ISO 27002:2022: Unpacking the InfoSec Management Standard
Veteran Security Expert Gary Hibberd Discusses New Controls
The ISO 27001 standard defines the requirements for an information security management system, helping organizations secure their information assets.
Unpacking the biggest change to the standard since its 2013 edition, Gary Hibberd, known as "The Professor of Communicating Cyber" at cybersecurity services provider Cyberfort Group, says the controls have been reorganized to bring the standard up to date: the 2022 edition groups them into four themes (organizational, people, physical and technological) in place of the 14 clauses used in 2013.
Hibberd's book, "New Controls ISO 27002:2022," published in February 2022, says that while there were 114 controls in the 2013 standard, the number has dropped to 93 in the 2022 edition. The reduction comes mainly from merging overlapping controls; the new edition also introduces 11 controls that had no equivalent in 2013, covering areas such as cloud services, threat intelligence, configuration management, data masking and data leakage prevention.
He says of the differences between the two standards: "While ISO 27001 is the management system that allows you to manage information security, ISO 27002 is guidance on how to implement the controls that are listed within ISO 27001."
As developing a new edition of a standard takes years, it's unlikely that the release of ISO 27002:2022 was influenced by the pandemic and the shift to hybrid work, Hibberd says.
"That's not to say the new controls are not connected with what is happening today. For instance, one of the controls is related to cloud services, and our requirement and need for cloud services has increased today."
In this interview with Information Security Media Group, Hibberd also discusses:
- The reorganization of the controls and what it means for enterprises;
- Differences between ISO 27001 and ISO 27002;
- How these standards can help organizations understand security risks.
Hibberd is the managing director of Agenci, an international cybersecurity consultancy. He is also a director at Cyberfort Group. Hibberd began his career as a programmer and a hacker. He has 35 years of experience in cyber, with 20 of them focused on cybersecurity, governance, business continuity and data protection. He is a published author, blogger and international speaker on diverse topics, including the dark web, cybercrime and cyber psychology.