Discussions about ISO/IEC 27001 invariably include a reference to ISO/IEC 27002. Both these standards form a part of the expansive ISO/IEC 27000 family of standards, which comprises over a dozen standards addressing best practices in information security, cybersecurity, and data protection. ISO/IEC 27001, a management system standard, outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), and it serves as the benchmark against which organizations are certified. On the other hand, ISO/IEC 27002 operates as a guideline standard that provides guidance on the implementation of information security controls. These controls are concisely referenced in Annex A of ISO/IEC 27001.
The evolution of the Information and Communications Technology (ICT) industry over the years has driven the development of laws, regulations, and standards such as ISO/IEC 27001 (formerly BS 7799-2), ISO/IEC 27002 (formerly BS 7799-1), ISO/IEC 15408 (formerly Common Criteria), PCI DSS, FIPS, NIST SP 800-14, COBIT, and GDPR, among others. As we tread through the fourth decade since the introduction of ISO/IEC 27001 and ISO/IEC 27002, it’s essential to reflect on the major developments and challenges in information security throughout each decade and their influence on the development and revision of these standards.
1990-2000
In the 90s, there was a rapid increase in the use of personal computers and the Internet, driven by the inventions and developments of the previous two decades. Such growth introduced boundless opportunities but also gave rise to new challenges in information security and data protection. The rise in the diversity and complexity of malware, such as viruses, worms, and Trojans, along with an increase in phishing attacks, necessitated the development of robust protective measures. This led to the creation of anti-virus software, firewalls, cryptography systems, and the Secure Socket Layer (SSL) during this period.
The increased threats to information security eventually led to the development of formal standards and regulations. As a result, the first version of ISO/IEC 27002, known as BS 7799-1, was published in 1995 through a collaboration between the Department of Trade and Industry (DTI) and private businesses in the UK. This standard, referred to as a code of practice for IT security management, allowed organizations to be independently assessed for conformance, but not to be certified. Following a significant review that began in 1998, the revised BS 7799-1 was published in 1999, alongside a new standard, BS 7799-2. Part 1, titled Code of Practice for Information Security Management, was designed to offer guidance on information security management. Part 2, titled Specification for Information Security Management Systems, was intended for use in assessment and certification.
2000-2010
The first decade of the 21st century was marked by the advent of mobile devices, social media, and cloud computing. Internet accessibility from almost anywhere in the world led to the emergence of new and more sophisticated security threats and scams. In addition to these security challenges, this era also witnessed an increase in data privacy and protection issues due to the expanded use of the internet, social media, and cloud computing.
In response to the escalating security challenges, formal security standards continued to evolve. In 2000, BS 7799-1 underwent minor changes to become an international guidance standard and was retitled as ISO/IEC 17799 – Information Technology – Code of Practice for Information Security Management. BS 7799-2 was updated in 2005 to align with the changes in Part 1 and to ensure harmonization with other international requirement standards, subsequently being retitled ISO/IEC 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements. ISO/IEC 17799 received further revisions in 2005 and was once again updated in 2007, when it was retitled as ISO/IEC 27002 – Information Technology – Security Techniques – Code of Practice for Information Security Management.
2010-2020
The period from 2010 to 2020 saw the emergence of internet-connected devices, collectively known as the Internet of Things (IoT), and the advancements in artificial intelligence (AI) and machine learning technologies. While these developments led to significant data breaches and sophisticated cyber-espionage, they also heightened awareness and concerns around information security, cybersecurity, data privacy, and data protection.
In response to these growing concerns and advancements, new versions of ISO/IEC 27001 and ISO/IEC 27002 were published in 2013. The updated ISO/IEC 27001 adopted Annex SL, the high-level structure now used by all ISO management system standards, which introduced a consistent structure, content, terms, and definitions across them. The updated ISO/IEC 27002 contained 14 control domains, 35 control objectives, and 114 controls, compared with the previous version's 11 control domains, 39 control objectives, and 133 controls. Some controls were consolidated or removed, while four new controls were added in the 2013 version: cryptography, operations security, communications security, and supplier relationships.
2020-present
The period from 2020 to the present has been marked by a surge in cyber threats and attacks, significant advancements in security technologies, and changes in cybersecurity legislation, largely driven by the COVID-19 pandemic. The main types of cyber threats and attacks during this period include phishing attacks, ransomware attacks, remote work vulnerabilities, disinformation campaigns (also known as "fake news"), supply chain attacks, and data breaches. Numerous security technologies have been developed and refined to counter these evolving threats, including, but not limited to, artificial intelligence and machine learning, zero trust architecture, Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), Quantum Key Distribution (QKD), Privacy-Enhancing Technologies (PETs), Secure Access Service Edge (SASE), and Cloud Security Posture Management (CSPM).
Over the last three years, privacy laws have become more stringent, and cybersecurity laws have been updated. International organizations like ISO and NIST have updated their frameworks and guidelines to address the changing landscape of cybersecurity threats and the rapid pace of technological evolution. As part of this ongoing process, the updated version of ISO/IEC 27002 was published in March 2022, followed seven months later by the updated version of ISO/IEC 27001.
2022 Changes
Compared with the 2013 version, the 2022 version of ISO/IEC 27002 has changed in both the structure and the number of controls. The 2013 version included 14 domains and 114 controls, whereas the 2022 version includes 4 domains and 93 controls. Some controls from the previous version have been renamed, merged, or deleted entirely, and the remaining controls have been regrouped into four larger categories: A.5 Organizational Controls, A.6 People Controls, A.7 Physical Controls, and A.8 Technological Controls. The 2022 version also introduces 11 new controls, which are as follows:
5 Organizational Controls
5.7 Threat Intelligence (1)
5.23 Information Security for the Use of Cloud Services (2)
5.30 ICT Readiness for Business Continuity (3)
7 Physical Controls
7.4 Physical Security Monitoring (4)
8 Technological Controls
8.9 Configuration Management (5)
8.10 Information Deletion (6)
8.11 Data Masking (7)
8.12 Data Leakage Prevention (8)
8.16 Monitoring Activities (9)
8.23 Web Filtering (10)
8.28 Secure Coding (11)
The new version of ISO/IEC 27001, as compared to the 2013 version, introduces minor changes, with the addition of two new clauses, 4.2(c) and 6.3. Clause 4.2(c) requires organizations to address the requirements of interested parties through the information security management system (ISMS). Clause 6.3, titled Planning of Changes, requires organizations to carry out changes to the ISMS in a planned manner once the need for such changes has been determined. Annex A of ISO/IEC 27001 provides a concise summary of the controls, which are detailed further in ISO/IEC 27002.
As per the Transition Requirements for ISO/IEC 27001:2022 – Issue 2 published by the International Accreditation Forum (IAF), organizations currently certified against ISO/IEC 27001:2013 are required to complete the transition to the 2022 version within a three-year window beginning on October 31, 2022, and ending on October 31, 2025. Organizations may, however, transition to the new version voluntarily before that deadline.
It is essential for organizations seeking initial certification or recertification to take note of this timeline and ensure their compliance by implementing or transitioning to the new version of ISO/IEC 27001.
If you have any questions or need assistance with transitioning your organization’s management system to the new standard, feel free to contact us.