Last Updated on March 16, 2023
The new and upcoming changes to the ISO 27001 and ISO 27002 “gold standards” for cybersecurity are a big deal for organizations across our global industry that have achieved or are working towards ISO 27001 certification, as well as for the service providers that support them.
One of the key structural/categorization changes within the ISO 27002 control set is the recapitulation of 14 control domains into just four “themes” as a top-level organizing principle for the controls. These themes are in turn supported by a rich collection of searchable “attributes” assigned to each control.
To unpack how these changes look and what they mean for your security and privacy program, we invited Danny Manimbo and Ryan Mackie, co-leads for the ISO certification practice at Schellman, to join a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Less is more
The 4 new themes that encompass the former 14 clauses for grouping the ISO 27002 controls are:
What was the point of this change?
“I think the main objective of the change was to make the controls more modernized, simplified, and versatile, and really just making the standard more user friendly and generally more useful,” Danny relates. “This is also where things like the attributes and the associated views come into play.”
“When you have 114 controls scattered across 14 domains (A.5 through A.18), it can get a bit cumbersome,” continues Danny. “Getting down to those themes was more of a simplified approach to where now you’re just looking at four main buckets, right? You’ve got People in clause 6, which is now 8 controls. You’ve got Physical, clause 7, which is now 14 controls. So not a whole lot between those two, whereas the meat and potatoes of the standard is really in the Technological controls of clause 8, which has 34 controls. Everything else, which is 37 controls, falls into Organizational controls, which is clause 5.”
“So, it’s getting away from that control objective format that everybody’s used to, for example clause 9 with access controls, which had four control objectives that sat under it with the associated controls all rolling up to achieve that control objective,” adds Danny. “Whereas now, it’s a pivot away from that in a more simplified approach with those themes.”
Grouping by responsibility
Ryan shares the insight that the new themes help to group the controls according to who is responsible for them: “Organizational controls are more about policies and procedures, so you would assume maybe system ops? Technological might be IT. Physical would be those responsible for facilities. I think that’s going to be a good approach when organizations take a look at the controls. HIPAA takes a similar approach. I think getting away from the domains avoids a lot of the duplication we had in the 2013 control set.”
Consolidation of controls has also reduced redundancy and functional overlap.
“I actually like that—that’s smart,” offers John. “Now you have me more intrigued to dig into the 94 individual controls. Having that [responsibility] context to revisit it is really cool.”
To hear this special show on ISO 27002:2022 all the way through, click here.
Want best-practice guidance on optimizing your ISO 27001 program? You’ll love this recent podcast episode: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance