Rumors of an upcoming, major change to ISO 27002

Amy Shepard

Senior Manager of Privacy and International Assurance, Coalfire

Of the thousands of international standards published by the International Organization for Standardization (ISO), some of the most popular ISO standards are management system standards, such as the well-known ISO 9001 standard for quality management and ISO 27001 for information security management.

These standards belong to a niche group of publications known as management system standards, which organizations can implement and certify to via third-party auditors (i.e., certification bodies). Oftentimes, management system standards are the first publication within a larger family or series of standards and are denoted with a “01” reference. In the case of the more popular references within this group, ISO also issues guidance documents. The purpose of these additional, informative references is to aid organizations that may be initially establishing the program or that require further explanatory detail when interpreting the underlying requirement or control objective.

Such is the case with the popular ISO 27002 standard (the full reference being ISO/IEC 27002:2013), which has piggybacked on the popularity of the ISO 27001 standard, to which over 36,000 organizations have been certified per the most recent release of the ISO Survey. The ISO 27002 standard provides helpful advice and support for internal practitioners designing criteria that will meet the objectives of the 114 Annex A controls described within the appendix to the certifiable ISO 27001 standard.

All ISO standards conform to a minimum, systematic five-year review cycle but can also be proposed for new revisions at any time. Although the ISO 27001 and ISO 27002 standards have both been reviewed and reconfirmed for sufficiency in recent years, the most recent revisions for both publications were issued in 2013.

Beginning in March 2018 (seemingly, immediately following confirmation of its content at the five-year mark), the authors of this group of standards for information security (ISO/IEC JTC 1/SC 27) began the arduous exercise of revising these standards by starting with the control implementation guidance described within ISO 27002. After more than two years of working drafts and digesting subject matter feedback, the Draft International Standard (DIS) for ISO 27002 was released for public ballot in January 2021, with voting closing in April 2021. The latest copy of this DIS can be purchased directly from ISO via its website.

Aside from national delegations or committee members within ISO/IEC JTC 1/SC 27, the availability of the DIS was the first chance for the general public to inspect the proposed revisions and the potential updates to the controls framework that would later also affect ISO 27001. While ISO 27002 is only an informative reference and cannot be used as auditable criteria by certification bodies, revisions to this standard do allude to material and structural changes that will also affect ISO 27001. This is what makes the revision so far-reaching and why this DIS should be reviewed by every currently certified and applicant organization for the ISO 27001 standard. Even if your organization does not utilize ISO 27002 in its current form, the DIS is a precursor to what the next release of ISO 27001 will imitate.

What are the major changes being proposed for this revision?

As our team reviewed the DIS, some key differences were immediately apparent between the current 2013 revision of ISO 27002 and the new proposal. For example, the 14 Annex A control domains have now been consolidated into only four domains comprising Organizational, People, Physical, and Technological themes.

Likewise, as the number of domains (i.e., control families) decreased, the total number of controls was also reduced from 114 to only 93 controls across these four domains. The DIS is very clear that only one control was actually deleted (A.11.2.5 Removal of assets), while the balance of the controls was consolidated to meet the intent of this new concept for theme-based auditing.

What remaining activities need to be executed prior to the publication of a new revision of ISO 27002?

The ISO 27002 standard has yet to be published. As of this writing, all feedback received from the public ballot that closed on April 23 is still being aggregated and circulated among the ISO/IEC JTC 1/SC 27 committee members. Depending on the conclusions from the public ballot feedback, the committee could decide to revise the current DIS and recirculate it for a second ballot or, alternatively, move forward with an approval and register it as a Final Draft International Standard (FDIS).

With the current lead time, the ISO 27002 standard could be published as a new revision to the International Standard before the end of the 2021 calendar year, assuming the committee does not determine that a second ballot is necessary.

The ISO/IEC JTC 1/SC 27 working group responsible for this publication is scheduled to next review this standard on October 29, 2021, via virtual web conference.

What transition timeline will be required of certified organizations after publication?

If published as a new International Standard, it is expected that an amendment will be made to ISO 27001 shortly following the announcement as a means to mitigate any period where Annex A of ISO 27001 does not align or agree with the current revision of ISO 27002.

In the past, major revisions to management system standards, such as the 2015 publication of ISO 9001 and the 2018 revision of ISO 20000-1, have been met with a two-year transition period for currently certified organizations. With that said, if ISO 27001 is revised via amendment in lieu of a formal revision, which carries a longer review and approval cycle, the changes would go into effect immediately.

At this point, it would be expected that the International Accreditation Forum (IAF) or respective accreditation bodies would publish specific guidance on transition periods, which has historically occurred when ISO's Committee on Conformity Assessment (CASCO) has lacked prescriptive steps for handling changes across normative references.

What should we be doing now to prepare?

While there are no requirements to update management system design at this time for currently certified organizations, it is wise to at least begin preparations by conducting internal gap analyses against the revision proposal described within the DIS.

Even if ISO 27002 remains a DIS for an extended period, organizations are permitted to adopt this new structure and control framework now, as Clause 6 of ISO 27001 allows organizations to utilize internal control sets when developing their Statement of Applicability (SOA). In fact, there is no hard requirement that Annex A of ISO 27001 must be utilized. It only needs to be fulfilled, at a minimum, by demonstrating that the implemented control set maps to or aligns with the Annex A control objectives.

If your organization has immediate questions after purchasing and reviewing the DIS, contact our certification body team at CertificationBodyManagement@coalfire.com.