ISO 27002 2013/2022 and Tenacy modelling

We will see the differences between the 2013 and 2022 versions and how they are modeled on the platform.

Summary:

Introduction

1. 14 categories reduced to 4 domains

2. Redesign of security controls

3. Introduction of attributes for controls

Introduction

In the world of information security, the ISO 27001 and ISO 27002 standards are essential pillars in building an ISMS. This article explores the nuances between the two standards and their 2013 and 2022 versions, highlighting the evolutions and how they are presented in the Tenacy tool.

🔎 Throughout this article we will use the acronym "ISMS" for Information Security Management System.

1. 14 categories reduced to 4 domains

The 4 domains are:

  • Organizational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

[Image: iso 27002 - 2013 EN]

Above are the 14 categories found in the 2013 version; below are the 4 domains of the 2022 version as shown in the Tenacy tool.

[Image: iso 27002 - 2022 EN]

Two annexes are referenced:

  • Annex A – Using attributes
  • Annex B – Correspondence with ISO 27002:2013

The main influence of ISO 27002 is its contribution to the stability of an ISMS within an organization. A crucial distinction is that this standard is not intended to decide which controls are applicable to an organization and which are not. Its primary role is to serve as a reference for the selection of security controls, rather than being a certification process in itself.

2. Redesign of security controls

Between the 2013 and 2022 versions, the number of security controls drops from 144 to 93.
Of these 93 controls, 58 were updated, 24 were merged and 11 new controls were created.

Overview of the 11 new controls:

The latest iteration of the ISO 27002 standard pays more attention to certain topics that were already mentioned across many controls.
This update provides specific and detailed guidance in controls dedicated to these topics.

3. Introduction of attributes for controls

The other major change is the introduction of five attributes, each with a defined set of values.

  • Cybersecurity concepts: #Identify, #Protect, #Detect, etc.
  • Information security properties: #Confidentiality, #Integrity and #Availability
  • Security domains: #Governance_and_Ecosystem, #Protection, #Defense, etc.
  • Control types: #Preventive, #Detective and #Corrective
  • Operational capabilities: #Governance, #Asset_management, #Information_protection, etc.

In the solution, this results in five classifications of the ISO 27002 policy, one per attribute, with the controls grouped according to the selected attribute.

When referencing Annex A, each security control is linked to one or more values of every attribute. Easier grouping and sorting are the result of this change. As an example, if an organization wishes to strengthen preventive controls, filtering on the #Preventive value of the Control types attribute will present the list of preventive control references.
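To make the attribute model concrete, here is an added example (not code from Tenacy or from ISO) that tags a few controls with the five Annex A attributes, checks the "one or more values of every attribute" rule, and filters or groups controls the way the article describes. The control numbers and titles are real ISO 27002:2022 controls, but the attribute values attached to them, and the extra values #Respond, #Recover and #Resilience, are assumptions for the example.

```python
from collections import defaultdict
# The five Annex A attributes listed in the article, with allowed values. The page names only
# some of these; #Respond, #Recover and #Resilience are assumed additions for the example.
ATTRIBUTES = {
    "Cybersecurity concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "Information security properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "Security domains": {"#Governance_and_Ecosystem", "#Protection", "#Defense", "#Resilience"},
    "Control types": {"#Preventive", "#Detective", "#Corrective"},
    "Operational capabilities": {"#Governance", "#Asset_management", "#Information_protection"},
}

def control(title, *value_sets):
    """Build a control record: a title plus one value set per attribute, in ATTRIBUTES order."""
    return {"title": title, **dict(zip(ATTRIBUTES, value_sets))}

CIA = {"#Confidentiality", "#Integrity", "#Availability"}
# Constructed sample: numbers and titles are ISO 27002:2022 controls, but the attribute
# values attached here are illustrative and not copied from Annex A.
CONTROLS = {
    "5.1": control("Policies for information security", {"#Identify"}, CIA,
                   {"#Governance_and_Ecosystem"}, {"#Preventive"}, {"#Governance"}),
    "8.8": control("Management of technical vulnerabilities", {"#Identify", "#Protect"}, CIA,
                   {"#Governance_and_Ecosystem", "#Protection"}, {"#Preventive"}, {"#Information_protection"}),
    "8.16": control("Monitoring activities", {"#Detect", "#Respond"}, CIA, {"#Defense"},
                    {"#Detective", "#Corrective"}, {"#Information_protection"}),
}

def validate(controls=CONTROLS):
    """Annex A rule: every control carries >= 1 value of EVERY attribute, and only defined values."""
    problems = []
    for cid, ctrl in controls.items():
        for attr, allowed in ATTRIBUTES.items():
            values = ctrl.get(attr, set())
            if not values:
                problems.append(f"{cid}: no value for '{attr}'")
            elif not values <= allowed:
                problems.append(f"{cid}: unknown value(s) {sorted(values - allowed)} for '{attr}'")
    return problems  # empty list when the control set is consistent

def filter_by(attr, value, controls=CONTROLS):
    """The article's use case, e.g. filter_by('Control types', '#Preventive')."""
    return sorted(cid for cid, ctrl in controls.items() if value in ctrl.get(attr, set()))

def group_by(attr, controls=CONTROLS):
    """One classification per attribute: value -> control ids (a control appears under each value it carries)."""
    groups = defaultdict(list)
    for cid, ctrl in controls.items():
        for value in ctrl.get(attr, set()):
            groups[value].append(cid)
    return {v: sorted(ids) for v, ids in sorted(groups.items())}
```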

Annex B in this version maps the new controls back to ISO 27002:2013 and allows for an easy transition to the updated version of ISO 27002.