Knowledge Sharing Session

on Improve your organization’s information security controls with the new ISO 27002:2022 standard

Renjith P Sarada
Lead Auditor & Tutor - Digital Trust

In the next 60 minutes

✓ ISO 27002:2022 – Title & scope
✓ Control structure
✓ New controls
✓ Updated controls
✓ Merged controls
✓ Control attributes
✓ What next?
✓ Q&A round

Copyright © 2022 BSI. All rights reserved


ISO 27002:2022 Title & Scope

Information security controls:
✓ Implementing IS controls based on best practice
✓ Developing organizational ISMS guidelines
✓ ISMS based on ISO/IEC 27001


ISO 27002:2022: 93 controls

Clause 5 - Organizational controls: 37 controls (34 existing, 3 new)
Clause 6 - People controls: 8 controls (all existing)
Clause 7 - Physical controls: 14 controls (13 existing, 1 new)
Clause 8 - Technological controls: 34 controls (27 existing, 7 new)


Control structure

✓ Addition of selectable and searchable attributes
✓ Attributes are not mandatory
✓ An organization may create their own attributes to meet their needs
✓ Purpose replaces control objectives


New controls (11)

Control identifier | Control name
5.7 | Threat intelligence
5.23 | Information security for use of cloud services
5.30 | ICT readiness for business continuity
7.4 | Physical security monitoring
8.9 | Configuration management
8.10 | Information deletion
8.11 | Data masking
8.12 | Data leakage prevention
8.16 | Monitoring activities
8.23 | Web filtering
8.28 | Secure coding


Updated controls (58)

✓ 58 updated controls
✓ Majority of existing controls remain relevant
✓ Many needed updating to reflect latest best practices and removal of obsolete technologies
✓ Link between corresponding control numbers

ISO/IEC 27002:2013 control → ISO/IEC 27002:2022 control
(the slide labels some columns ISO/IEC 27001:2013; the Annex A identifiers are the same as the 27002:2013 clause numbers)

06.1.1 → 5.02
06.1.2 → 5.03
07.2.1 → 5.04
06.1.3 → 5.05
06.1.4 → 5.06
08.1.4 → 5.11
08.2.1 → 5.12
08.2.2 → 5.13
09.2.1 → 5.16
15.1.1 → 5.19
15.1.2 → 5.20
15.1.3 → 5.21
16.1.1 → 5.24
16.1.4 → 5.25
16.1.5 → 5.26
16.1.6 → 5.27
16.1.7 → 5.28
18.1.2 → 5.32
18.1.3 → 5.33
18.1.4 → 5.34
18.2.1 → 5.35
12.1.1 → 5.37
07.1.1 → 6.01
07.1.2 → 6.02
07.2.2 → 6.03
07.2.3 → 6.04
07.3.1 → 6.05
13.2.4 → 6.06
06.2.2 → 6.07
11.1.1 → 7.01
11.1.3 → 7.03
11.1.4 → 7.05
11.1.5 → 7.06
11.2.9 → 7.07
11.2.1 → 7.08
11.2.6 → 7.09
11.2.2 → 7.11
11.2.3 → 7.12
11.2.4 → 7.13
11.2.7 → 7.14
09.2.3 → 8.02
09.4.1 → 8.03
09.4.5 → 8.04
09.4.2 → 8.05
12.1.3 → 8.06
12.2.1 → 8.07
12.3.1 → 8.13
17.2.1 → 8.14
12.4.4 → 8.17
09.4.4 → 8.18
13.1.1 → 8.20
13.1.2 → 8.21
13.1.3 → 8.22
14.2.1 → 8.25
14.2.5 → 8.27
14.2.7 → 8.30
14.3.1 → 8.33
12.7.1 → 8.34
Merged controls (24)

✓ 24 merged controls
✓ Merged where existing controls are inseparable or closely related

ISO/IEC 27002:2013 controls → ISO/IEC 27002:2022 control

05.1.1, 05.1.2 → 5.01
06.1.5, 14.1.1 → 5.08
08.1.1, 08.1.2 → 5.09
08.1.3, 08.2.3 → 5.10
13.2.1, 13.2.2, 13.3.3 → 5.14
09.1.1, 09.2.2 → 5.15
09.2.4, 09.2.5, 09.2.6 → 5.17
09.2.2, 09.2.5, 09.2.6 → 5.18
15.1.1, 15.1.2 → 5.22
17.1.1, 17.1.2, 17.1.3 → 5.29
18.1.1, 18.1.5 → 5.31
18.2.2, 18.2.3 → 5.36
16.1.2, 16.1.3 → 6.08
11.1.2, 11.1.6 → 7.02
08.3.1, 08.3.2, 08.3.3, 11.2.5 → 7.10
06.2.1, 11.2.8 → 8.01
12.6.1, 18.2.3 → 8.08
12.4.1, 12.4.2, 12.4.3 → 8.15
12.5.1, 12.6.2 → 8.19
10.1.1, 10.1.2 → 8.24
14.1.2, 14.1.3 → 8.26
14.2.8, 14.2.9 → 8.29
12.1.4, 12.2.6 → 8.31
12.1.2, 14.2.2, 14.2.3, 14.2.4 → 8.32
Control correspondence

Table B.1 (ISO/IEC 27002:2022 → ISO/IEC 27002:2013)
ISO/IEC 27002 control identifier | ISO/IEC 27002:2013 control identifier | Control name
5.1 | 05.1.1, 05.1.2 | Policies for information security

Table B.2 (ISO/IEC 27002:2013 → ISO/IEC 27002:2022)
ISO/IEC 27002:2013 control identifier | ISO/IEC 27002 control identifier | Control name
5 | | Information security policies
5.1 | | Management direction for information security
5.1.1 | 5.1 | Policies for information security


Control attributes (Annex A.1)

Control attribute | Attribute values
Control Type | #Preventive, #Detective, #Corrective
Information Security Property | #Confidentiality, #Integrity, #Availability
Cybersecurity Concepts | #Identify, #Protect, #Detect, #Respond, #Recover
Operational Capabilities | #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
Security Domains | #Governance_and_Ecosystem, #Protection, #Defence, #Resilience
Control Type
#Preventive #Detective #Corrective

Information security properties
#Confidentiality #Integrity #Availability

Cybersecurity concepts: ISO/IEC TS 27110
#Identify #Protect #Detect #Respond #Recover

Operational capabilities
#Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Identity_and_access_management #Application_security #Secure_configuration #Threat_and_vulnerability_management #Supplier_relationships_security #Continuity #Information_security_event_management #Information_security_assurance #Legal_and_compliance

Security domains
#Governance_and_Ecosystem #Protection #Defence #Resilience


Organizational attributes (Annex A.2)

Risk event scenario
Control maturity
Management priorities
Other frameworks used by the organization
Industry body or trade associations
Implementation state specific


What next?

Amendment to ISO/IEC 27001:2013 expected later this year to reflect ISO/IEC 27002:2022 revision

Purchase a copy of ISO/IEC 27002:2022

Gap analysis of existing controls against ISO/IEC 27002:2022
• Anticipate an update to your SOA

Risk assessment and risk treatment in accordance with clause 6.1.2 & 6.1.3
• Be prepared to evidence your justification of inclusion or exclusion of new controls
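Two things a practitioner usually builds first when moving to the 2022 edition are a control catalogue that can be filtered by the Annex A.1 attributes (the "selectable and searchable attributes" from the control structure slide) and a mapping of the existing 2013-numbered SOA onto 2022 identifiers for the gap analysis step above. The Python below is an added example, not BSI's or ISO's code: the attribute tags assigned to each control are illustrative assumptions (the authoritative assignments are in the standard's own control text), the correspondence dictionary is a small subset of the deck's updated/merged tables, and identifiers are written without the zero-padding used on the slides (5.1 rather than 5.01).

```python
"""Added example: attribute-based control selection and a 2013 -> 2022 SOA gap check.

Attribute values per control are illustrative assumptions for the demo, not a
transcription of ISO/IEC 27002:2022.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ident: str           # 2022 identifier, e.g. "8.12"
    name: str
    attributes: frozenset  # Annex A.1 tags such as "#Preventive", "#Defence"


# Constructed sample catalogue: five 2022 controls named in the deck, with assumed tags.
CATALOGUE = [
    Control("5.1", "Policies for information security",
            frozenset({"#Preventive", "#Confidentiality", "#Integrity", "#Availability",
                       "#Identify", "#Governance", "#Governance_and_Ecosystem"})),
    Control("5.7", "Threat intelligence",
            frozenset({"#Preventive", "#Detective", "#Corrective", "#Identify", "#Detect",
                       "#Respond", "#Threat_and_vulnerability_management", "#Defence",
                       "#Resilience"})),
    Control("8.12", "Data leakage prevention",
            frozenset({"#Preventive", "#Detective", "#Confidentiality", "#Protect", "#Detect",
                       "#Information_protection", "#Protection", "#Defence"})),
    Control("8.16", "Monitoring activities",
            frozenset({"#Detective", "#Corrective", "#Detect", "#Respond",
                       "#Information_security_event_management", "#Defence"})),
    Control("8.28", "Secure coding",
            frozenset({"#Preventive", "#Protect", "#Application_security",
                       "#System_and_network_security", "#Protection"})),
]


def select(catalogue, *tags):
    """Return the controls carrying every requested attribute tag (AND semantics),
    preserving catalogue order. This is the 'searchable attributes' use case."""
    wanted = set(tags)
    return [c for c in catalogue if wanted <= c.attributes]


# 2013 -> 2022 correspondence, a subset of the deck's updated and merged tables.
CORRESPONDENCE = {
    "05.1.1": "5.1", "05.1.2": "5.1",                        # merged into 5.1
    "06.1.1": "5.2",                                         # updated
    "12.4.1": "8.15", "12.4.2": "8.15", "12.4.3": "8.15",    # merged into 8.15
    "14.2.1": "8.25",                                        # updated
}

# The 11 new 2022 controls from the deck: no 2013 predecessor, so a 2013-based SOA
# cannot cover them and each needs an explicit inclusion/exclusion justification.
NEW_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11", "8.12", "8.16",
            "8.23", "8.28"}


def _key(ident):
    """Numeric sort key so 8.9 sorts before 8.10 (plain string order would not)."""
    return tuple(int(part) for part in ident.split("."))


def gap_analysis(soa_2013_ids):
    """Map a 2013-numbered SOA onto 2022 identifiers.

    Returns (covered_2022, unmapped_2013, new_needing_justification):
      covered_2022            2022 controls reached through the correspondence table
      unmapped_2013           SOA entries with no entry in CORRESPONDENCE (check by hand)
      new_needing_justification  new 2022 controls the old SOA says nothing about
    """
    covered, unmapped = set(), []
    for old in soa_2013_ids:
        new = CORRESPONDENCE.get(old)
        if new is None:
            unmapped.append(old)
        else:
            covered.add(new)
    return (sorted(covered, key=_key), unmapped, sorted(NEW_2022 - covered, key=_key))


if __name__ == "__main__":
    for c in select(CATALOGUE, "#Detective", "#Defence"):
        print(f"{c.ident:5} {c.name}")
    covered, unmapped, todo = gap_analysis(["05.1.1", "05.1.2", "12.4.1", "99.9.9"])
    print("covered:", covered)
    print("unmapped (review manually):", unmapped)
    print("new controls needing SOA justification:", todo)
```

The `select` function uses AND semantics deliberately: an auditor asking for "detective controls in the defence domain" wants the intersection, not everything that is either. Extending `CORRESPONDENCE` with the full tables from the two preceding slides turns `gap_analysis` into a first-pass SOA migration check; entries it reports as unmapped are the ones to resolve by hand against Annex B of the standard.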
Learn more about Information Security with our Resources

Visit webpage: scan the QR code and read more about the changes in Information Security Standards
Download the ISO 27001 Self Assessment Checklist
Read our Executive Briefing: it helps senior management understand the overarching business benefits of adopting ISO/IEC 27001.


Learn more about ISO 27001:2022 Transition

On-Demand Webinar: Secure your information in the new digital age with ISO/IEC 27001:2022
Date: Thursday, 4th October 2022
Time: 2:30 PM to 3:30 PM (IST)
Scan QR code to watch replay webinar

Download the ISO 27001:2022 Transition Journey Guide


Learn more about Information Security with client case study

ISO/IEC 27001 Case Study - CogentHub
CogentHub is a global provider focused on the delivery of business solutions integrated with the latest technologies.
Scan QR code to download case study

ISO/IEC 27701 Case Study - Befree
Befree is among the leading organizations to achieve ISO certification in ISO/IEC 27701:2019 for data protection and standardization to secure data assets.
Scan QR code to download case study


Learn more about Information Security with BSI

BSI provides a range of solutions on information and communication technologies; you need to ensure that you manage your digital infrastructure, systems and processes in the most effective way.

Our ICT newsletters, blogs, case studies and replay webinars will keep you up to date with what our ICT community experts have to say on the hot topics in the ICT industry.

To subscribe to our newsletter, please scan the QR code.


Thank You and Q & A