
ISO 27002:2022 Changes, Updates & Comparison

ISO/IEC 27002 has been revised to update the information security controls to reflect developments and current information security practices in various sectors of businesses and governments.

In this post, we will explain the main changes to the standard and how you can successfully approach them.

A large number of standards and similar security frameworks relate to, or are built on, ISO 27002:2013, and the move to a new version of this standard will affect all of them.


ISO 27002 2013 original scope

The primary purpose of ISO 27002:2013 was to provide a comprehensive information security and asset management program for any organisation that either needed a new information security management program or wanted to improve its existing information security policies and practices. The code of practice gave the recommendations for managing information security to those responsible for initiating, implementing and maintaining information security in an organisation.

What has changed in ISO 27002 2022?

In ISO 27002:2022, the name of the standard has been changed. Instead of “Information technology – Security techniques – Code of practice for information security controls”, the name is now “Information security, Cybersecurity and privacy protection – Information security controls” in the 2022 revision.

Changes in the compliance landscape, including regulations such as the GDPR (General Data Protection Regulation), POPIA (Protection of Personal Information Act) and the APPs (Australian Privacy Principles), the evolving business continuity, cyber risk and compliance challenges faced by organisations around the world, and the introduction of ISO 27701, created a need for ISO 27002 to broaden the scope of its controls beyond its original information security focus to also address cyber security, privacy protection and vulnerability management.

The stated intent of the revised standard is to provide a reference set of generic information security controls, each with implementation guidance, for use in context-specific information security, cyber security and privacy risk management, either within an ISO 27001 management system or on its own.

When did it go live?

The new ISO 27002 2022 revision was published on the 15th of February 2022.

Interpreting the changes

Our first impression of the revised standard is that it provides a more straightforward structure that can be applied throughout an organisation and can now also be used to manage a broader risk profile. This can include information security and the more technical aspects of physical security, asset management, cyber security, and the human resource security elements that come with privacy protection.

The first significant change to the standard is moving away from a “Code of Practice” and positioning it as a set of controls that can either stand alone or exist as part of an ISO 27001 information security management system.

What has changed?

The number of controls in the new version ISO 27002 2022 has decreased from 114 controls in 14 clauses in the 2013 edition to 93 controls in the 2022 edition. These controls are now categorised into four control “themes,” which are “Organisational controls”, “People controls”, “Physical controls”, and “Technological controls.”

What is a control?

A “control” is defined as a measure that maintains and/or modifies risk. An information security policy on its own, for example, does not change risk; it is compliance with that policy that modifies it. Note also that some controls describe the same generic measure applied in different risk contexts, so the same measure can appear more than once in the control set.

Control Guidance

The Guidance section of each control has been reviewed and updated where needed to reflect current developments and practice. Every control now also follows a common layout: the control title, an attribute table, the control statement itself, a ‘Purpose’ statement, implementation guidance and, where relevant, an ‘Other information’ section. The ‘Attributes’ relate each control to cyber security concepts and other common security vocabularies.

Which controls have changed?

Within the 93 controls (and compared with the 2013 edition), 11 controls are new, 24 are merged, and 58 are updated (mainly for the Guidance section).

The control sets are now organised into four (4) categories or themes instead of fourteen (14) control domains. The four categories, with the number of controls in each, are:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

The total control count has been reduced—there are 21 fewer controls in the new version of ISO 27002:2022.

A concerted effort was made to avoid control redundancy: 24 controls in the 2022 version each consolidate two or more controls from the 2013 version (57 of the 2013 controls in total).

The standard now has 11 new controls to reflect the current information security, physical security and cyber security landscape.

The control objective for a group of controls has been replaced by a “purpose” element in the 2022 version.

To support the risk assessment, mitigation and treatment process, the concept of “attributes” has been attached to each control. Attributes let you build different views of the control set, that is, categorisations of controls from a perspective other than the four control themes (for example, all detective controls, or all controls supporting the ‘Respond’ concept).

New controls

The scope of ISO/IEC 27002:2022 now lists 11 new controls. These are (with their 2022 control numbers):

  1. Threat intelligence (5.7) – collecting and analysing information about attackers and their methods in the context of your own IT landscape, so that it can inform your controls.
  2. Information security for the use of cloud services (5.23) – the whole life cycle of a cloud service, from selection and acquisition through operation to exit, now needs to be governed.
  3. ICT readiness for business continuity (5.30) – ICT requirements should be derived from the organisation’s business continuity objectives and the ability to recover operational capabilities.
  4. Physical security monitoring (7.4) – premises should be continuously monitored (alarm, surveillance and access-monitoring systems) to detect and deter unauthorised physical access.
  5. Configuration management (8.9) – defining, documenting, enforcing and monitoring hardened, secure configurations of hardware, software, services and networks.
  6. Information deletion (8.10) – information held in systems, devices and storage media must be deleted when no longer required, including to satisfy external obligations such as data protection deletion requirements.
  7. Data masking (8.11) – using techniques such as masking, anonymisation and pseudonymisation to limit the exposure of sensitive data.
  8. Data leakage prevention (8.12) – applying measures to the systems, networks and devices that process or store sensitive information to prevent unauthorised disclosure.
  9. Monitoring activities (8.16) – networks, systems and applications should be monitored for anomalous behaviour and the results evaluated to detect potential security incidents.
  10. Web filtering (8.23) – restricting access to external websites to reduce exposure to malicious content.
  11. Secure coding (8.28) – applying secure coding principles throughout development: secure tooling, code review and change tracking, and avoiding insecure programming constructs.
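
Of the new controls, data masking (8.11) is the one most often implemented directly in code, so the following is an added example (not code from ISO/IEC 27002 or from ISMS.online) showing the difference between display masking, naive hashing and keyed pseudonymisation on a few constructed log lines. Everything in it is illustrative: the log lines, e-mail addresses and the 32-byte key are made up, and the regular expression covers only simple e-mail addresses.

```python
"""Pseudonymisation and masking of identifiers in log records.

Added example; not from ISO/IEC 27002 or ISMS.online. The log lines are
constructed sample data and the key is a placeholder: in production the key
comes from a secrets store, never from source code.
"""
import hashlib
import hmac
import re
from typing import Callable, Iterable, List, Optional

# Deliberately simple e-mail pattern; good enough for the constructed data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample log lines (no real people or systems).
SAMPLE_LOGS = [
    "2022-02-15T10:01:02Z login ok user=alice@example.com ip=198.51.100.7",
    "2022-02-15T10:05:44Z login ok user=bob@example.org ip=203.0.113.9",
    "2022-02-15T10:06:10Z export user=alice@example.com rows=1200",
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but anyone can hash guesses and
    compare, so low-entropy identifiers (e-mails, names) are recoverable."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 64 bits (16 hex chars).

    Same input + same key -> same token, so records stay joinable; without
    the key an attacker cannot test guesses against the token.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(addr: str) -> str:
    """Partial masking for display (help-desk screens): a***@example.com.

    This is masking, not pseudonymisation: the domain still leaks and the
    first character narrows the local part, so use it for display only.
    """
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def pseudonymise_logs(lines: Iterable[str], key: bytes) -> List[str]:
    """Replace every e-mail address with a keyed pseudonym before the log
    leaves the trust boundary (SIEM export, vendor ticket, analytics)."""
    return [
        EMAIL_RE.sub(lambda m: "user_" + pseudonymise(m.group(0), key), line)
        for line in lines
    ]


def recover(token: str, candidates: Iterable[str],
            fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash each guess with fn and compare to the token.

    Succeeds against naive_hash output; fails against a keyed pseudonym
    because the attacker has to guess without the key.
    """
    for guess in candidates:
        if hmac.compare_digest(fn(guess), token):
            return guess
    return None


if __name__ == "__main__":
    key = b"\x01" * 32  # placeholder; load from a secrets store in practice
    for line in pseudonymise_logs(SAMPLE_LOGS, key):
        print(line)
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    print("naive hash recovered:",
          recover(naive_hash("alice@example.com"), guesses, naive_hash))
    print("keyed token recovered:",
          recover(pseudonymise("alice@example.com", key), guesses, naive_hash))
    print("masked for display:", mask_email("alice@example.com"))
```

The keyed pseudonym keeps records joinable (the same address always yields the same token) while removing the guess-and-check attack that defeats an unkeyed hash of a low-entropy identifier. The key then becomes the thing to protect, and rotating it breaks joins across the rotation boundary, which is sometimes exactly what a retention or deletion policy (control 8.10) wants.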

That gives us:

  • 93 controls in the new version of 27002, of which:
  • 11 controls are new;
  • 24 controls were merged from two, three or more controls in the 2013 version; and
  • 58 controls carried over from the 2013 version were reviewed and revised to align with the current information security and cyber security environment.

The 2022 edition also has two annexes:

  • Annex A, which explains how to use attributes and gives example views; and
  • Annex B, which cross-references the 2022 controls with ISO/IEC 27002:2013 (and therefore with Annex A of ISO/IEC 27001:2013). It consists of two tables: B.1 maps each 2022 control to its 2013 counterpart(s), and B.2 maps each 2013 control to its 2022 counterpart, making clear which controls are new and which have been merged.

What ARE attributes

The new version of ISO 27002 gives each control an attributes table. Attributes are a means of categorising controls; they let you quickly align your control selection with common industry language and other standards, and organisations may define their own attributes in addition to the five in the standard. Attribute values are written as hashtags (e.g. #Preventive) so that they can be searched and filtered. The five attributes and their values are:

  • Control type – #Preventive, #Detective, #Corrective
  • Information security properties – #Confidentiality, #Integrity, #Availability
  • Cybersecurity concepts – #Identify, #Protect, #Detect, #Respond, #Recover
  • Operational capabilities – a practitioner’s view, e.g. #Governance, #Asset_management, #Information_protection, #Identity_and_access_management, #Secure_configuration, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security
  • Security domains – #Governance_and_Ecosystem, #Protection, #Defence, #Resilience

The use of attributes supports work that many companies already do within their risk assessment and statement of applicability (SOA).

For example, the Cybersecurity concepts attribute uses the same five functions as the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), so a view by that attribute maps directly onto it, and the Operational capabilities attribute lets you recognise which controls relate to areas covered by other standards and frameworks (such as the CIS Controls).

How does this affect you?

The ISO 27002 2022 revision affects organisations in each of three situations:

  • if you are already ISO 27001 2013 certified;
  • if you are mid-certification; or
  • if you are about to re-certify.

An ISO 27001 certificate lasts for three years. If your organisation is already certified you do not need to act immediately; the revised ISO 27002 2022 control set becomes relevant at renewal or re-certification. It therefore stands to reason that every certified organisation will have to prepare for the revised standard at some stage.

How does it affect your (re)certification

Suppose an organisation is currently in the process of ISO 27001 2013 certification or re-certification. In that case, it will be expected to revisit its risk assessment, identify which of the new controls are applicable, and revise its Statement of Applicability by comparison with the Annex A controls. Since there are new controls, and modified or additional guidance for others, organisations need to review the revised ISO 27002 for any implementation changes.

Even though ISO 27001 revision 2022 is yet to be published, Annex B of ISO 27002 maps controls between the 2013 and 2022 versions of the standard.

Your Statement of Applicability (SOA) must still be compared against Annex A of ISO 27001:2013, as clause 6.1.3 of that standard requires, but ISO 27001 also permits controls to be taken from any source. You can therefore adopt the ISO 27002:2022 controls as an additional control set and use Annex B to show how each one maps to Annex A.

Do you need to amend your documentation

Complying with these changes should include:

  • an update to your risk treatment process to reflect the updated controls;
  • an update to your Statement of Applicability; and
  • updates to your current policies and procedures against the guidance for each control, where necessary.

How does it affect ISO 27001 2013

Until a new ISO 27001 2022 standard is published, the current certification schemes against ISO 27001:2013 continue. Organisations that adopt the 2022 control set in the meantime can map it to the 2013 Annex A controls via Annex B of ISO 27002:2022 (tables B.1 and B.2).

Upcoming changes to ISO 27001

Most people who follow information security expect that the ISO 27001 changes will be minor textual changes with a minor update of Annex A to align with the ISO 27002 2022 revision.

When will ISO 27001 be updated?

A revised ISO 27001 is widely expected this year (October 2022). That date is not yet confirmed.

Are any other 27000 standards affected?

Management system standards and frameworks related to and/or based on the ISO/IEC 27002:2013 version will feel the change. Commonly used standards and frameworks such as ISO 27701 (privacy), ISO 27017 (cloud services) and ISO 27018 (cloud privacy) are expected to follow, and a further impact may be expected for local standards and frameworks.

Are you ready for the changes?

You can start preparing your organisation’s management system against the DIS 27001 version (DIS meaning Draft International Standard) or wait until the revised standard is made final.

Some steps your organisation can take to prepare for the revised standard are:

  • Complete a gap analysis of your current controls against the new controls.
  • Map controls between ISO 27002:2013 and ISO 27002:2022 via Annex B.
  • Update your risk assessment in line with the 27002 2022 controls, since you will be changing your existing controls.
  • Understand which controls are applicable and update your information security management system accordingly.
  • Update your Statement of Applicability.
  • Review and update your internal audit programme to cover the updated controls.
  • Ensure your security metrics are updated to match your new risk assessment and controls.
  • Review and update standards, procedures and policies to reflect the changes in your environment.
  • Evaluate any third-party tools you currently use to demonstrate compliance, to ensure they can support the new revision.

This will help you get ahead of the game for re-certification or adoption of additional ISO 27000 family standards/frameworks, e.g. ISO 27018, 27017, 27032, which are widely expected to be updated shortly after the ISO 27001 2022 revision.

Can ISMS.online help you transition to the new ISO 27002:2022 revision?

Yes, we can. If you are already a customer, we will be reaching out to you with a set of migration options shortly. If you are not a customer, we have a range of options to help you migrate your information security management system to ISMS.online.
