Every day, the world of security, privacy, and compliance faces new and complex challenges. As the threat landscape evolves, so do the security frameworks designed to protect organizations from security incidents and malicious entities.
Recently, ISO 27001 was updated along with its companion guidance standard ISO 27002. This updated version’s official title is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection.
Keeping up with the latest changes to compliance requirements can be difficult, which is why we make it part of our mission to notify customers of any industry or regulatory changes they need to know about. In this article, we’re explaining the changes made to ISO 27001 and ISO 27002 and what they mean for your compliance posture.
ISO 27001 is an internationally-respected information security framework. It outlines the requirements to establish, maintain, and continually improve an information security management system (ISMS). Organizations can pursue ISO 27001 certification by completing an external audit by an accredited ISO audit firm.
On the other hand, ISO 27002 isn’t a standard that you can be certified on — it’s a companion to ISO 27001 that provides guidance and explains the purpose, design, and implementation of each control in greater detail.
The ISO 27001:2022 standard was officially published in October 2022. Overall, the updates in the ISMS Clauses 4-10 include minor wording and structural changes.
For example, changes to Clause 6: Planning remove ambiguity and outdated language (such as the term "control objectives").
In terms of structural changes, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, the requirements remain the same.
Similarly, Clause 9.3: Management review was split into three subsections — 9.3.1: General, 9.3.2: Management review inputs, and 9.3.3: Management review results. The 2022 version also introduces a new Clause 6.3: Planning for Changes.
The major change that organizations need to be aware of is the official update to the Annex A controls, reflected in the "Annex A" section of the new ISO 27001:2022 standard.
ISO published changes to ISO 27002 back in February 2022. The major changes to ISO 27002 (and therefore ISO 27001) include consolidating and reorganizing the original 14 Annex A control domains into 4 categories:
As a result, the total number of controls was also reduced from the original 114 to 93: 58 controls remain mostly unchanged, with minor contextual updates; 57 controls were merged into 24 controls; and 11 controls are brand new (not found in ISO/IEC 27001:2013).
The 11 new controls added to Annex A include:
Organizations that are currently certified to ISO 27001:2013 will have three years to transition to ISO/IEC 27001:2022. The transition period starts on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period.
Organizations pursuing ISO 27001 for the first time (both Stage 1 and Stage 2 audits) can still be certified on the 27001:2013 version until October 2023.
In either case, the transition audit can be combined with your next scheduled audit (e.g., a surveillance audit or a recertification audit together with the transition audit) or performed separately.
Whether you’re pursuing ISO 27001 compliance for the first time or just need an easier way to maintain certification, Secureframe can help. We’ll work with you to design an ISMS that aligns with ISO 27001 standards and your organization’s needs, help you get audit ready fast, and monitor your tech stack to ensure continuous compliance.
To learn more, schedule a demo of Secureframe today.