27001:2022 Query

Guest user. Created: Dec 15, 2022. Last commented: Dec 15, 2022


Hi Dejan,

Regarding this article:

https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/

What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)

ISO 27001 has 114 controls in Annex A - ISO 27002-2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?

So will ISO 27001 become ISO 27002?

Also, in reality, how would a small company deal with the following:

A.5.7 Threat Intelligence - gather information and analyse it? (interpret)

Could this be outsourcing to AV/MDR or something else?

Expert
Rhand Leal Dec 15, 2022

1 - What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)

I assume you are asking about ISO 27001 sections and Annex A. Annex A lists all the 93 controls, and they are divided into 4 sections (Organizational, People, Physical, and Technological controls).

2 - ISO 27001 has 114 controls in Annex A - ISO 27002-2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?

Your assumption is correct. Released in October 2022, ISO 27001:2022 Annex A now has only 93 controls, aligning this standard with ISO 27002:2022.

3 - So will ISO 27001 become ISO 27002?

ISO 27001 will not become ISO 27002. They have different purposes.

Please note that ISO 27001 is the standard that provides requirements for the implementation of an Information Security Management System (ISMS), while ISO 27002 is a complementary standard, which provides guidance to implement controls defined in ISO 27001:2022 Annex A. Additionally, ISO 27002 is not mandatory to implement ISO 27001 requirements.

For further information, see:

4 - Also, in reality, how would a small company deal with the following: A.5.7 Threat Intelligence - gather information and analyse it? (interpret) Could this be outsourcing to AV/MDR or something else?

To implement control A.5.7 Threat Intelligence, a company should consider gathering information internally (e.g., from logs of internal systems, incident reports, etc.), as well as from external sources (e.g., vendor reports, government agency announcements, etc.).

ISO 27001 does not prescribe that the organization needs to perform this information gathering by itself, so outsourcing this activity is an acceptable option.

For further information, see:
