
On January 28, 2021, the time had finally come: after eight years, the successor to ISO 27002:2013 was published as a draft. The 12-week period for comments is still running; once the comments have been processed, the standard will be finalized. Companies then have a transition period after final publication to bring their ISMS up to date, so it is worth getting to grips with the new standard now.

There have been discussions for some time about when the successor to the ageing ISO 27002 “Information technology – Security techniques – Code of practice for information security controls” would finally be published. ISO standards are normally reviewed on a cycle of around five years; here eight years have passed.

The wait was worth it. The new edition makes a tidy and comprehensive impression. This starts with the title, which now reads “Information security, cybersecurity and privacy protection – Information security controls”. It makes clear that information security is viewed holistically and that all of its elements are to be taken into account (cybersecurity), and that data protection is gaining importance here as well (privacy protection).

Structure of the ISO 27002:2021 standard

The most striking change is the new structure. While the old standard organized its controls into 14 clauses, there are now only four.

These are the thematic blocks 5 Organizational controls (37), 6 People controls (8), 7 Physical controls (14) and 8 Technological controls (34); the number of controls in each block is given in brackets. Anyone familiar with the standard will notice that there are now “only” 93 controls compared with the previous 114, and that 11 of them are new.

Anyone who concludes that the standard has actually been reduced is mistaken. Exactly one control has been deleted, 11.2.5 (Removal of assets); all the others have been sensibly merged into broader controls. For a company this tends to increase the implementation effort, and it becomes harder to exclude a control from the statement of applicability when it does not fit the organization, for example when a company does not develop software. Classic points such as “loading areas” or “export of cryptography” have likewise been folded into other controls and can therefore no longer be excluded on their own.

Normally, all terms are defined in one central place, ISO 27000, so that they are used consistently across the whole 27000 family. The 2021 edition nevertheless introduces 37 “new terms”, some of them adapted from other standards (including ISO 9000, 15489, 22301, 27031, 27035, 27050, 29100, 29134, 30000 and 31000). It also lists abbreviations for the first time, 33 in total.

As already mentioned, there are only four chapters left. Controls are assigned to them as follows:

  • category “People” if they concern individual (or several) persons;
  • category “Physical” if they concern physical objects;
  • category “Technological” if they concern technology;
  • otherwise they are classified as “Organizational”.

Evaluation of the measures

Each measure now carries a set of attributes. For 5.1 Policies for information security, the standard shows an attribute table with one or more values per attribute (the table is not reproduced here). The five attributes are the following:

The control type is an attribute that views controls from the perspective of when and how a control affects the risk outcome with regard to the occurrence of an information security incident. The attribute values are #Preventive (the control acts before a threat occurs), #Detective (the control acts when a threat occurs) and #Corrective (the control acts after a threat has occurred).

The information security properties are the classic protection goals of information security. The attribute values are #Confidentiality, #Integrity and #Availability.

Cybersecurity concepts is an attribute that views controls from a chronological perspective. The values are taken from the cybersecurity framework described in ISO/IEC TS 27101 and correspond to its five functions: #Identify, #Protect, #Detect, #Respond and #Recover.

Operational capabilities is an attribute that describes the subject area a control belongs to, seen from the practitioner’s perspective. The attribute values are #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management and #Information_security_assurance.

Security domains is an attribute that views controls from the perspective of information security domains, expertise, services and products. The attribute values are #Governance_and_Ecosystem, #Protection, #Defence and #Resilience.

Structure of the measures

Each measure has the following structure:

  • Control title: Short name of the control
  • Attribute table: Shows the value(s) of each attribute for the given control (see the previous section)
  • Control: The actual requirement, i.e. what has to be done
  • Purpose: Explains why the control is needed and what it is meant to achieve
  • Guidance: Implementation guidance for the control
  • Other information: Explanatory text or references to other related documents

As already mentioned, some of the controls have undergone major changes. This can already be seen in the first control (now 5.1 Policies for information security, formerly 5.1.1). In the 2013 edition the requirement was “A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties”; the new requirement is “Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur”.

The comparison shows how ambiguities in the previous standard have been resolved: policies must not only be communicated but acknowledged by their recipients, and they must be reviewed at planned intervals and after significant changes. It is therefore important for a company to keep its existing policies up to date over their entire life cycle, not just to write them once.

New measures

The new 27002 standard introduces 11 new controls, listed here with their number, title and requirement:

  • 5.7 Threat intelligence: Information relating to information security threats should be collected and analyzed to produce threat intelligence.
  • 5.23 Information security for use of cloud services: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
  • 5.30 ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
  • 7.4 Physical security monitoring: Premises should be continuously monitored for unauthorized physical access.
  • 8.9 Configuration management: Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
  • 8.10 Information deletion: Information stored in information systems and devices should be deleted when no longer required.
  • 8.11 Data masking: Data masking should be used in accordance with the organization’s topic-specific policy on access control and business requirements, taking legal requirements into consideration.
  • 8.12 Data leakage prevention: Data leakage prevention measures should be applied to systems, networks and endpoint devices that process, store or transmit sensitive information.
  • 8.16 Monitoring activities: Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.
  • 8.22 Web filtering: Access to external websites should be managed to reduce exposure to malicious content.
  • 8.28 Secure coding: Secure coding principles should be applied to software development.

Annexes

Annex A of the standard lists all controls with their attribute values once more and explains how the attributes can be used to filter and group the controls into different views, for example by cybersecurity concept or operational capability.

Annex B maps the new controls to the controls of ISO 27002:2013 and, in the other direction, the old controls to those of ISO 27002:2021.

Conclusion on the new ISO 27002 standard

ISO 27002 has been given a completely new look. The previous controls have been divided into four categories and merged where appropriate; 11 new controls have been added and only one deleted, leaving 93 controls in total. The new attributes make the purpose and scope of each control visible at a glance.

The 2021 edition leaves a clean and comprehensive impression. However, it is not enough simply to implement the 11 new controls, because new or extended requirements are “hidden” in the familiar ones. The standard has not yet been finalized, but anyone who operates an ISMS should already be studying it and taking the first steps. Note that ISO 27002 itself is not a certification standard: certification audits are conducted against ISO 27001, whose Annex A is derived from this control set. Once the new edition is published, the transition period before accredited bodies audit against the updated controls will be short.

Further information on goSecurity can be found at https://www.gosecurity.ch/