ISO/IEC 27002: changes and consequences for ISO/IEC 27001 certified organizations

The new version of ISO/IEC 27002, a standard which is extremely useful for those dealing with information security, has recently been announced.

Information security is a constantly evolving area, and international standards are thus also subject to continuous updates.

What is, then, the state of progress of the latest update to the ISO/IEC 27002 standard? And what impacts will it have on ISO/IEC 27001 certified companies?

The new version of ISO 27002 is still in the draft phase, and it is reasonable to assume that the definitive version of the updated standard will be approved by the end of 2021.

The draft already makes clear that the standard will be radically changed in the areas we will describe shortly, but what impact will there be on ISO 27001 certified companies?

The ISO 27000 series of standards identifies a series of regulations and guidelines which lay out the requirements for creating an information security management system within an organization.

Like with all ISO series of standard, the 27000 series is also made up of a range of standards, of which only some are “certifiable”.

While ISO/IEC 27001 is the standard which lays out the requirements of the information security management system, the one companies have to follow in order to get certified, ISO/IEC 27002, is a guide to the implementation of the management system based on a series of best practices.

Currently, ISO/IEC 27001 establishes a series of requirements for the management system and controls to implement, while ISO/IEC 27002 provides a precise explanation of these.

But this situation is soon destined to change:

• ISO/IEC 27001 may still remain unchanged for a few years.
• ISO/IEC 27002 will soon be updated, changing the structure of the controls (which may therefore not correspond to those provided for by the current ISO 27001).

The update to 27002 contains various new aspects, which we have summarized in the following table.

Can ISO/IEC 27001 certified companies breathe a momentary sight of relief? It may seem so, for a number of reasons.

First and foremost, the update to ISO 27002 is only in the draft stage. As well as this, the standard which lays out the requirements for information security management systems is and remains ISO/IEC 27001 – therefore, until the latter is updated, there will be no concrete impact on certification and the security measures to be implemented.

ISO 27001 will undoubtedly be updated, in order to align it with the new version of 27002. The question is, when will this alignment occur? Some believe that the next update will not come before 2024; some leaks, however, have suggested that only annex A of ISO/IEC 27001 will be updated for the release of the new ISO 27002 (presumably by the end of the year).  

What is certain is that until annex A of ISO/IEC 27001 is updated, auditors will continue to base their inspections on the current version of annex A, which currently provides for 114 checks. 

The update to ISO/IEC 27002 is a big step towards streamlining of information security checks. This standard represents a very useful tool for companies wishing to be certified, but also for those who intend only to raise their information security level.

The effects of the conceptual reorganization of the checks in the update to ISO/IEC 27002 will be understood more clearly only with the update to the certifiable standard, 27001, or its annex A.

As such, two scenarios may come to pass:

• If annex A of ISO 27001 is not updated alongside the adoption of the new version of ISO/IEC 27002: organizations which intend to focus on the future by adopting the checks laid out in the new version of 27002 can do so as soon as the new standard is formally adopted – on condition that a conversion table is attached to the Statement of Applicability specifying the 114 checks currently provided for by ISO/IEC 27001.
• If, on the other hand, annex A of ISO 27001 is updated at the time of the release of the new version of ISO 27002, certified organizations and those undergoing certification will have to prepare themselves as a consequence, and structure their checks in keeping with it, in order to renew or obtain the certification.

In this changeable context, it is always necessary to keep up to date in order to ensure your organization has the best possible preparation.