ISO/IEC 27002:2022 – what you should know about the new changes

After a wait of over nine years, the revised ISO/IEC 27002:2022 standard has finally been published. Of course, companies have a transition period to bring their ISMS up to date, but all the same, you should already be dealing with the revised standard, because it’s not just the title that has changed. You can find out in this article what else has, and why it is worthwhile to tackle the issue right now.

ISO/IEC 27002:2022 – It was worth the wait

When it comes to introducing an ISMS in a company, ISO/IEC 27002 is the second most important standard after ISO/IEC 27001 (the updated version is still pending).

The ISO/IEC standard is now called “Information Security, Cybersecurity and Privacy Protection – Information Security Controls”. This makes it clear that information security is considered in a much broader context. The contents take into account additional cyber elements (cybersecurity). At the same time, data protection has been given greater prominence (privacy protection). ISO/IEC 27002:2022 contains implementation recommendations for controls (informative, not normative). This means that the standard is not part of the auditing procedure in a certificate audit. Nevertheless, it carries substantial weight.

The significance of ISO/IEC 27002

The 27002 controls show the scope and structure of the control set (currently called Annex A) of the future 27001 standard. The implementation recommendations are an ideal guideline for all those who want to implement an ISMS in accordance with 27001. At the same time, they are used by auditors as “guidance” in a certificate audit in order to assess whether the controls implemented in the company are appropriate. It can be assumed that the structure of the 27002 controls reflects the control set of the future ISO/IEC 27001 standard. This of course has an impact on the content and structure of standards based on it, such as ISO/IEC 27019 for energy suppliers, ISO 27799 for hospitals, ISO 27017 for cloud services, ISO 27018 for protection of personally identifiable information (PII) and ISO 27701 for the management of privacy information.

Structure of the ISO/IEC 27002:2022 standard

Certainly the most striking thing is that the standard has been given a new structure. While the previous version contained 14 chapters, there are now just four, entitled:

    • Organisational Controls (37)

    • People Controls (8)

    • Physical Controls (14)

    • Technological Controls (34)

The number of measures included is shown in brackets. Compared to the 2013 version, there are “only” 93 controls. Even though the number has been reduced (114 in the 2013 version), this should not be taken as an indication that the range of subjects has been reduced – quite the opposite in fact: 11 new measures have been added; only three measures have been deleted (11.2.5 Removal of Assets, 8.2.3 Handling of Assets, 16.1.3 Reporting of information security weaknesses). Various controls were consolidated into 19, for example in access rights management; 61 controls remain unchanged.

On the other hand, new focal points have been set, above all a greater focus on preventing, detecting and responding to cyber-attacks as well as protecting data, as is already known from the NIST Cybersecurity Framework. This generally means that the effort required to implement the controls will increase for companies. At the same time, it also becomes more difficult to rule out the corresponding measures as not applicable in your own company.

Controls in the new version of ISO/IEC 27002:2022 have two new elements in their structure:

  • Attribute table: attributes associated with the control (see next section for explanation).
  • Purpose: basic principles for the application of the control.

These added elements make it easier to find the information needed to understand how to classify and justify a control. In addition, one level of subheading has been removed in the new ISO 27002.


All controls now have attributes associated with the control:

    • Control type: Preventive, Detective, and Corrective

    • Information security properties: Confidentiality, Integrity, and Availability

    • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover

    • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance

    • Security domains: Governance and ecosystem, Protection, Defense, and Resilience

These are used to create views of the entire control set. Each attribute can then be assigned several hashtags (#), which make it possible to semantically summarise controls. This recognises that reducing the main sections down to just four makes it more difficult to find individual topics such as incident management, but with tags like #asset_management (formerly A.8) and #supplier_relationships_security (formerly A.15), it is possible to form thematically related sub-sets. This makes the changeover to the new version much easier. At the same time, the new structure takes into account the fact that controls are often relevant in different areas and were previously "artificially" squeezed into a framework of main sections and subsections.

11 new controls in the ISO/IEC 27002:2022

ISO/IEC 27002:2022 currently lists 11 new controls. These are also indicators of the new key thematic areas. For you, this means:

  1. Threat intelligence: You need to actively deal with understanding attackers and their methods in the context of your IT landscape.

  2. Information security for use of cloud services: Cloud initiatives must be considered comprehensively, from introduction through operation to exit strategy.

  3. ICT Readiness for Business Continuity: The IT landscape requirements must be derived from the business process perspective.

  4. Physical security monitoring: Preventing unauthorised physical access is gaining greater emphasis; alarm and monitoring systems are the means of doing so.

  5. Configuration management: Secure configuration of IT systems and hardening are becoming more and more important.

  6. Information deletion: Secure deletion and, in particular, compliance with external requirements, such as data protection deletion concepts, need to be implemented.

  7. Data masking: Various masking techniques such as anonymization and pseudonymization are used to strengthen data protection.

  8. Data leakage prevention: DLP is the subject of renewed attention and is intended to help prevent the unauthorised leakage of data.

  9. Monitoring activities: Network and application behaviour should be monitored in order to detect anomalies.

  10. Web filtering: Access to external websites that may contain malicious code is prevented by using web filtering methods.

  11. Secure coding: The last of the new controls in ISO/IEC 27002:2022 covers secure programming, the use of tools, monitoring of the libraries and repositories used, commenting and tracking changes, and avoiding insecure programming methods.

Why ISO/IEC 27002:2022 is more than just a facelift

ISO/IEC 27002:2022 has literally been given a complete facelift. The previous measures have been grouped into four categories and, where appropriate, combined, with a total of 11 out of 93 measures being added. In particular, there is now a greater focus on preventing, detecting and responding to cyber attacks, as well as protecting data. This means that the 2021 edition is more comprehensive. It takes new trends and changes in the threat situation into consideration. However, it is not enough just to implement the new measures, because new or extended requirements have also been added to the existing measures.

The standard is not yet in its final version, but everyone operating an ISMS in accordance with ISO/IEC 27001 should already be dealing with this standard and taking steps now. Once the revised structure becomes effective (ISO/IEC 27001), there will probably be a one-year transition period during which the old structure can still be used for certification. Existing certifications will probably only have to switch to the new structure after three years have passed. In any case, all companies should be aligning themselves with the new control objectives and implementing them.

You should follow the steps below:

  • Review the risk treatment and make sure it matches the new structure and numbering of the controls.
  • Align the list of controls in the Statement of Applicability.
  • Update policies and procedures and/or write new documents related to the new controls.
  • Since the change to the standard includes 12 new controls, this alignment of the risk treatment and documentation is the largest task.


(Last update: March 2022)


Reinhold Zurfluh
InfoGuard AG - Reinhold Zurfluh, Head of Marketing, Member of Management
