ISO 27002: 2022 – What Has Changed?

a digital wheel with ISO in the middle and on the outter icons for a circle gears, a globe, a light bulb, folder, shield with a check mark and people

ISO 27002: 2022 - What Has Changed?

The New ISO 27002 Is Finally Here 

The new revision of ISO 27002 was published on February 15th, 2022 and there are some major changes from the 2nd edition released in 2013 that you should be aware of.  The main focus of this revision was to improve the guidance for implementation of ISO 27001 Annex A controls.   

This won’t be the only ISO standard revised this year as it’s expected a new version of ISO 27001 will be released soon. 

What Changed? 

The number of controls has been reduced from 114 to 93, and they’re now organized in 4 categories.  These categories are: 

  • Organizational controls (Clause 5) 

  • People controls (Clause 6) 

  • Physical controls (Clause 7) 

  • Technological Controls (Clause 8) 

a digital wheel with ISO in the middle and on the outter icons for a circle gears, a globe, a light bulb, folder, shield with a check mark and people

The new categorization will help organizations determine the applicability of the controls along with determining who or what department is responsible for the control. 

The controls in ISO 27002 now also have attributes designated to each control.  These new attributes are: 

  • Control types: Preventive, Detective, and Corrective 

  • Information security properties: Confidentiality, Integrity, and Availability 

  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover 

  • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance 

  • Security domains: Governance and ecosystem, Protection, Defense, and Resilience 

This brings ISO 27002, and 27001: 2022, upon its release later this year, more in line with other cybersecurity frameworks like NIST.  

The correlation of controls between the different frameworks can be a headache for organizations.  The addition of attributes to the 27002 controls will make correlating the controls a bit easier. 

New Controls 

There are 12 new controls in the standard, a result of the ever changing InfoSec environment, technology, and practice. Many of these controls reflect the expected addition of personal information (PI) and personally identifiable information (PII) as an information asset under the new 27001 revision. 

Controls that Have Been Deprecated

While some of the controls have been merged, 16 controls have been removed from the newest version of the standard.  These are:

  • 5.1.2 – Review of InfoSec policies 
  • 6.2.1 – Mobile device policy 
  • 8.1.2 – Owndership of assets 
  • 8.2.3 – Handling of assets 
  • 9.4.3 – Password management system 
  • 11.1.6 – Delivery and loading areas 
  • 11.2.5 – Removal of assets 
  • 11.2.8 – Unattended user equipment 
  • 12.4.2 – Protection of log information 
  • 12.6.2 – Restrictions on software installation 
  • 13.2.3 – Electronic messaging 
  • 14.1.2 – Securing application services on public networks 
  • 14.1.3 – Protecting application services transactions 
  • 14.2.9 – System acceptance testing 
  • 16.1.3 – Reporting InfoSec weaknesses 
  • 18.2.3 – Technical compliance review 
older male in casual attire waving good bye

The last control, Technical compliance review, has been split into two controls: 5.36 – Conformance with policies, rules, and standards for information security and 8.8 – Management of technical vulnerabilities. 

What Does This Mean For ISO Security Practitioners? 

The biggest impact is in your organization’s risk treatment and risk register.  When the new ISO 27001 Annex A is released, it will be imperative that your organization review your risk treatment, review and realign the controls in you Statement of Applicability, and update or even create policies, processes, and procedures for the new controls. 

Organizations already certified, will have to certify to the new ISO 27001 standard within 2 years of release.  This gives organizations time to review, revise, and improve their Information Security Management Ssystem (ISMS) before having to seek recertification by 2024.  

Questions For You!

What are your thoughts on this topic?

Is ISO going in the right direction by reducing the volume of controls?

What do you see as the next steps forward?

Do you have any unique insights on where ISO security is going that you'd like to share with other readers?

If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note to keep our environment clean and free of advertisments of any kind, comments may not include external links, citing company names to promote them, or the like.

Related Articles