What Has Changed in ISO 27002:2022?

ISO 27002, the standard used to determine and implement controls for information security management systems to ISO 27001, has been revised and published.

Here is what’s changed in ISO 27002:2022:

New Title & Scope

The first significant change to the standard is a move away from “Code of Practice” and instead positioning the standard as a set of controls that can either stand alone, or exist as part of an ISO 27001 ISMS.

The new title is: “Information security, cybersecurity and privacy protection — Information security controls”.

We believe the reference to “privacy protection” is significant here as it supports the privacy information management system ISO 27701 which has increased in popularity as data protection legislation around the world starts to be updated.  

New Control Categories

The control set has been revised down from 114 to 93 controls, and these are now distributed across just 4 categories:

  • Organisational Controls,
  • People Controls,
  • Physical Controls, 
  • Technological Controls.

Many of the controls, 58 of them, remain in place with an update.  However the standard has merged 24 controls and added 11 new ones.

Cloud security is one new area that is now covered by the standard, however it should also be noted that the standards committees have given more thought to controls that detect security breaches, in addition to controls that mitigate risks.

Overall our first impression of the standard is that this provides a clearer structure that can be applied throughout an organisation and it can be used to manage a broader risk profile which includes not just information security but also the more technical aspects of cyber security, as well as the human elements that come with privacy protection. 

What are Attributes in ISO 27002:2022?

The new version of ISO 27002 has introduced an Attributes section to each control.  

This is a table that identifies key attributes such as:

  • Control Type
  • InfoSec Properties,
  • Cyber Security Concepts,
  • Operational Capabilities,
  • Security Domains.

We believe one of the key uses of this attributes table is to direct controls at the right audience, for example at top management, or a technical IT contact.

However, in addition, by identifying the confidentiality, integrity, availability – and other aspects – this table supports work that many clients already do within their risk assessment and SOA. 

How Does ISO 27002:2022 Affect ISO 27001?

The current version of the ISMS standard remains ISO 27001:2013 (2017) at this time, and therefore the Annex A of this standard remains unchanged, with 114 controls.

Therefore, the current ISO Certification schemes will continue on that basis until a revised standard is published. 

ISO 27001 has recently been reviewed and “Confirmed”, so we don’t believe there are any major changes coming in the near future.

However, it is likely that ISO will publish a revision to ISO 27001 and change ONLY Annex A of that standard by swapping the current control set for the new ISO 27002:2022 set.  

This is possible because the framework of the system can be unchanged, while the controls available are updated.

There would be a transition period to allow ISO Certification Bodies and Certified Clients to implement the changes without affecting their certificates.

Preparing for ISO 27002:2022 Control Changes

In practical terms for those operating an information security management system, this will require changes to the Statement of Applicability (SOA) as well as other references to the control set throughout the documentation.

Assent’s ISO 27001 Consultants can help you implement the new controls through awareness training, workshops and consultancy support.  We also recommend an internal audit prior to the next external audit, to ensure any new controls are effectively implemented.
Contact us for support with the new ISO 27002.

Robert Clements
Robert Clements
Articles: 301