ISO 27002’s crucial role in maintaining the integrity of your information security management system

In terms of information security, ISO/IEC 27001 is the international standard to attain.

So what is the recently announced ISO/IEC 27002? Does it supersede ISO/IEC 27001, which is the standard for information security management systems (ISMS), or does it complement?

Most importantly, how can this really help my organisation?

ISO/IEC 27002 as an important operational guideline

While ISO/IEC 27001 is well-known to be the international standard for information security management systems (ISMS), fewer people are familiar with ISO/IEC 27002.

However, these two actually go hand in hand, the former and the latter are both important for data and cybersecurity professionals.

ISO/IEC 27001 is the standard that you get certified against. With 27001 being the standard, it clearly specifies what an ISMS should look like. If you were the IT professional in charge of information security, your next question would probably be, “How do I now achieve this ISMS being described in the 27001 standard?”

This is where ISO 27002 comes in.

ISO/IEC 27002 is a reference list of several best practices you can adopt to satisfy the 27001 standard. It is like an operations manual to guide you as you build your ISMS, so that it will live up to the requirements of ISO/IEC 27001.

Thus, with the 27001 standard discussing the “what” and 27002 discussing the “how”, ISO/IEC 27002 has always gone together with ISO/IEC 27001.

The best practices laid down in 27002 enable you to achieve the security controls which will minimise the risks you have identified. Thus, 27002 is often referred to as a “code of practice” for the 27001 standard.

As Edwin Concepcion, CIPM and a Certified Lead Implementer of ISO/IEC 27001, explains, “The ISO/IEC 27002 is a Code of Practice or guideline to support the practice of ISO/IEC 27001. For an organisation to fulfil the requirements indicated in the latter, you need to fulfil the code of practice or guidelines in the former.”

Keeping up with the evolving data protection landscape

The last revision to ISO/IEC 27002 took place in 2013. In February 2022, a new version ISO/IEC 27002:2022 was launched.

This update is timely because of the many advances in technology in recent years, coupled with the increased digitisation during the pandemic. With the large amount of data being processed today, it can be a struggle to keep up and maintain the integrity of our information security management systems.

According to the Professional Evaluation and Certification Board, or PECB, information security has become truly challenging, with a 15% increase in global cybercrime costs annually expected. With cyber attacks becoming more rampant, greater vigilance entails adapting new security controls to combat new risks and threats.

Thus, ISO/IEC 27002:2022 provides in detail the newest best practices to guide organisations to better protect the growing amount of information they manage amidst more sophisticated threats.

The updates to ISO/IEC 27002:2022 do not change the standard for ISMS. But it does provide additional guidelines that will help organisations achieve the requirements of the ISO/IEC 27001 standard given today’s data protection landscape.

We heard more from Concepcion on what this latest update means for data professionals and organisations.

With this new version of ISO/IEC 27002, what must I do as a data professional?

As a data professional, there is a need to review the new 27002:2022 to see if the new guidelines are applicable to your organisation.

Concepcion notes, “There were a lot of changes from 2013 to 2022 versions. This latest version now covers your cybersecurity controls.”

Should these changes apply to your organisation, then it is best for you to adapt these new practices and update your policies to ensure that the information you keep is secure from the latest cyber threats.

If you would like to better understand how the newest guidelines apply to your organisation, it is best to book a consultation with our privacy experts. Email us at sales@straitsinteractive.com to schedule a consultation.

Does the new version of ISO/IEC 27002 make my current ISO/IEC 27001 certification obsolete?

No, your 27001 certification will remain valid – if it’s a new certification, this validity is three years. However, for those seeking a renewal for your 27001 certification, you may need to incorporate some of the changes in 27002:2022 to successfully renew your certification. 

Concepcion explains, “Because there are new guidelines, then you also have to implement these new guidelines in 27002 to get your certification for 27001, especially if you are in the process of renewing it.”

Can I get certified against ISO/IEC 27002 instead?

No. Organisations get certified to the ISO/IEC 27001 standard, not 27002.

Concepcion explains, “For individuals and organisations, you can get certified against 27001, but not against 27002, because it is not a standard but a Code of Practice.”

With the rising incidents in cybercrime these days, it is only expected of us to re-evaluate whether our information security practices are sufficient and up-to-date.

Pursuing an internationally recognised certification like ISO 27001 is one way to ensure that you maintain the confidentiality, integrity, and availability of your data.

Begin your ISO certification journey with us by exploring our ISO certification roadmap or by checking our ISO courses.

ISO 27001 is just one of the many certifications in information security and privacy. You may check this article to see which certification is best for your organisation.