Ayilur Ramnath

ISO/IEC 27002:2022 - A Critical Note


This is a short critical note on the revised standard that got published recently.


Within the ISO/IEC 27000 series of standards, ISO/IEC 27002 plays a major role because it provides a comprehensive list of information security controls that an organisation can consider implementing on the basis of its risk assessment. The effectiveness of an ISO/IEC 27001 based ISMS depends on the controls an organisation chooses to treat its risks, and the majority of those controls are the ones recommended by ISO/IEC 27002. Without ISO/IEC 27002, ISO/IEC 27001 would therefore be largely meaningless; ISO/IEC 27002 plays its significant role through Annex A of the ISO/IEC 27001 standard.


It should be noted that ISO/IEC 27002 came first and Annex A of ISO/IEC 27001 only afterwards; hence Annex A is aligned to ISO/IEC 27002, not the other way around.


ISO/IEC 27002:2022 introduces changes in the (re)structuring of the domains and controls:


  • The structure of the revised standard is simple and helps a practitioner connect with many terms and concepts prevalent in the industry, such as cybersecurity terminology.

  • The concept of Purpose, replacing the earlier control objective, makes a lot of sense.

  • Arguably, the reduction from the well structured 14 domains/major security areas to four categories of controls is not really an improvement, as the earlier structure gave a better understanding of the control areas. It is worth mentioning that the old structure of domains was very logical; it needed only some tweaking by bringing in new controls relevant to today's environment and by removing or combining some others. The current structuring follows a different logic altogether.

  • Combining certain similar controls and bringing in new controls was required and is a welcome change.

  • The standard now gives more clarity, as part of each control's explanation, on the (proposed / intended) type of control, which cybersecurity concept it addresses, which security domain it belongs to, what capabilities are required or affected, and which security properties are addressed or affected. This type of explanation is a boon to practitioners in framing the right control and evaluating it correctly.

  • Overall, the revision makes the standard meaningful in today's context, to some extent.

  • However, why the revised version of ISO/IEC 27001 was not published together with ISO/IEC 27002 is really a big question. Though ISO/IEC 27002 can exist without ISO/IEC 27001 (consider the origin of the standards), ISO/IEC 27001 without ISO/IEC 27002 is meaningless, as the most important part of ISO/IEC 27001 is Annex A (the controls), which is taken from ISO/IEC 27002. It is very interesting to see this. In any case, the revised version of ISO/IEC 27001 will be published shortly, as it is in the final stages of approval.

Repercussions include:

  • the effect on the PIMS standard ISO/IEC 27701. As this standard has not really picked up well in the market, it now has to be revised to align with ISO/IEC 27002.

  • until the ISO/IEC 27001 revision is published, organisations (and individuals too) are confused or hesitant about using the 2013 version of the standard, even though it is technically fine to use this version, especially for certification purposes.

The misnomer


It is very appropriate to become familiar with the controls in ISO/IEC 27002:2022 and their intent. Although, as the misnomer goes, there are 93 controls in ISO/IEC 27002:2022, it would be more congruent to say that there are 93 control areas. It is very prudent for any implementer to understand how organisation-specific controls can be derived from these control areas, which can in practice run into hundreds of specific controls in an organisation.

1 comment


murty.nisthala
October 18, 2022

Very well explained, Sir.

Regards, Murty


Ayilur Ramnath

Mentor, Coach, Researcher, Author & Speaker
