What is ISO 27002?

The purpose of ISO 27002 is to provide organisations with guidance on selecting, implementing and managing information security controls, taking into account the organisation’s information security risk environment and appetite.

What is the Relationship Between ISO 27001 and ISO 27002?

ISO 27001 is an international management system standard which provides organisations with a best practice framework for managing information security and is a standard which organisations can certify to.  

The Standard takes a risk-based approach to information security management and requires organisations to identify their information security risks and select appropriate controls to mitigate them. Those controls are outlined in Annex A of the Standard, with ISO 27002 going one step further and providing guidance on their implementation.

Why was ISO 27002 Updated in February 2022?

The purpose of controls in ISO 27002, and by association controls in Annex A of ISO 27001, is to mitigate against common information security risks.

Naturally, threats will change over time and the changes made in the ISO 27002:2022 Standard (published on 15 February 2022) reflect some of the threats that have emerged since the 2013 version was published, e.g., the increasing range of cyber-related threats and moves towards home and remote working.

It also provided the International Organization for Standardization with the opportunity to restructure the Standard and improve its format and usability.

What are the Key Changes From the 2013 Standard?

There are several key changes in the new iteration of ISO 27002. You can find a breakdown of these below:

The Title

Firstly, ‘Code of Practice’ has been dropped from the title of the updated ISO 27002 Standard. This change reflects the intended use of the 2022 version as a reference set of generic information security controls and guidance.

Its full title is now ‘Information security, cybersecurity and privacy protection — Information security controls’, which reflects a broader context: preventing, detecting and responding to cyberattacks is now considered, as well as protecting data.

Controls

The ISO 27002:2022 update consists of 93 controls rather than the previous 114.

Of the 93 controls:

  • 58 have been updated
  • 24 are the result of merging 57 of the previous controls
  • 11 are new

Themes

The controls are now grouped into 4 ‘themes’ rather than the previous 14 clauses, so that related controls sit in common categories. The themes are:

  • Organisational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

Introduction of Attributes

As well as grouping controls into the 4 themes, another significant change is the introduction of 5 ‘attributes’. These allow you to assign hashtags to controls so that you can filter, sort or present controls in different ways, i.e., by:

  • Control type (e.g., preventive, detective, corrective).
  • Information security properties (confidentiality, integrity, availability).
  • Cybersecurity concepts (following the National Institute of Standards and Technology (NIST) approach: identify, protect, detect, respond, recover).
  • Operational capabilities (e.g., governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, security assurance).
  • Security domains (e.g., governance and ecosystem, protection, defence, resilience).

It is not mandatory to use attributes; however, it is argued that their use will make an organisation’s control categorisation process easier. Attributes can also help organisations and industry bodies apply the Standard in their own context.

When was the ISO 27002:2022 Standard Released?

The new ISO 27002 edition was released on 15 February 2022.

What About ISO 27001?

Whilst the main management system clauses of the ISO 27001 Standard will remain the same, Annex A of the Standard will be amended to include the new ISO 27002:2022 control set. The updated version is expected to be published in Q4 of 2022.

It is important to note that until the new version of ISO 27001 is rolled out, your Statement of Applicability (SoA) must still refer to Annex A of ISO 27001:2013, although it would be good practice to consider the latest and most up-to-date control set.

What are the Next Steps for Organisations Already Certified to ISO 27001?

The main activities to perform are:

  • Purchase the updated Standard.
  • Review the new ISO 27002 Standard and its control changes.
  • Conduct a risk assessment/analysis. URM can assist you with this process.
  • Select the controls most applicable to mitigating any identified risks and update your ISMS policies, standards etc. accordingly.
  • Update your Statement of Applicability (SoA).

ISO 27002:2022 Control Migration Online Course

If you want to learn more about ISO 27002:2022 and how to implement the new controls and attributes, you can attend URM’s ISO 27001:2022 Control Migration Course. There are no prerequisites for attending this course. The course is aimed at anyone who needs to understand the changes to ISO 27002 that will be adopted as Annex A of ISO 27001.

ISO 27001:2022 Transition Online Course

Once the ISO 27001:2022 Standard has been published, URM will be delivering a series of 2-day ISO 27001:2022 Transition online courses. By attending this course, you will gain a detailed insight into the changes to the Standard, both to the mandatory clauses and, more significantly, to Annex A. You will receive practical guidance on exactly how to transition from the control set of ISO 27001:2013 to that of ISO 27001:2022. One of the most noteworthy changes in ISO 27002:2022 is the introduction of 5 attributes, which allow you to assign hashtags to controls so that you can filter, sort or present controls in different ways. URM’s Transition Course will provide you with advice on how to take advantage of the attributes capability and make your information security management system (ISMS) easier to implement and manage.
