Saku Tuominen

The author works as an information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.

The average life expectancy of an ISO standard is about five years at a time. When the hourglass has run out of sand, a vote takes place to decide whether to maintain the ISO standard as-is, revise it, or withdraw it altogether.

ISO 27002 will change significantly and more than 27001, which doesn't really change at all

ISO 27001 is not expected to change much; the reforms are mainly cosmetic. The substantive changes will almost exclusively concern ISO 27002, which contains the security techniques and code of practice for information security controls. In 2018, a decision was made to revise ISO 27002:2013. The new revision is currently under publication and is expected to be published in February 2022.

The little things - 27001

To be precise – and because we’re dealing with a standard, we really should be precise – ISO 27001 will see changes such as:

  • Annex A will refer to the controls in ISO/IEC 27002:2022
  • The terms in the notes to clause 6.1.3 (c) have been harmonized
  • The wording of clause 6.1.3 (d) has been revised to improve clarity and remove ambiguities

In short, the ISO 27001 is not really changing at all – but it’s a bit clearer.

The bigger things - 27002

Where ISO 27001 is merely clarified a bit, the changes in ISO 27002 are almost revolutionary. Changes will be seen in both control objectives and classifications. In the new revision there are fewer controls altogether, and they are categorized into themes (instead of security domains): organizational, people, physical and technological controls.

Some new controls are added to respond to and reflect the ever-changing threat landscape. They cover topics such as threat intelligence, identity management, cloud security, business continuity, physical security, endpoint management, configuration management, information deletion, data masking, data leakage prevention, web filtering, and secure coding. As a new feature, hashtags have been added to each control; among other things, they align the control with the five core Functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and express whether the control is preventive, detective or corrective in nature.

Some controls have been retired completely. The primary goal is to avoid duplicates and improve alignment with the new controls. Examples of retired controls include mobile device policy, ownership of assets, password management system, and delivery and loading areas.

What should be done to prepare?

Once the revised ISO 27001 is published, the length of the transition period from the 2013 revision will be announced; typically it is 12 or 24 months. If the standard is actually published in March 2022, a 12-month transition period means that all certification or follow-up audits conducted after March 2023 must use the new revision.

While waiting for this certain but not yet precisely scheduled release, it is good to:

  • go through existing controls in accordance with the new 27002 (e.g. in the next internal audit)
  • update risk assessments and SoA, as the controls to mitigate risk will be updated as well
  • ensure good compatibility of existing GRC and SIEM reporting tools with the new compliance requirements
  • update metrics and monitoring to reflect new risk assessments and Annex A changes
  • update the internal audit program to reflect changes to the ISMS