Showing posts from February, 2022

Transition arrangements for ISO/IEC 27001

Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly around certification, since '27002:2022 no longer aligns with '27001:2013 Annex A. The situation today is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were: organisations that choose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability. Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent inter...

ISO/IEC 27002 update

The newly-published third edition of ISO/IEC 27002 is a welcome update to the primary ISO27k controls catalogue (officially, a 'reference set of generic information security controls'). Aside from restructuring and generally updating the controls from the 2013 second edition, the committee (finally!) seized the opportunity to beef up the coverage of information security for cloud computing with new control 5.23, plus ten other new controls, mostly in section 8 (technological controls):

Configuration management (8.9) - concerns the need to manage security and other configuration details for [IT] hardware, software, [information] services and networks.

Data leakage prevention (8.12) - DLP is required to protect sensitive information against unauthorized disclosure/extraction (theft, surveillance).

Data masking (8.11) - in line with the organisation's access control policy, plus other business requirements and compliance obligations, security controls are appropriate to mitig...