
ISO 27002 revision sets the bar for cybersecurity, protecting your data across the world

In the world of cybersecurity, information security and privacy protection, the publication of the newly revised ISO 27002:2022 Information technology – Security techniques – Code of practice for information security controls is a big deal.

This major rewrite is the first update in almost a decade and only the third ever revision. New Zealand’s representative and convenor of the international committee SC27, Tony Krzyzewski, explains why he’s so excited to see this published.

‘A lot of work has gone into this revision’, says Tony, an ICT veteran of over 40 years, ‘and there have been considerable changes to incorporate since the last revision of ISO 27002 in 2013. Think about what technology, software and systems you use today compared with the last revision in 2013. An easy comparison is the iPhone 4 with the current iPhone 13. Each one of the apps you use on a daily basis – from personal and work email and teleworking to banking, social and leisure activities – is a potential access point for nefarious types to get your information.’

A solid model to counter growing threats 

‘And the threats have grown as our reliance on the systems that are integral to our lives has grown. Underpinning every app, piece of software and technology and cloud-based service are numerous specifications in cybersecurity, data and identification management. ISO 27002 is built on the three core components of the CIA triad – Confidentiality, Integrity, and Availability – an information security model meant to guide an organisation's security procedures and policies.

We had to ask: how is information used, managed, and owned? How can we ensure it is only accessed by the right people in the right circumstances? Can people be confident the information is dependable? How can we determine availability for those dependent on information?’

‘The committee also considered the NIST cybersecurity principles of identify, detect, protect, respond and recover, together with organisational protection requirements including people controls, physical controls and technological controls as part of this extensive rewrite of the standard.’ 

Part of an arsenal of international standards keeping you safe 

The controls within ISO 27002 also form the appendix to ISO 27001 Information technology — Security techniques — Information security management systems — Requirements and are an essential part of any organisation seeking ISO 27001 certification. The controls within ISO 27002 are generic and are intended to be applicable to all organisations, regardless of type, size or nature, even if the organisation isn’t seeking certification. Typical users include financial institutions and those in international distribution and food exports, who can use the controls to demonstrate compliance for certification. This can provide a competitive edge when working in global markets.

Consensus built by national experts at the cutting edge of their fields 

As founder and director of cloud-based Self-Assessment and Management system 'SAM for Compliance', while also convening international committee SC27 since 2018, Tony is a busy man. ‘Overseeing New Zealand’s contribution to ISO 27002 is just a small part of my role, and I was pleased to see six of my recommended controls that I submitted as a New Zealand National Expert make it through to this version.

The submitter and committee-based development process means that content gets adapted and modified as the standards are being developed, but seeing the standard mature and elements adopted is a rewarding part of the consensus approach. Together, you’re literally shaping the standards you and countries across the world will be using.’ 

As convenor of SC27, Tony holds New Zealand’s vote on ISO SC27, alongside 48 participating member countries (with 34 non-voting observing members), and is arguably one of our busiest committee members. With 70 standards under development and 215 currently published standards covering cybersecurity, information security and privacy protection, he has to do a lot of reading.

‘I work with other National Experts who may have greater expertise in particular fields. For example, I recently had to read a proposed standard on quantum entanglement for cryptographic transmission protection. There was some serious maths in that one and some amazing concepts to absorb and then decide whether New Zealand would give its support towards progression. Where we don’t have National Experts on working groups for a particular field, it is acceptable to abstain in our votes.’

‘In a typical month I will vote on behalf of New Zealand on a dozen or so ballots, though the next six weeks are going to be busy as I have 32 ballots that I am obligated to vote on. ISO 27001 and ISO 27002 are seen internationally as two of the most important standards developed by this committee as together they define the requirements for Information Security Management Systems and the technical controls by which compliance with security requirements can be measured.’ 

Future focused — are you our future expert? 

‘The content in a standard like ISO 27002 may have to remain relevant for up to 10 years, so committee members and working group members really need to be at the cutting edge of their field of expertise. Current trends like blockchain, cryptocurrency, protection against phishing and teleworking can all change significantly, as we’ve seen over the past few years. Everything we do has to be done in response to known issues and current technology but needs to take into account that we live in a constantly developing world of technology and threat.’

With an eye to the future, Tony reminds us that the next generation will need to consider how best to meet the needs and challenges of global data management. ‘I encourage anyone who is interested in wanting to make a difference, with expertise to give in their field, to consider joining a committee. The up-and-coming experts of tomorrow will need to be around to ensure that ISO 27002 and other standards remain fit for duty in the years ahead, because people’s lives and businesses depend on standards setting the benchmark for protection.’

ISO 27002:2022 Information technology — Security techniques — Code of practice for information security controls is available from our webshop. 

If Tony has inspired you to consider joining him and hundreds of New Zealanders on a development committee you can learn more here: 

ISO and IEC technical committee participation