On the occasion of the SEC4YOU user meeting in June 2021, we presented the current draft of the new ISO/IEC 27002:2021.

The new ISO 27002:2021 is an extension of the aging ISO 27002:2013 (+corrections from 2014 and 2015) and adds the following control objectives:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The structure and the content

The structure has been significantly changed and now includes the following areas:

5. organizational controls
6. personnel controls
7. physical controls
8. technological controls

The 114 control objectives in 27002:2013 have become approximately 93 control objectives in ISO 27002:2021.

Although the term “cybersecurity” is in the title of the standard, there is not a single control objective that specifically addresses cybersecurity threats. But of course, InfoSec measures support resilience against cyberattacks.

The topic of data protection is dealt with on ¾ of a page, so the standard does not offer any comprehensive recommendations for data protection.

In the back of the standard, there is an easy-to-use mapping table that can be used to efficiently transfer all controls from 27002:2013 to the new numbering of ISO/IEC 27002:2021. This helps to restructure existing guidelines and quickly check them for completeness.

Things to know about the standard

  • ISO 27001:2013 is currently being adapted to the structure of ISO 27002:2021, which should be completed by the end of 2021 or the beginning of 2022. From the validity of the revision, there is a transition period of one year in which the old structure can still be used for certification.
  • Companies wishing to be certified from 2022 onwards are recommended to already create their ISMS according to the new structure and to work with the 27002:2013 to 27002:2021 mapping in Annex B of the standard.
  • Companies with existing 27001 certification will probably only have to switch to the new structure after 3 years. In any case, however, all companies should align with and implement the new control objectives.
  • When will the standard be available for purchase? Presumably from the end of 2021.

Questions?

We will be happy to answer them via our contact form or by call.
