Below we share an article by our CEO Iago Fortes on the news and benefits of ISO 27001 and ISO 27002:
I will not extend and try to make it interesting to write about something is my passion and which I consider key, regarding the organization and management of Information Security (or cybersecurity).
Despite there are a lot of frameworks and standards: NIST, CIS (SANS), VDA-ISA (TISAX), ENS, … I would say without hesitating that ISO 27k series has been the first and always the one I have liked the most, because of his global, standardized view and complementarity (with other standards and systems, such as Quality-ISO 9001,…). Furthermore, some of the ones I have mentioned were born and are still based on ISO 27k.
¿What are ISO 27001 and ISO 27002?
ISO 27001 (requirements for an Information Security Management System – ISMS): This standard is common and very similar (with only a few relevant diferences in 1-2 of the 10 sections of the standard) to any other Management System (ISO 9001: Quality, ISO 14001: Environment, ISO 50001: Energy, ISO 27701: Privacy), with the key exception of having a very important annex. Annex A refers to a set of IS controls, which precisely replicates the set contained on the following (ISO 27002).
ISO 27002 (in the begining described as “best practices”, now a set of “Information Security Controls”): It is a generic set of controls with guidance and high-level recommendations for its design & implementation. If we seriously go for it, helps a lot to manage the controls lifecycle (management of the set of controls).
I consider the following phases (or lifecycle) for a control (or set of controls):
- Need/Identification (origin: Risk) – ISO 27001
- Definition & Design – at high-level within ISO 27002 (linked to next step)
- Implementation – the “core” of ISO 27002 (but high-level again)
- Monitoring – at high-level within ISO 27001, and other references will apply
- Assessment/Audit – at high-level within ISO 27001, and other references will apply
¿What are the changes on new versions? (from 2013 to 2022)
The 2 main standards, mentioned above, have been updated. The first (27001) with minor changes, since the Management System does not suffer significant changes and it is still aligned to any other Management System.
However, it is the second (ISO 27002) the one with significant changes: Number of controls, Organization (categorization and classification) of those controls, usage of new concepts (attributes) to allow more flexibility and better adaptation, such as specific sectors (like industry, where other existing frameworks and standards apply).
I am focusing here in ISO 27002 (or Annex A in 27001), or in other words in “controls”
In my view (and Inprosec´s) big and challenging things has to be split to progress in parts, so we try to focus in an schematic an visual way using the pyramid published in this article, where we organize the Domains (based on the 2013 standard) in 4 categories: Physical, Legal, Organizational & Technical.
This piramid, allow us in a single view to:
- Show the 11 Domains (of controls) from the ISO 27002:2013
- Dividing them with colours in 4 IS categories (Physical, Legal, Organizational & Technical)
- Classifying on their hierarchical level (implicit on the pyramid shape): on the top the most strategic and at the bottom the most operative (or operating).
Precisely the main change on the 27002 version is the organization of the controls, into the following 4 categories (3 matching and 1 not, to our 2013 Piramid): Organitizational (37), People (8), Physical (14) & Technological (34), in total 93 controls (vs 114 in the 2013 version). 11 controls are new, while the rest has been merged, reviewed/updates or removed.
ISO 27002:2022 is an improved version, simpler, more practical and useful.
If you want to go deeper into ISO 27k series, I recommend these 2 best options, 1 in English and the other in Spanish:
- Without any doubt the best option (in English): Free ISO27k Forum (iso27001security.com)
- And the best option in Spanish: Home (iso27000.es)
I hope you have found this small article interesting and I hope to be writing soon, to share my experience and the knowledge I may have achieved, if any, to do my bit on improving Information Security in society and organizations.