2. Changes in the New ISO/IEC 27001 and ISO/IEC 27002
• ISO/IEC 27001 is under revision, and ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls has been released.
• The latest revision of ISO/IEC 27002 was published in February 2022, and ISO/IEC 27001 will follow shortly thereafter.
• The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) joint technical committee, ISO/IEC JTC 1, is changing the structure of the ISO/IEC 27001/27002 control framework after nearly 20 years.
3. What Is the Difference Between ISO/IEC 27001 and ISO/IEC 27002?
• Organizations can achieve certification to ISO/IEC 27001 but not to ISO/IEC 27002.
• ISO/IEC 27001 documents the requirements for establishing, implementing, maintaining, and continually improving an information security management system, while ISO/IEC 27002 is designed for organizations to use as a reference when selecting controls.
• ISO/IEC 27002 also provides guidelines for information security management practices, including the implementation and management of controls.
4. Changes in ISO/IEC 27002:2022
ISO/IEC 27002:2013 contains 114 controls in 14 domains; ISO/IEC 27002:2022 contains 93 controls in 4 domains:
• Chapter 5 – Organizational (if they do not fall under any other domain) – 37 controls
• Chapter 6 – People (if they concern individual people) – 8 controls
• Chapter 7 – Physical (if they concern physical objects) – 14 controls
• Chapter 8 – Technological (if they concern technology) – 34 controls
5. DESE INFORMATION SECURITY SYSTEMS SCHEME
The Department of Education, Skills and Employment Information Security Management Systems (DESE ISMS) scheme is a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual.

The Department has mandated that providers of employment skills training and disability employment services must be compliant with the framework by March 2024 in order to fulfil their obligations.
6. DESE INFORMATION SECURITY SYSTEMS SCHEME
Currently, SGS is able to conduct unaccredited audits against the scheme while working towards setting up a team and becoming accredited for it.
7. Audit Time Chart
[Audit time chart: DESE Information Security Systems Scheme]
Source: Requirements for Bodies Providing Audit and Certification of Information Security Management Systems (ISMS) of Contracted Employment Service Providers, DESE ISMS Scheme Issue 1, 10 March 2021 (re-issued 24 May 2021)