ISO 27002:2022 is divided into four chapters. This is in sharp contrast to ISO 27002:2013, which comprises fourteen chapters.
The security controls contained in Annex A have been updated (the number of controls decreased from 114 to 93)
Controls are now grouped in 4 main domains (instead of the previous 14) and are tagged for easier reference and use.
11 new controls have been introduced, whilst none of the controls was deleted, many controls were merged together, thereby reducing the overall number.
The addition of new controls, updates and merging of controls reflect the current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding, and Data Loss Protection (DLP).
An amendment to ISO 27001, which is the main standard to which companies are certified against and stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022
Despite the changes set out within the ISO 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as it is the norm with any ISO standard. This period will only start after ISO 27001 is officially updated and published.
ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications and the accreditation bodies will work with the certification bodies on a transition cycle which gives organisations holding an ISO 27001 certificate ample time to transition from one version to another.
Not all of the nearly 100 example control measures detailed in ISO 27002 are relevant for every organisation, but when they are, they must be in place in order for your organisation to comply with ISO 27001.
InfoSecAssure will be updating the platform to include a full 27002 assessment when the revised 27001 standard is released in late 2022.