ISO 27001 and 27002 Changes in 2022

March 15, 2022

ISO 27002 Changes in 2022

ISO 27002:2022 is divided into four chapters. This is in sharp contrast to ISO 27002:2013, which comprises fourteen chapters.

  1. Organizational controls (chapter 5)
  2. People controls  (chapter 6)
  3. Physical controls  (chapter 7)
  4. Technological controls  (chapter 8)

ISO 27002 Revision - what has changed

The security controls contained in Annex A have been updated (the number of controls decreased from 114 to 93)

Controls are now grouped in 4 main domains (instead of the previous 14) and are tagged for easier reference and use.

11 new controls have been introduced, whilst none of the controls was deleted, many controls were merged together, thereby reducing the overall number.

The addition of new controls, updates and merging of controls reflect the current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding, and Data Loss Protection (DLP).

ISO 27001 amendment - what will change

An amendment to ISO 27001, which is the main standard to which companies are  certified against and stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022

Adoption timeline for 27002 changes

Despite the changes set out within the ISO 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as it is the norm with any ISO standard. This period will only start after ISO 27001 is officially updated and published.

27002 Control Structure Change Summary

  • 35 controls remained the same with change in control number and realigned to the 4  sections;
  • 11 new controls were added;
  • 23 controls have been renamed to make them easier to understand
  • Even thought the number of controls have been reduced (from 114  to 93 ); no controls are excluded;
  • 57 controls have been merged into 24 controls;
  • Only one control was split; Control 18.2.3 Technical Compliance Review was split into: 5.3.6 – Compliance with policies, rules and standards for information security; and 8.8 – Management of technical vulnerabilities

How will 2002 Updates Impact My Current Certification?

ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications and the accreditation bodies will work with the certification bodies on a transition cycle which gives organisations holding an ISO 27001 certificate ample time to transition from one version to another.

Not all of the nearly 100 example control measures detailed in ISO 27002 are relevant for every organisation, but when they are, they must be in place in order for your organisation to comply with ISO 27001.

When will InfoSecAssure Assessments include 27002 2002?

InfoSecAssure will be updating the platform to include a full 27002 assessment when the revised 27001 standard is released in late 2022.

Learn More About InfoSecAssure

Learn more about how InfoSecAssure can help you achieve great information security outcomes so you can get on with what you do best.

Other articles

Secure your business.
Today is the day to build the business of your dreams. Let us help you secure your assets without blowing your budget — and focus on the things that count!
i have 60 seconds to watch a quick video