First of all, ISO 27002 offers implementation guidance for the controls listed in Annex A of the main standard, ISO 27001.
Since you cannot get certification for following the guidance, your existing ISO 27001 certification is not directly affected.
In fact, until a new version of ISO 27001 is published, you are still required in your Statement of Applicability to refer to the 2013 version control set, as listed in Annex A.
The new version of ISO 27001 is expected at the end of Q2 2022, or even in October, according to some sources.
For organizations already holding an ISO 27001 certificate, ISO usually allows a two-year transition period for the revision of the Information Security Management System. It is sensible, though, to start preparing for the transition early, to avoid late-stage panic.
You can start this transition process by purchasing the updated standard (of course) and conducting a fit/gap analysis against your current controls implementation.
iso.org/standard/75652.html
You can also begin updating your information security policies to reflect the new guidelines.
Pay special attention to the new controls Threat intelligence, Data masking and Configuration management, as auditors will surely check whether you have picked up on these sufficiently!
Also expect to be queried on the connection between individual controls and risk analysis outcomes: ISO 27002 specifically mentions this as a use case for the newly introduced ‘control attributes’ – more info in this thread👇️
twitter.com/iso27diy/status/1496064223926882308