
ISO/IEC 27002:2022: Understanding the Update

Published 02/23/2022


A version of this blog was originally published here.

Written by Ryan Mackie, Schellman & Company, LLC.

On February 15, 2022, the notification came out that the 2022 version of ISO/IEC 27002 (ISO 27002) was going into publication.

ISO standards typically go through a systemic review cycle every five to seven years. In March 2018, this process was started for ISO 27002. Nearly three years later came the release of the Draft International Standard (DIS) for ISO 27002 in January 2021. The review window on those potential updates closed in April 2021, and now the new standard is complete.

As of February 15, 2022, the new ISO 27002 standard became available on the ISO standards store.

In less than four years, ISO and its dedicated team of experts and members have been able to revise one of the most recognized standards and produce a version that is now ready for consumption.

The question now becomes, what changed? What can organizations expect as the transition to this new version begins?

What Are the Changes In ISO 27002:2022?

What follows is a high-level breakdown of this update to answer said questions.

While there are a number of advancements included in the 2022 version of ISO 27002 that will be vetted in future communications, the key elements to understand include:

  • Categories vs. Domains: The control sets are now organized into four (4) categories or themes as opposed to fourteen (14) control domains. The 4 categories include Organizational, People, Physical, and Technological.
  • Fewer Controls: There are 21 fewer controls in the 2022 version.
  • Less Control Redundancy: 24 controls in the 2022 version are merges of controls from the 2013 version.
  • New Controls: 11 new controls bring the standard up to date with the current information security and cyber security landscape.
  • The “Purpose” Element: Rather than using a single control objective for a group of controls, each control in the 2022 version now carries its own purpose element.
  • “Attributes to Controls”: The intention is to enhance the risk assessment and treatment approach by allowing organizations to create different views, i.e., different categorizations of the controls seen from a perspective other than the four control themes.

To summarize, there are a total of 93 controls in the 2022 version of 27002:

  • 11 are new.
  • 24 controls were merged from two, three, or more controls from the 2013 version.
  • 58 controls from the 2013 version were reviewed and revised to better align with the current information security and cyber security environment.

The 2022 version of ISO 27002 also includes two very useful annexes. There is Annex A, which includes guidance for the application of attributes, as well as Annex B, which corresponds with ISO/IEC 27001:2013.

Both appear to be useful in helping bridge the gap between versions of this standard. They also further clarify the new application of controls from the 2022 version.

ISO 27002:2022 Moving Forward

The new ISO 27002:2022 represents a comprehensive standard, the creation of which clearly required tremendous effort by ISO, the committees, experts, and members.

This latest update will surely help those already utilizing ISO 27002 as well as those seeking an information security, cyber security, and privacy protection control framework. Now that the update has been formally published, the next step will be establishing a timeline for the transition to this new version, as well as the corresponding updates to ISO 27001.

In the meantime, organizations interested or affected can continue to dissect the details within ISO 27002:2022 so that their understanding is as thorough as possible for when their latest certification phase begins under these new requirements.
