ISO/IEC 27002:2022: A High-Level Breakdown of the Update

In the context of the U.K. education system, “revision” is sometimes defined as the act of reviewing material to ensure retention and updating with new information where necessary.

At Schellman, we’re not British students, but we are in information security and so we too know that term well. However, for us it’s less about studying for exams and more about understanding the latest changes to industry standards.

For instance, ISO standards typically go through a systemic review cycle every five to seven years. Back in March 2018, this process was started for ISO 27002. Following that, we’ve had the release of the Draft International Standard (DIS) for ISO 27002 in January 2021. But ever since the review window on those potential updates closed in April 2021, we’ve been waiting.

The wait is now over.

Because on February 15, 2022, the notification came out that the 2022 version of ISO/IEC 27002 (ISO 27002) was going into publication. Not only that, but the new ISO 27002 standard became available on the ISO standards store as of February 15, 2022 as well.

In less than four years, ISO and its dedicated team of experts and members have been able to revise one of the most recognized standards and produce a version that is now ready for consumption. Now having gotten our hands on it, we personally believe it to be a very well-designed standard.

Schellman has been socializing this update with our clients for nearly the last three years since the latest revision cycle started. With this publication, we can now comfortably avoid any assumptions and generalizations and instead start working to ensure that ISO 27002 gets put to use.

We wanted to get ahead of this massive new update and help you understand—at a high level—what exactly is in this new version. In this article, we’ll do exactly that, with more information to come as we learn more.

But read on for a breakdown of the changes within the new, formal ISO 27002: 2022 so that you’re better prepared as the roll out continues.

What is ISO 27002?

Before we get started, let’s recap for a moment to establish exactly what ISO 27002 is.

The International Organization for Standardization (ISO) may publish thousands of standards, but some of those most prevalent in use are their management system standards. If you’re reading this, you likely know which ones we mean—the ISO 9001 standard for quality management is fairly well known, and of course, you have ISO 27001 for information security management.

You know those we mean, because perhaps you’ve become certified against one or both previously, or you’re considering it. If so, you already understand what a labor-intensive process that can be to get through. Which is why, for some of their standards, ISO also publishes accompanying guidance that can aid organizations in initially establishing their ISO direction or to further clarify requirements or control objectives.

That’s what ISO 27002 is—guidance. ISO 27002 is intended for use as a reference when determining and implementing controls for information security risk treatment in an ISO 27001 Information Security Management system (ISMS). It provides best practices and support for those of you designing your ISMS to meet the requirements of the standard based on Annex A (which will also soon be updated within an amended version of ISO 27001).

What is In ISO 27002:2022?

ISO 27001 is very popular, as its comprehensive approach to security can create several advantages for an organization.

 You can imagine then how important this formal update to ISO 27002 is, so let’s get into what it actually says. There are a number of advancements included in the 2022 version of ISO 27002, and those will be vetted in future communications.

Even still, the key updates to know include:

  • The control sets are now organized into four (4) categories or themes as opposed to fourteen (14) control domains. The 4 categories include Organizational, People, Physical, and Technological.
  • The total control count has been reduced—there are 21 less controls in the 2022 version.
  • There was a concentrated effort to avoid control redundancy. 24 controls in the 2022 version included merged controls from the 2013 version.
  • There are now 11 new controls to update the standard to the current information security and cyber security landscape.
  • A “purpose” element has been applied to the controls within the 2022 version, as opposed to the use of a control objective for a group of controls.
  • The concept of “attributes to controls” has been introduced, with the intention of enhancing the risk assessment and treatment approach. This will also allow you to create different views—i.e., different categorizations of controls as seen from a different perspective to the control themes.

That gives us:

  • A total of 93 controls in the 2022 version of 27002:
    • 11 of which are new;
    • 24 controls that were merged from two, three, or more controls from the 2013 version; and
    • 58 controls from the 2013 version that were reviewed and revised to better align with the current information security and cyber security environment.

Additionally, the 2022 version of ISO 27002 includes two very useful annexes:

  • Annex A, which includes guidance for the application of attributes, and
  • Annex B, which corresponds with ISO/IEC 27001:2013.

As you have likely grown familiar with the 2013 version of this standard over the last eight years, both of these annexes can help you bridge your understanding to this new one while also further clarifying the new application of controls from the 2022 version.

Next Steps for ISO 27002:2022

Now that it’s finally here and we’ve reviewed it, we at Schellman want to acknowledge the tremendous effort that was clearly put in by ISO, the committees, experts, and members. The new ISO 27002:2022 represents a comprehensive standard and another job well done by all involved.

And while this latest and greatest publication will surely help those already utilizing ISO 27002 as well as those seeking an information security, cyber security, and privacy protection control framework, we understand you may still have questions. Check out our ongoing series of content detailing different facets of this new standard:

Afterward, if you’re still wondering about how this new update will play into your own ISO process, or even if you have any other lingering concerns regarding certification, please reach out to us. We’d love to set up a conversation that would put all your anxieties regarding ISO to rest.

About the Author

Ryan Mackie

Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

More Content by Ryan Mackie
Previous Article
How to Prepare for ISO/IEC 27001:2022
How to Prepare for ISO/IEC 27001:2022

Now that ISO/IEC 27001:2022 has been released along with further guidance in IAF MD 26 Issue 2, learn about...

Next Article
What is the ISO 27001 Certification Process?
What is the ISO 27001 Certification Process?

Considering ISO 27001 certification? We break down the phases to this cyclical process so that you know wha...