It’s been eight years since the last revision of ISO/IEC 27002 (in 2013), and although ISO 27001:2013 was confirmed in 2019 (i.e., no changes to the Information Security Management System standard were required), ISO 27002 definitely needed improvement to fulfill its role as guidance for implementing ISO 27001 Annex A controls.
- Review risk treatment and make sure it is aligned with the new structure and numbering of controls.
- Align the list of controls in the Statement of Applicability.
- Update your policies and procedures, and potentially write new documents related to the new controls.
Since this change in the standard involves 12 new controls, aligning your risk treatment and documentation will be the biggest job ahead of you, although it probably will not require a big change in technological and process areas.
And this is where the new ISO 27002 will bring the most value: during the transition period you will have plenty of refreshed best practices to choose from, as well as a new set of attributes that make control selection easier and more effective. And because ISO 27002 is quite detailed, while you still have the freedom to choose only what is appropriate for your organization, it will definitely make this transition easier.
To automate your compliance with ISO 27001 security controls, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software. The Conformio team is working on integrating controls according to the new ISO 27001, and the software will offer an easy way to transition from the old set of controls to the new ones.