Main changes in the new ISO 27002 2022 revision

Updated: December 12, 2022, according to ISO 27001 2022 revision.

It’s been nine years since the last revision of ISO/IEC 27002 (in 2013), and although ISO 27001:2013 was confirmed in 2019 (i.e., no changes in the Information Security Management System standard were required), ISO 27002 definitely needed improvement to fulfill its role as guidance for implementation of ISO 27001 Annex A controls.

The new 2022 revision of ISO 27002 was published on February 15, 2022, and, in this article, I’ll present the main changes when compared to ISO 27002:2013 – these are not only about controls, but also how to organize and use them.

New ISO 27002 has 93 controls in the following four sections:
  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)

Structure of sections

From the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)
  • Annex A – Using attributes
  • Annex B – Correspondence with ISO/IEC 27002:2013

This new structure makes it easier to understand the applicability of the controls in a high-level sense, as well as the designation of responsibilities.

Number of controls

This new version has reduced the number of controls from 114 to 93. Technological advancements, and an improvement to the understanding of how to apply security practices, seem to be the reasons for the change in number of controls.

Elements of each control

The controls in the new version of ISO 27002 have two new elements in their structure:

  • Attribute table: attributes associated with the control (see next section for explanation)
  • Purpose: rationale for applying the control

These added elements make it easier to find information to better understand how to sort and justify the use of a control.

Additionally, in the new ISO 27002, one level of subtitle was eliminated. As a comparative example, access control was previously “9 Access control – 9.1 Business requirements of access control – 9.1.1 Access control policy,” whereas it is now “5 Organizational controls – 5.15 Access control.”

Control attributes

In my opinion, this is the change that brings the most value for this new version, because it provides a standardized way to sort and filter controls against different views to address the needs of different groups.

Attribute options for each control are as follows:

  • Control types: Preventive, Detective, and Corrective
  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
  • Security domains: Governance and ecosystem, Protection, Defense, and Resilience

These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like the NIST Risk Management Framework.

New controls

Here are the 11 controls that are new:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

To learn more about these new controls and their requirements, read the article Detailed explanation of 11 new security controls in ISO 27001:2022.

Renamed controls

23 controls have had their names changed for the sake of making them easier to understand. For example:

  • Control 12.7.1 Information systems audit controls was changed to 8.34 Protection of information systems during audit testing.
  • Control 15.1.3 Information and communication technology supply chain was changed to 5.21 Managing information security in the ICT supply chain.

These changes help keep the focus on the information security aspects of business processes and activities, reducing the effort for implementing and maintaining the Information Security Management System.

To see a full list of controls in the new ISO 27002, and to learn which controls were renamed and merged when compared to ISO 27002:2013, download this free white paper: Overview of new security controls in ISO 27002:2022.

Excluded controls?

Although the number of controls has been reduced, no controls were excluded in this new version, only merged for the sake of better understanding.

Merged controls

57 controls have been merged into 24 controls. For example:

  • Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
  • Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.

In my understanding, these merges were considered either because related controls are natural steps of a bigger process, or because more efficient security could be achieved by considering them in a single control.

Split controls

There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules and standards for information security and 8.8 Management of technical vulnerabilities.

Controls that have stayed the same

35 controls remained the same, only changing their control number.

Implications for the ISMS

If you already have your Information Security Management System implemented according to ISO 27001, you don’t have to worry too much for now – no matter which changes the new ISO 27002 revision has brought, there will be a transition period of three years for certified companies to align with these new controls, and that period starts on October 31, 2022.

Once these new controls become part of ISO 27001 Annex A, you will need to follow these steps:

  1. Review the risk treatment and make sure it is aligned with the new structure and numbering of controls.
  2. Align the list of controls in the Statement of Applicability.
  3. Update your policies and procedures, and potentially write new documents related to the new controls.

Since this change in the standard involves 11 new controls, this alignment in risk treatment and documentation will be the biggest job that’s ahead of you, although it probably will not require a big change in technological and process areas.
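As an added illustration of step 2 (not part of the original article or of any Advisera tool), the sketch below renumbers a 2013-style Statement of Applicability using only the rename, merge, split and new-control examples quoted in this article. The row format, the sample rows and the rule that a merged control is applicable when any of its sources was applicable are assumptions; a complete mapping must come from Annex B of ISO/IEC 27002:2022.

```python
# Added example: mappings below are only the ones quoted in this article.
# A full migration needs the complete table in ISO/IEC 27002:2022 Annex B.
OLD_TO_NEW = {
    "9.1.1": ["5.15"],                        # article's numbering example
    "12.7.1": ["8.34"], "15.1.3": ["5.21"],   # renamed
    "5.1.1": ["5.1"], "5.1.2": ["5.1"],       # merged
    "11.1.2": ["7.2"], "11.1.6": ["7.2"],     # merged
    "18.2.3": ["5.36", "8.8"],                # split
}
NEW_CONTROLS = ["5.7", "5.23", "5.30", "7.4", "8.9", "8.10",
                "8.11", "8.12", "8.16", "8.23", "8.28"]

# Constructed legacy SoA rows (2013 numbering); not real audit data.
SAMPLE_SOA = {
    "5.1.1": {"applicable": True, "justification": "Policy set approved"},
    "5.1.2": {"applicable": True, "justification": "Annual policy review"},
    "11.1.2": {"applicable": True, "justification": "Badge access at entry"},
    "11.1.6": {"applicable": False, "justification": "No loading area"},
    "18.2.3": {"applicable": True, "justification": "Quarterly tech review"},
    "6.1.1": {"applicable": True, "justification": "Roles defined"},
}

def migrate_soa(old_soa):
    """Return (new_soa, unmapped_old_ids) for a 2013-numbered SoA."""
    new_soa, unmapped = {}, []
    for old_id, entry in sorted(old_soa.items()):
        targets = OLD_TO_NEW.get(old_id)
        if targets is None:            # not covered by this partial table
            unmapped.append(old_id)
            continue
        for new_id in targets:         # one target, or two for a split
            row = new_soa.setdefault(
                new_id, {"applicable": False, "sources": [], "notes": []})
            # Assumption: a merged control applies if any source applied.
            row["applicable"] = row["applicable"] or entry["applicable"]
            row["sources"].append(old_id)
            row["notes"].append(f"{old_id}: {entry['justification']}")
    for new_id in NEW_CONTROLS:        # new controls need a fresh decision
        new_soa.setdefault(new_id, {"applicable": None, "sources": [],
                                    "notes": ["new in 2022: decide after "
                                              "risk treatment review"]})
    return new_soa, unmapped

if __name__ == "__main__":
    soa, todo = migrate_soa(SAMPLE_SOA)
    for cid in sorted(soa, key=lambda c: [int(p) for p in c.split(".")]):
        print(cid, soa[cid])
    print("Look up manually in Annex B:", todo)
```

Rows left with `applicable` set to `None` are the new controls that still need an applicability decision, and merged rows keep every source justification so an excluded part (here the loading area) stays visible to the auditor.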

And this is where the new ISO 27002 will bring the most value – during the transition period you will have plenty of refreshed best practices to choose from, as well as a new set of attributes to use to make controls selection easier and more effective. And because ISO 27002 is quite detailed, and you still have the freedom to choose only the appropriate stuff for your organization, it will definitely help you make this transition easier.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.