Extreme makeover – ISO/IEC 27002:2022 Edition

ISO/IEC 27002 has been updated in 2022. So, what’s changed?

This international standard of generic information security controls is widely used across the information security community as a benchmark for implementing good security practices, and has been largely unchanged since 2013. However, earlier this year the updated standard has had more than a facelift – it’s had a full makeover. Fundamentally there are three main changes, which I’ll go into.

  1. The title has been altered.
  2. The structure has been changed, and now groups 93 controls under four main themes (instead of 114 controls across 14 sections) which are broken down into security attributes.
  3. Some controls have been merged, some deleted and several new controls have been introduced.

1. What’s in a name?

From:    Information technology — Security techniques — Code of practice for information security controls

To:         Information security, cybersecurity and privacy protection — Information security controls

As those of us in the industry know, information security is not just about information technology, and it is great to see the new standard’s name reflecting this. Another important update is the inclusion of cybersecurity and privacy aspects alongside information security when considering security controls to help mitigate these potential risks.

2. How have the themes and attributes been applied?

Each of the 93 controls have been assigned to one of four themes – Organizational, People, Physical or Technological.

Within each theme, the controls in the standard now have more detail about exactly what type of control it is and how it is preserving the characteristic, concept, capability, and domain of information. Confused? Check out the table below which sets out the options available under each theme and attribute to help illustrate this.

27002 controls and themes

As an organisation you don’t have to use all these attributes, they are just there to help your business identify – and even come up with – attributes which are the most useful for your business context.

3. Something old and something new

As you will have already guessed, the reduced number of controls from 114 to 93 will mean that there have been changes to what these controls cover, with some controls being merged, some deleted, and some new ones created.

To help us all get our heads around this, the mapping of ISO/IEC 27002:2013 to 27002:2022 is provided in Annex B of the updated standard, so there is no guesswork required. Phew.

So what does this mean for a certified organisation/service/auditor?

The existing ISO/IEC 27001 standard – which can be certified against – currently has a set of recommended controls in Annex A, which are from ISO/IEC 27002. The updated 27002 standard will therefore need to be carried over to Annex A of the 27001 standard at some point. At the moment, 27001 is being amended, and is unlikely to be published before May 2022.

And what about organisations – or certified auditors – that are certified against the ISO/IEC 27001 standard? You won’t need to recertify to an amended version right now, however stay tuned for more information as we await clarification for a timeline of when changes to the amended standard will take effect.

* Described in ISO/IEC  TS 27110.

And as always, if you have any questions about ISO certification or cybersecurity in general, feel free to drop us a line.