A new version of ISO/IEC 27002, the 2022 edition, has been released. The changes relate primarily to the controls, which have been updated to help companies address changing security scenarios and the risks that come with them.
According to DNV, today’s information security, cyber security and privacy risks have dramatically changed. The threat to all companies has intensified and managing information security has become a matter of business continuity and resilience.
"What is more, attacks or breaches can at best be a nuisance, but there are increasingly cases where businesses are severely impacted, production hampered or completely stopped for days and even weeks.
"The topic is very much at the core of most corporate agendas and boards. It seems that everyone is at risk, but many have not implemented a proper and robust system to identify, manage and mitigate their information security risks. The updated standard helps companies address the changing information security scenarios," says Nanda Kumar Shamanna, ICT business manager of Business Assurance in DNV.
The new version updates the controls for digital and cloud technologies and incorporates cybersecurity and privacy threats. The control set has been consolidated into 93 controls in four themes (organizational, people, physical and technological), including 11 new controls. The standard has also been reviewed to address other security perspectives through attributes assigned to every control, covering control type, information security properties, cybersecurity concepts, operational capabilities and security domains, so that controls can be filtered and grouped by the view a reader needs.
The changes to this guideline standard will flow through to Annex A of the certifiable standard ISO/IEC 27001, which references the ISO/IEC 27002 controls. The revision of ISO/IEC 27001 is expected to be published later this year, possibly in October.
The changes to ISO/IEC 27001 are expected to be limited to the controls in Annex A. The transition timeline for certified companies will be set as part of the ISO/IEC 27001:2022 release later this year; however, now that ISO/IEC 27002 has been released, it is possible to start preparing, for example by mapping the current Statement of Applicability to the new control set.
The main benefits of the new version for certified companies:
- Addresses new scenarios and risks;
- Helps understand other security perspectives;
- Includes cybersecurity and privacy aspects;
- New controls to ensure new scenarios and risks are not missed.
For certified companies this means primarily reviewing the processes and systems covered by the ISMS: leadership, corporate security, the IT function, delivery and other support functions, and updating the risk assessment and Statement of Applicability against the new controls.