who have engaged in thorough discussions in order to land on this new and improved version.
Danish Standards has prepared a white paper in Danish dealing with the changes in the new version of the standard.
We expect to publish the Danish translation of ISO/IEC 27002 in the autumn of 2022.
Danish Standards has already started working on translating the standard. However, all European countries will have to wait to publish the standard in their native language until the international standard has been adopted as a European standard. This process has also been initiated.
The revision of ISO/IEC 27002 renders the reference to the previous edition of ISO/IEC 27002 in ISO/IEC 27001, Annex A obsolete. Consequently, a review of ISO/IEC 27001 has begun in order to ensure alignment between the two standards. A revised version of ISO/IEC 27001 will be available in October 2022. The revised version will solely contain changes to Annex A, which covers justifications for the selection and deselection of controls and the "Statement of Applicability" (SoA document).
If you are currently certified to the applicable version (from 2017) of ISO/IEC 27001, your certification will remain unchanged after May 2022, however only for a limited period of time. After a transition period of three years from the date of publication, certification to the former version becomes officially obsolete. This means that companies certified to the 2017 edition will have to be re-certified to the new ISO/IEC 27001:2022 by October 2025 at the latest.
ISO/IEC 27002 can act as a source of inspiration in identifying and establishing the controls appropriate to the organization. It can be used as a risk management tool in conjunction with the risk management standard ISO/IEC 27005. To get an overview of the interaction between requirements and guidance standards in the ISO/IEC 27000 family of standards and the connection to privacy information management standards, please refer to https://www.ds.dk/da/om-standarder/cyber-og-informationssikkerhedsstandarder (in Danish)
The publication of the new version of ISO/IEC 27002 impacts other standards in the ISO/IEC 27000 series, as reference is made to ISO/IEC 27002 or because this particular standard is used as the underlying structure. As a result, the following standards will be revised in the years to come: ISO/IEC 27001 (see above), ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27008, ISO/IEC 27009, ISO/IEC 27010, ISO/IEC 27011, ISO/IEC 27017, and ISO/IEC 27019.
Owing to increased digitalization, the risk of cyber-attacks and other types of IT crime increases accordingly. Therefore, ISO 27001 on information security is a standard that every company or organization should consider.
In the SoA document, the organization selects from a list of possible measures which measures it wants and does not want to implement to address the identified risks.
The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.