Information Security Leadership Forum - ISO 27002: 2022

Upcoming events

Certified ISO 27001 Lead Implementer - Information Security Management System (ISMS) Course (session 1 of 5)

Monday, May 13, 2024 8:30 AM

Live Online
Certified ISO 27001 Lead Implementer - Information Security Management System (ISMS) Course (session 2 of 5)

Tuesday, May 14, 2024 8:30 AM

Live Online
Certified ISO 27001 Lead Implementer - Information Security Management System (ISMS) Course (session 3 of 5)

Wednesday, May 15, 2024 8:30 AM

Live Online

Latest ISLF News

Information Security Program Benchmark Initiative Launch

Monday, March 18, 2024 1:00 PM

Timothy Phillips

A Community of Today and Tomorrow's Leaders

Back to list

ISO 27002: 2022 - What Has Changed?

Wednesday, March 22, 2023 3:15 PM | Timothy Phillips (Administrator)

The New ISO 27002 Is Finally Here

The new revision of ISO 27002 was published on February 15th, 2022 and there are some major changes from the 2nd edition released in 2013 that you should be aware of. The main focus of this revision was to improve the guidance for implementation of ISO 27001 Annex A controls.

This won’t be the only ISO standard revised this year, as ISO is expected to release a new version of ISO 27001 soon.

* UPDATE (June 12, 2023): for a detailed breakdown of changes in Clauses 4 through 10 of ISO 27001 in the 2022 release, please see our earlier article entitled, "ISO 27001: 2022 - A Detailed Summary of Change from 2013 to 2022 Version?"

What Changed?

The number of controls has been reduced from 114 to 93, and they’re now organized in 4 categories. These categories are:

Organizational controls (Clause 5)
People controls (Clause 6)
Physical controls (Clause 7)

Technological Controls (Clause 8)

The new categorization will help organizations determine the applicability of the controls along with determining who or what department is responsible for the control.

The controls in ISO 27002 now also have attributes designated to each control. These new attributes are:

Control types: Preventive, Detective, and Corrective
Information security properties: Confidentiality, Integrity, and Availability

Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
Security domains: Governance and ecosystem, Protection, Defense, and Resilience

This brings ISO 27002, and 27001: 2022, upon its release later this year, more in line with other cybersecurity frameworks like NIST.

The correlation of controls between the different frameworks can be a headache for organizations. The addition of attributes to the 27002 controls will make correlating the controls a bit easier.

New Controls

There are 12 new controls in the standard, a result of the ever changing InfoSec environment, technology, and practice. Many of these controls reflect the expected addition of personal information (PI) and personally identifiable information (PII) as an information asset under the new 27001 revision.

Controls that Have Been Deprecated

While some of the controls have been merged, 16 controls have been removed from the newest version of the standard. These are:

5.1.2 – Review of InfoSec policies
6.2.1 – Mobile device policy
8.1.2 – Owndership of assets
8.2.3 – Handling of assets
9.4.3 – Password management system
11.1.6 – Delivery and loading areas
11.2.5 – Removal of assets
11.2.8 – Unattended user equipment
12.4.2 – Protection of log information
12.6.2 – Restrictions on software installation
13.2.3 – Electronic messaging
14.1.2 – Securing application services on public networks
14.1.3 – Protecting application services transactions
14.2.9 – System acceptance testing
16.1.3 – Reporting InfoSec weaknesses
18.2.3 – Technical compliance review

The last control, Technical compliance review, has been split into two controls: 5.36 – Conformance with policies, rules, and standards for information security and 8.8 – Management of technical vulnerabilities.

What Does This Mean For ISO Security Practitioners?

The biggest impact is in your organization’s risk treatment and risk register. When the new ISO 27001 Annex A is released, it will be imperative that your organization review your risk treatment, review and realign the controls in you Statement of Applicability, and update or even create policies, processes, and procedures for the new controls.

Organizations already certified, will have to certify to the new ISO 27001 standard within 2 years of release. This gives organizations time to review, revise, and improve their Information Security Management Ssystem (ISMS) before having to seek recertification by 2024.

Questions For You!

What are your thoughts on this topic?

Is ISO going in the right direction by reducing the volume of controls?

What do you see as the next steps forward?

Do you have any unique insights on where ISO security is going that you'd like to share with other readers?

If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note to keep our environment clean and free of advertisments of any kind, comments may not include external links, citing company names to promote them, or the like.

Scann ing, Reading or Otherwise Accessing this Website by Any Artificial Intelligence (AI) Engine, or any Application Connected to, or Using Any AI Engine is Expressly Prohibited.