ISO 27002:2022 update: What changed? Will it affect my ISO 27001:2013 certification?

Published on: March 29, 2022
On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. Learn more about the standard update in this blog article.

ISO Standards generally go through a review cycle every five to seven years. In March 2018, this process was started for the ISO 27002:2013 standard, and after the release of a draft in January 2021, the ISO Organisation published the new ISO 27002:2022 just last month, on February 15th.

There are many improvements in the 2022 version of the ISO 27002 Standard. Whether your organisation is looking to implement ISO 27001:2013 Information technology – Security techniques – Information security management systems – Requirements, or wants to understand the impact of ISO 27002:2022 on its processes and on its current certification to ISO 27001:2013, this article will guide you through the main changes and questions.

In summary, ISO 27002:2022 Information security, cybersecurity and privacy protection – Information security controls is a reference and guidance document that aims to support organisations in determining and implementing controls for information security risk treatment in an information security management system based on ISO 27001:2013 Information technology – Security techniques – Information security management systems – Requirements.

ISO 27001:2013 vs ISO 27002:(2013 & 2022)

ISO 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within your business.

ISO 27002:2013 and its newest edition (ISO 27002:2022) are versions of an international standard used as a guide for selecting and implementing the information security controls listed in Annex A of ISO 27001:2013.

Unlike ISO 27001:2013, your organisation cannot become certified to ISO 27002, as this is a guidance document, so it’s considered a supporting standard.

Note: These Standards are also referenced as ISO/IEC 27001:2013 and ISO/IEC 27002:(2013 & 2022), reflecting their joint publication by the International Organization for Standardization and the International Electrotechnical Commission.

What’s new in ISO 27002:2022?

The first noticeable change is that the term “code of practice” was dropped from the title of the ISO 27002:2022 Standard, which is now titled Information security, cybersecurity and privacy protection — Information security controls. This better reflects its purpose as a reference for determining and implementing information security controls.

Although some controls have been merged or removed, resulting in 21 fewer controls, the ISO 27002:2022 document is actually longer than its previous edition, as it goes into more detail and explores comparisons with the older version.

Keep reading to find out what changed in more detail:

Number of controls

There are now a total of 93 controls as opposed to the previous 114. They comprise:

  • 11 new controls that bring the standard in line with the present information security and cyber security context:
      • 5.7 Threat intelligence
      • 5.23 Information security for use of cloud services
      • 5.30 ICT readiness for business continuity
      • 7.4 Physical security monitoring
      • 8.9 Configuration management
      • 8.10 Information deletion
      • 8.11 Data masking
      • 8.12 Data leakage prevention
      • 8.16 Monitoring activities
      • 8.23 Web filtering
      • 8.28 Secure coding
  • 24 controls merged from two, three, or more controls from the 2013 version, in an effort to avoid control redundancy.
  • 58 controls from the 2013 Standard that were reviewed and amended to reflect the current state of information security.
  • A new “Purpose” element has been introduced to the layout of each control, to reinforce why the control should be implemented.

New organisation into categories

The controls are now organised into 4 categories (from Clauses 5 to 8 of the standard), instead of the 14 domains from the 2013 version:

  • Organisational (Clause 5 of ISO 27002) – 37 controls
  • People (Clause 6 of ISO 27002) – 8 controls
  • Physical (Clause 7 of ISO 27002) – 14 controls
  • Technological (Clause 8 of ISO 27002) – 34 controls

As an initiative to make it easier to filter and organise controls that are relevant to the organisation, each control is now associated with attributes.

Attributes can be used to filter, sort or present controls in different views for different audiences. The attributes are divided into five categories, with corresponding attribute values (preceded by # to enable search capability in tools such as spreadsheets or databases).

These attributes were selected because they are considered generic enough to be used across different industries and types of organisations. An organisation can choose to disregard one or more of the given attributes and can also define its own attributes for a customised view.
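As an added illustration (not code from the article or from ISO), the following Python models controls tagged with #-prefixed attribute values, the way the standard suggests for spreadsheets or databases, and builds the filtered views described above. The three category names and their values are taken from the published standard; the assignment of tags to the sample controls is constructed for illustration, so check them against your own copy of ISO 27002:2022 before reuse.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Three of the five attribute categories defined in ISO 27002:2022 and their
# "#"-prefixed values. The tag assignments in SAMPLE_ROWS below are illustrative.
CATEGORIES = {
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "security_properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "cybersecurity_concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
}
ALL_VALUES = set().union(*CATEGORIES.values())


@dataclass
class Control:
    ref: str                      # clause number, e.g. "5.7"
    name: str                     # control title
    tags: set[str] = field(default_factory=set)


def parse_control(line: str) -> Control:
    """Parse one spreadsheet-style row: '5.7 Threat intelligence #Preventive ...'.

    Words starting with '#' are attribute values; everything else is the title.
    Unknown attribute values are rejected so a typo cannot silently drop a control
    from a view.
    """
    ref, *rest = line.split()
    name = " ".join(w for w in rest if not w.startswith("#"))
    tags = {w for w in rest if w.startswith("#")}
    unknown = tags - ALL_VALUES
    if unknown:
        raise ValueError(f"{ref}: unknown attribute value(s) {sorted(unknown)}")
    return Control(ref, name, tags)


def view_by_category(controls, category):
    """Annex A-style view: each value in `category` -> refs of controls carrying it."""
    view = defaultdict(list)
    for c in controls:
        for tag in sorted(c.tags & CATEGORIES[category]):
            view[tag].append(c.ref)
    return dict(view)


def filter_controls(controls, *required):
    """Refs of controls that carry every one of the required attribute values (AND)."""
    return [c.ref for c in controls if set(required) <= c.tags]


# Constructed sample rows using four of the new 2022 controls named in the article.
SAMPLE_ROWS = [
    "5.7 Threat intelligence #Preventive #Detective #Corrective #Confidentiality #Integrity #Availability #Identify #Detect #Respond",
    "7.4 Physical security monitoring #Preventive #Detective #Confidentiality #Integrity #Availability #Protect #Detect",
    "8.10 Information deletion #Preventive #Confidentiality #Protect",
    "8.16 Monitoring activities #Detective #Corrective #Confidentiality #Integrity #Availability #Detect #Respond",
]
CONTROLS = [parse_control(r) for r in SAMPLE_ROWS]
```

The same tagged table can drive a Statement of Applicability review: filtering on, say, `#Detective` and `#Respond` gives the subset an incident response audience needs to see.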

Figures (images in the original post): ISO 27002:2022 attributes; example of attributes applied to ISO 27002:2022 Control 5.1; example of attributes applied to ISO 27002:2022 Control 6.3.

The updated ISO 27002:2022 Standard also contains:

  • Annex A – a table to demonstrate the use of attributes as a way of creating different views of the controls.
  • Annex B – a table providing backwards compatibility with the controls in ISO/IEC 27002:2013, showing how the controls in this new version relate to the previous version. It also indicates where the new controls were included.
Expert Tip
Annex B is a good starting point when reviewing the standard to upgrade an existing Information Security Management System against the updated recommendations from ISO 27002:2022.

Will the changes to the ISO 27002 Standard affect my ISO 27001:2013 certification?

It is expected that an updated version of ISO 27001:2013 will be published in 2022. However, it is predicted to only include changes in Annex A (the part of the document that is referenced in ISO 27002:2022) while the main part of ISO 27001 (clauses 4 to 10) will remain the same.

Once the updated version of ISO 27001:2013 is published, a certified organisation must update its Statement of Applicability (SoA). The SoA is a document that shows how you have chosen to implement information security controls (referenced from Annex A) and shows the links between your information security risk assessment and treatment work. It includes justification for inclusion or exclusion of controls. Hence, if looking to update to ISO 27002:2022, organisations must review their existing controls listed in their SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.

How long do I have to update to ISO 27002:2022?

Once a new standard is released, there is typically a three-year transition period for certified organisations to update their management system. As ISO 27002:2022 is considered a supporting standard, this transition deadline will only take effect when the updated version of the ISO 27001:2013 Standard is published.

For now, there’s no need to rush a revision based on the ISO 27002:2022 update, but if you can work with the new controls sooner rather than later, you’ll reduce the compliance burden and enjoy the benefits of implementing controls that should make your Information Security Management System easier to manage. Furthermore, this is an excellent opportunity to update your organisation’s controls to reflect the current state and demands for business Information Security.

Are you still unsure about how the ISO 27002:2022 update will affect your ISO 27001:2013 Management System certification process and ongoing management? Need advice on how to transition to the new requirements? Call us now on 1300 614 897, email us, or book your online FREE strategy session.

About the author

Anthony is the Consulting Manager at ISO Certification Experts. He is a Certified Implementer and Auditor for ISO 27001, ISO 9001, ISO 14001 and ISO 45001.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.