Thoughts on the updated ISO 27002

Monday, 23 January, 2023

Thought clouds

In my previous blog post, we looked at the latest changes to ISO 27002. This included the changes to the controls with the new additions and the attributes table. In this blog post, I’ll be giving my thoughts on the new version and look if it’s improved enough.

Progressive changes

The latest revision title includes cyber security and privacy protection, not just information security. The change in perspective shows the progression since 2013 in the developments within the technology industry which are reflected in the new controls.

With continual developments in technology and the way businesses operate and work, there’s more focus on areas like cloud, software development and threat intelligence.


Why cloud? There has been a significant increase in businesses adopting the cloud and there continues to be an increase in businesses transforming their operations to be cloud based. So, it’s important that there’s a control on the security of cloud services.

Software development

Likewise, software development, alongside cloud, has a greater significance. Particularly in using secure coding processes, or using tools that assist in the assurance of code quality and security, so that developers do not introduce weaknesses or vulnerabilities into products.

Threat intelligence

Back in 2013, threat intelligence wasn’t something that was wide-spread. This new control highlights the importance of trends within industries in relation to cyber security through the ever-growing use of threat intelligence to help better understand threats and how to respond to them. With the increase in the past couple of years in remote working and more CVEs each year, it is even more important that collaboration in threat intelligence helps to make informed decisions.

Emphasis on physical security controls

There are still controls relating to physical security, including a new physical control. It’s only relevant to some companies, particularly given companies are not returning to offices by becoming remote or scaling down their use, or number of offices, due to taking a hybrid working approach.

Does it matter? No, because if these aren’t applicable, you state and justify that in your Statement of Applicability. However, when one out of only four categories is entirely dedicated to physical controls, it suggests an over-emphasis on it, considering the shift in how companies are working.

So why only four categories?

It simplifies the controls by splitting them into manageable categories but at a higher-level than before. This makes the controls more usable as it is easier to assign controls and understand who may operate or own them. It’s reasonable to see why the controls are grouped together where there is overlap in who would manage them.

The value of the attributes table

The control type allows you to categorise controls in relation to their impact on a risk event. This will help identify gaps in controls, for example you may have many applicable controls for detecting a risk event, but not enough that prevent the risk event from occurring.

Information security properties use the CIA (confidentiality, integrity and availability) triad. This is useful when conducting risk assessment to understand the impact risk could have and likewise how the control, when treated, can reduce the impact. It helps to communicate risk within your business.

Cyber security concepts allow a direct cross-reference to the NIST Cybersecurity Framework. This is useful if your business already has adopted the NIST framework, or is looking to. It can help to align your understanding of your compliance to the framework and understand the controls that can help improve your compliance to a particular area, such as responding to any risk events.

The operational capabilities attribute is helpful to identify a department within your business that is responsible for the operation of the control.

The security domain attribute provides the area or services within information security that the control belongs to.

How you can use ISO 27002

You may use ISO 27002 alongside when certifying for ISO 27001, or you might just use it as a standalone control framework to help “frame” what you are doing in your business.

Automated tools of gathering compliance to standards like ISO 27002 can be used. This also helps make things easier with auditors to provide evidence of the controls (as long as you’ve kept your evidence collection up to date and relevant).

Has it improved enough?

For the controls themselves, it’s significantly improved in certain areas. Especially to keep in line with technological progression and how digitally transformed businesses are becoming.

It’s understandable why physical controls are a category still as it is important, but only where it’s applicable. Being a remote-first business ourselves, we know it’s not as relevant to us. It may be that in the future if businesses continue with hybrid or entirely remote business models, then there may be a lesser focus on it in the next version.

Photo by Alex Machado from Unsplash.