ISO 27002 Is Going Through a Major Revision: What This Means for Companies’ ISO 27001 Certifications

  • April 26, 2021

The International Organization for Standardization (ISO) is changing the structure of the ISO 27001/27002 control framework after 20 years. The name of the standard has changed a few times — British Standard (BS) 7799 Part 1 & 2 in the 1990s, to ISO 17799 in 2000, followed by ISO 27001/27002 — but the structure of the controls have largely remained the same until now.

What’s the difference between ISO 27001 and ISO 27002?

You can get an ISO 27001 certification, but not an ISO 27002 certification because it’s not a management standard that provides a full list of compliance requirements. ISO 27002 is a supplementary standard that provides advice on how to implement information security controls, and they’re listed in Annex A of ISO 27001.

ISO 27001 requires companies to perform a risk assessment to identify risks, what controls are required to mitigate the risk, and how it should be implemented. ISO 27002 on the other hand is simply information on a control, how it works, and how it could be implemented — it doesn’t tell you whether it’s applicable to your company.

How do the ISO 27002 revisions impact your company?

Typically, ISO will provide a period of time before companies will be required to adopt the updated ISO 27001 standard, so companies have time to make changes. You can expect the new standard to be published within the next year.

ISO 27001 may also require less implementation than what ISO 27002 recommends, but we’ll have more clarity once the new ISO 27001 standard is published. There will be a few configuration and process changes that will be a lower lift such as subscribing to threat intelligence feeds. 

Navigating these changes can be confusing but Secureframe is here to help! When the new ISO 27001 standard is released, Secureframe customers will be able to easily transition over before their next audit. 

What is changing in the ISO standards?

Many controls have been removed and consolidated while some new ones have been added. Instead of having 14 categories with 114 controls, there are now 4 themes with 93 controls.

New controls were added to cover the following:

  • Threat intelligence 
  • Information security for use of cloud services 
  • Information and communication technology (ICT) readiness for business continuity
  • Physical security monitoring
  • Configuration management 
  • Information deletion 
  • Data masking 
  • Data leakage prevention 
  • Monitoring activities 
  • Web filtering 
  • Secure coding 

There are now five attributes for each control:

Correspondence and mappings with ISO/IEC 27002:2013 are available in Annex B in the ISO 27002 draft.

If you’re ready to get ISO 27001 compliant or renew your certification, but are unsure how to navigate these changes, Secureframe can help! Request a demo or please reach out to sales@secureframe.com and we’ll be happy to get you started.