ISO/IEC 27002: changes and consequences for ISO/IEC 27001 certified organizations

The new version of ISO/IEC 27002, a standard of great practical use to anyone dealing with information security, has recently been announced.

Information security is a constantly evolving area, and international standards are thus also subject to continuous updates.

What, then, is the state of progress of the latest update to the ISO/IEC 27002 standard? And what impact will it have on ISO/IEC 27001 certified companies?

State of progress of the latest ISO/IEC 27002

The new version of ISO 27002 is still in the draft phase, and it is reasonable to assume that the definitive version of the updated standard will be approved by the end of 2021.

The draft already makes clear that the standard will be radically changed in the areas we will describe shortly, but what impact will there be on ISO 27001 certified companies?

A necessary introduction: the ISO 27000 series

The ISO 27000 series comprises a set of standards and guidelines that lay out the requirements for creating an information security management system (ISMS) within an organization.

As with every ISO series, the 27000 series is made up of a range of standards, only some of which are “certifiable”.

ISO/IEC 27001 is the standard that lays out the requirements for the information security management system, the one companies must meet in order to be certified; ISO/IEC 27002 is a guide to implementing the management system’s controls, based on a set of best practices.

Currently, ISO/IEC 27001 establishes the requirements for the management system and, in its annex A, the controls to be implemented, while ISO/IEC 27002 provides detailed implementation guidance for those controls.

But this situation is soon destined to change:

  • ISO/IEC 27001 may still remain unchanged for a few years.
  • ISO/IEC 27002 will soon be updated, changing the structure of the controls (which may therefore no longer correspond to those provided for by the current ISO 27001).

New ISO/IEC 27002: new structures and new controls

The update to 27002 contains various new aspects, which we have summarized in the following table.

Impacts on ISO/IEC 27001 certified companies

Can ISO/IEC 27001 certified companies breathe a momentary sigh of relief? It may seem so, for a number of reasons.

First and foremost, the update to ISO 27002 is still only a draft. Moreover, the standard that lays out the requirements for information security management systems is, and remains, ISO/IEC 27001; until the latter is updated, there will be no concrete impact on certification or on the security measures to be implemented.

ISO 27001 will undoubtedly be updated in order to align it with the new version of 27002. The question is when this alignment will occur. Some believe that the next update will not come before 2024; some leaks, however, suggest that only annex A of ISO/IEC 27001 will be updated for the release of the new ISO 27002 (presumably by the end of the year).

What is certain is that until annex A of ISO/IEC 27001 is updated, auditors will continue to base their audits on the current version of annex A, which provides for 114 controls.

Conclusion

The update to ISO/IEC 27002 is a big step towards streamlining information security controls. The standard is a very useful tool for companies wishing to be certified, but also for those that intend only to raise their information security level.

The effects of the conceptual reorganization of the controls in the updated ISO/IEC 27002 will be understood more clearly only once the certifiable standard, 27001, or its annex A, is updated.

As such, two scenarios may come to pass:

  • If annex A of ISO 27001 is not updated alongside the adoption of the new version of ISO/IEC 27002: organizations that want to look ahead by adopting the controls laid out in the new version of 27002 can do so as soon as the new standard is formally adopted, on condition that a mapping table is attached to the Statement of Applicability relating those controls to the 114 controls currently provided for by ISO/IEC 27001.
  • If, on the other hand, annex A of ISO 27001 is updated when the new version of ISO 27002 is released, certified organizations and those undergoing certification will have to prepare accordingly and structure their controls in line with it in order to renew or obtain the certification.

In this changeable context, it is always necessary to keep up to date in order to ensure your organization has the best possible preparation.

The Advisory Team

Lutech’s Advisory Team accompanies clients along the 27001 certification path, allowing them to optimize their efforts and channel the expertise required to receive the certification in the shortest possible timeframe.
Lutech’s professionals boast many years of experience in the various fields required to obtain this certification. They are experts who belong to multi-disciplinary teams, with the background necessary to guarantee the best support possible to clients who wish to obtain or renew their ISO/IEC 27001 certification.
