March 14, 2022

Last Updated on January 15, 2024

The ISO 27001 and ISO 27002 “gold standards” for cybersecurity are both changing in 2022. The new ISO 27002:2022 version was released on February 15, 2022 and the draft amendment to ISO 27001:2013 (no new version) followed shortly thereafter.

For ISO 27001 certified organizations and the service providers that support them, this is exciting stuff! While the main body of clauses 4 through 10 in ISO 27001 are not changing, the control set in Annex A/ISO 27002 is now considerably different in structure and content.

To share all the latest news on these changes and their importance for our industry, we hosted Danny Manimbo and Ryan Mackie, co-leads for the ISO certification practice at Schellman, on a recent episode of The Virtual CISO Podcast. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.

The ISO committee process

Ryan and Danny are both on the ISO 27000 committee that is “all thing 27000.” What has the process for creating the new ISO 27002:2022 been like?

“They started this process about four or five years ago,” recalls Ryan. It’s been a long process, so I want to applaud all the people on those ISO committees. A lot of time and effort went into building out this new control set for ISO 27002, and a lot of debates and discussions.”

The committee process starts with “experts” (including Ryan and Danny) around the world who create and review the new version of the standard. From there, “delegations” in different countries comment on the Draft International Standard (DIS). Once the comment period ends (it was about a year for ISO 27002), the draft standard is finalized.

“Things with ISO can take a long time to get through the voting and the approvals and ultimately get published,” adds Danny. “Schellman did a series of quarterly webinars on ISO 27002, but we didn’t have much to update our clients on. We were thinking the timeline for publication was going to be Q4 of last year and we were preparing our clients as such.”

What is the transition period?

“Also, we didn’t know if there was going to be a transition period [for certification to a new ISO 27001],” Danny relates. “So we were basically erring on the side of, ‘Hey, maybe there won’t be, so let’s all be ready.’ Which is a bit nerve-racking when you don’t know when something’s getting published and there might not be a transition period, potentially.”

Fortunately, there’s a bit more clarity now on the transition period, which will likely be two years. Thus, from the date the ISO 27001:2013 amendment is approved, certified firms will have two years to update their certifications to reflect the new controls.

 

First impressions

Perhaps the biggest change with the new ISO 27002 is not the new control set, but the new structure (4 “themes” instead of 14 control domains) and a new organizing principle, called attributes.

“The difference of going from a control domain focus to an attribute focus is going to be hard,” Ryan offers. “I think it’s going to be a challenging transition to rethink the approach to these control sets. But the end result is going to be great.”

What’s next?

To listen to the podcast on ISO 27002:2022 in its entirety, click here.

Looking for more tips on getting ready for ISO 27000 family changes? We recommend this recent post: Are You Ready for the New ISO 27001:2022?