Everything to Know About the ISO 27002: 2022 Updates

Sekuro has an extensive and proven track record in establishing and operating useful (i.e. non-shelfware) Information Security Management Systems (ISMS) certified to the internationally recognised ISO 27001:2013 standard. All our ISMSs are tailored to each client's requirements, constraints and maturity level.

ISO 27002:2022 was published on 15 February 2022, and ISO 27001:2022 is on its way. This article discusses the changes within the 2022 versions of these two standards.

Summary of changes between ISO 27001: 2013 and 27001: 2022

    • ISO 27001:2013 Clauses 4 to 10 remain the same, with minor wording updates for clarification.
    • The security controls in Annex A have been updated; the number of controls decreased from 114 to 93.
    • Controls are now grouped in 4 main domains (instead of the previous 14) and carry attributes (for example control type and cybersecurity concept) that make them easier to filter and reference.
    • 11 new controls have been introduced. No control was deleted; many controls were merged, which is what reduced the overall number. The 11 new controls are:
    1. Physical security monitoring
    2. Threat intelligence
    3. Configuration management
    4. Information deletion
    5. Data masking
    6. Data leakage prevention
    7. Monitoring activities
    8. Information security for use of cloud services
    9. Web filtering
    10. Secure coding
    11. ICT readiness for business continuity

Schedules of Changes:

ISO 27002 Revision:

The revision to ISO 27002 Information Security, Cyber Security and Privacy Protection – Information Security Controls, which contains the security control guidance referred to in ISO 27001 Annex A, was published on 15 February 2022.

ISO 27001 Amendment:

An amendment to ISO 27001, the main standard against which companies are certified and which stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022. The exact date has not been announced yet. A draft amendment replacing the Annex A controls with those of ISO 27002:2022 was made available in February 2022. The amendment to ISO 27001 should be a formality, as the same content has already been approved through the publication of ISO 27002.

ISO 27001/27002 Major Revision Update:​

ISO/IEC 27001 was last revised in 2013 to comply with Annex L (a.k.a. Annex SL), a structure common to all recent management system standards which allows better synergies when implementing more than one management system (e.g. QMS+ISMS+EMS, as is often seen). The Annex L structure has been widely adopted, which could explain why the focus of the 2022 version is not on the ISO 27001 clauses but rather on Annex A and the associated ISO 27002.

ISO 27002 still carried forward a lot of controls from the 2005 revision, but it has now received a much-needed uplift to fulfil its role as the implementation guide for the ISO 27001 Annex A controls. This was particularly important because both the way we handle information and the pace of that change have shifted quickly in the 8 years since the standard was last reviewed.

Impact Of ISO 27001 Revision:​

  • The re-organisation of Annex A controls may look like a formality to some, but it will change the way organisations that made “hard links” to the previous 14 domain areas look at their controls. The change makes future evolutions easier, with 93 controls divided into 4 sections and the legacy domains no longer a source of contention.
  • The Statement of Applicability (SoA) and the common control framework mappings (for the more mature organisations which do have a Common Control Framework, known as a CCF) will need to be updated to address the additions and updates and to remove some of the legacy domains.
  • The addition of new controls and the updating and merging of existing ones reflect current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding and Data Loss Protection (DLP).
  • ISO 27002 makes very few references to the term “Information Assets”, which was the commonly adopted term for all types of assets holding value (i.e. assets which must be protected). Instead, it uses the concept of primary assets and supporting assets and often refers to associated assets. As passionate GRC professionals we can understand this departure from the term “Information Asset”, but we also expect a lot of confusion over it. The many organisations which used the term “Information Assets” in their governance framework will need to consider how it affects them should they choose to change.

The often-misused-and-misunderstood Inventory and Ownership of Assets clauses (formerly A.8.1.1 and A.8.1.2) have been updated to in effect mandate an inventory of “information and associated assets”, which means that organisations that have not yet done a data flow or data mapping exercise should consider it as soon as practical. Although many organisations have done a data mapping exercise through their privacy compliance work, that mapping may have been limited to PII and may not meet the intent of Control 5.9 “Inventory of information and other associated assets”.

Speak to us today if you think you may have exposure there.

Adoption Timeline:

  • Despite the changes set out in the ISO 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as is the norm with any ISO standard. This period only starts once ISO 27001 is officially updated and published.
  • Companies can nonetheless leverage the published ISO 27002 standard and proactively adopt the new controls.

ISO 27002: 2022 Control Structure​

Here is what changed in ISO 27002:2022 / ISO 27001 Annex A:

    • 35 controls remained the same, with a change of control number and realignment to the 4 sections;
    • 11 new controls were added;
    • 23 controls were renamed to make them easier to understand;
    • Even though the number of controls has been reduced (from 114 to 93), no controls were excluded;
    • 57 controls were merged into 24 controls;
    • Only one control was split: Control A.18.2.3 Technical compliance review was split into:
      • 5.36 – Compliance with policies, rules and standards for information security;
      • 8.8 – Management of technical vulnerabilities.

The following lists present the four new ISO 27001 Annex A control sections (with the total number of controls in each), with the most significant control additions or updates marked (new) or (updated).

Organisational Controls (37 controls):

    • Policies for information security
    • Segregation of duties
    • Management responsibilities
    • Contact with authorities
    • Contact with special interest groups
    • Threat intelligence (new)
    • Information security in project management
    • Inventory of information and other associated assets
    • Acceptable use of information and other associated assets
    • Return of assets
    • Classification of information
    • Labelling of information
    • Information transfer
    • Access control
    • Identity management
    • Authentication information
    • Access rights
    • Information security in supplier relationships
    • Addressing information security within supplier agreements
    • Managing information security in the ICT supply chain
    • Monitoring, review and change management of supplier services
    • Information security for use of cloud services (new)
    • Information security incident management planning and preparation
    • Assessment and decision on information security events
    • Response to information security incidents
    • Learning from information security incidents
    • Collection of evidence
    • Information security during disruption
    • ICT readiness for business continuity (new)
    • Legal, statutory, regulatory and contractual requirements
    • Intellectual property rights
    • Protection of records
    • Privacy and protection of PII
    • Independent review of information security
    • Compliance with policies, rules and standards for information security
    • Documented operating procedures

People Controls (8 controls):

    • Screening
    • Information security awareness, education and training
    • Disciplinary process
    • Responsibilities after termination or change of employment
    • Confidentiality or non-disclosure agreements
    • Remote working
    • Information security event reporting

Physical Controls (14 controls):

    • Physical security perimeters
    • Securing offices, rooms and facilities
    • Physical security monitoring (new)
    • Protecting against physical and environmental threats
    • Working in secure areas
    • Clear desk and clear screen
    • Equipment siting and protection
    • Security of assets off-premises
    • Storage media
    • Supporting utilities
    • Cabling security
    • Equipment maintenance
    • Secure disposal or re-use of equipment

Technological Controls (34 controls):

    • User endpoint devices (updated)
    • Information access restriction
    • Access to source code
    • Secure authentication
    • Capacity management
    • Protection against malware
    • Management of technical vulnerabilities
    • Configuration management (new)
    • Information deletion (new)
    • Data masking (new)
    • Data leakage prevention (new)
    • Information backup
    • Redundancy of information processing facilities
    • Logging
    • Monitoring activities (new)
    • Clock synchronisation
    • Use of privileged utility programs
    • Installation of software on operational systems
    • Networks security
    • Security of network services
    • Segregation of networks
    • Web filtering (new)
    • Use of cryptography
    • Secure development life cycle
    • Application security requirements
    • Secure system architecture and engineering principles
    • Secure coding (new)
    • Security testing in development and acceptance
    • Outsourced development
    • Separation of development, test and production environments
    • Change management
    • Test information
    • Protection of information systems during audit testing

Next Steps:

The following steps should be taken to align with the revised version:

  1. Companies should review their risk register and the applied risk treatments to ensure alignment with the revised standard
  2. Update the Statement of Applicability (SoA) to align with the updated Annex A
  3. Review and update your documentation, including policies and procedures to meet the new controls
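Step 2 is where most of the mechanical work sits, because merged and split controls do not map one-to-one onto the 2013 Annex A. The following Python script is an added example, not Sekuro's tooling and not part of the standard: it migrates a 2013-style SoA to the 2022 identifiers, copies a split control's row to each of its targets, unions the applicability of merged controls while flagging any disagreement between the sources (the case that silently produces a wrong SoA if done by hand), and adds the 11 new controls as rows awaiting a decision. The mapping dictionary is a constructed subset covering only the merges and the split discussed in this article, and the sample SoA is constructed data; a real migration should use the full correspondence table in Annex B of ISO/IEC 27002:2022.

```python
"""Migrate a 2013-style Statement of Applicability (SoA) to the ISO 27002:2022 control set.

Added example, not Sekuro's tooling. MAPPING_2013_TO_2022 is a constructed
subset of the 2013 -> 2022 correspondence; a real migration uses the full
table in Annex B of ISO/IEC 27002:2022. SAMPLE_SOA_2013 is constructed data.
"""
from dataclasses import dataclass, field

# Constructed subset of the correspondence (assumption: not the full Annex B table).
MAPPING_2013_TO_2022 = {
    "A.5.1.1": ["5.1"],            # Policies for information security (merged into 5.1)
    "A.5.1.2": ["5.1"],            # Review of the policies (merged into 5.1)
    "A.8.1.1": ["5.9"],            # Inventory of assets (merged into 5.9)
    "A.8.1.2": ["5.9"],            # Ownership of assets (merged into 5.9)
    "A.12.6.1": ["8.8"],           # Management of technical vulnerabilities
    "A.18.2.3": ["5.36", "8.8"],   # Technical compliance review: the one split
}

# The 11 new 2022 controls with their 2022 identifiers.
NEW_2022_CONTROLS = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}

# Constructed sample SoA: 2013 control id -> (applicable?, justification).
SAMPLE_SOA_2013 = {
    "A.5.1.1": (True, "Policy set approved by the board"),
    "A.5.1.2": (True, "Policies reviewed annually"),
    "A.8.1.1": (True, "Asset register maintained in the CMDB"),
    "A.8.1.2": (False, "No named asset owners yet"),        # disagrees with A.8.1.1
    "A.12.6.1": (True, "Monthly authenticated vulnerability scans"),
    "A.18.2.3": (True, "Quarterly configuration compliance checks"),
    "A.6.1.1": (True, "Roles defined in the ISMS manual"),  # real 2013 control, absent from the subset mapping
}


@dataclass
class SoaRow:
    control_id: str
    applicable: bool
    justification: str
    sources: list = field(default_factory=list)  # 2013 controls this row was built from
    needs_review: bool = False                   # merged sources disagreed, or the control is new


def migrate_soa(soa_2013, mapping, new_controls):
    """Build 2022 SoA rows from 2013 rows.

    Merged controls: applicable if any source was applicable; a disagreement
    between sources is flagged rather than silently resolved.
    Split controls: the source row is copied to every target.
    New controls: added as not-yet-assessed rows that need a decision.
    Returns (rows_2022, unmapped_2013_ids).
    """
    rows = {}
    unmapped = []
    for old_id, (applicable, justification) in soa_2013.items():
        targets = mapping.get(old_id)
        if targets is None:
            unmapped.append(old_id)
            continue
        for new_id in targets:
            row = rows.get(new_id)
            if row is None:
                rows[new_id] = SoaRow(new_id, applicable, justification, [old_id])
                continue
            if row.applicable != applicable:
                row.needs_review = True
            row.applicable = row.applicable or applicable
            row.justification += "; " + justification
            row.sources.append(old_id)
    for new_id, title in new_controls.items():
        if new_id not in rows:
            rows[new_id] = SoaRow(new_id, False,
                                  f"New control ({title}): applicability not yet assessed",
                                  [], True)
    return rows, unmapped


def review_queue(rows, unmapped):
    """Control ids a GRC reviewer must look at before the SoA is signed off."""
    flagged = sorted(cid for cid, row in rows.items() if row.needs_review)
    return flagged, sorted(unmapped)


def run_sample():
    return migrate_soa(SAMPLE_SOA_2013, MAPPING_2013_TO_2022, NEW_2022_CONTROLS)


if __name__ == "__main__":
    rows, unmapped = run_sample()
    for cid in sorted(rows):
        r = rows[cid]
        print(f"{cid:>5}  applicable={r.applicable!s:5}  review={r.needs_review!s:5}  from={r.sources}")
    print("unmapped 2013 controls:", unmapped)
```

In the sample, 5.9 is flagged because A.8.1.1 was applicable and A.8.1.2 was not, which is exactly the situation the asset inventory discussion above warns about; A.6.1.1 lands in the unmapped list because the constructed mapping does not cover it, and a complete run against the Annex B table should leave that list empty.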

The transition period to the new standard will provide a new set of best practices to choose from, as well as a new set of attributes that make control selection more effective and efficient. The intent of the standard remains the same: you still need to use a risk-based approach to select only the controls appropriate to your organisation.

Frequently Asked Questions (FAQ)​

We are in early stages of our ISO 27001 establishment journey.
Should we wait for the new ISO 27001 to be published to get certified?

No. The clauses of ISO 27001 will remain the same, which means the way you build and operate an ISMS remains the same. We have already started using the 2022 controls in our SoAs, mapped to the legacy controls of ISO 27001:2013 Annex A, in anticipation of the transition period. Remember that certification to ISO 27001 is the engine of your security maturity journey, not its destination. For that reason alone, we do not recommend delaying your certification project.

We want to start ISO 27001 establishment. Should we use the new set of controls or the old ones?

ISO 27001:2022 will be published later in 2022. In the meantime, organisations can use the existing standard and the controls within it. We prefer to add the new 2022 controls to our clients' SoAs as a good practice and future-proofing mechanism, but this is not yet required.

As mentioned in this article, the changes have minimal impact and there will be enough time (3 years from the date of the ISO 27001:2022 release) to transition to the new standard as well as to update the documentation to the new controls. The transition effort remains minor thus far.

How will ISO 27002:2022 and ISO 27001:2022 impact my current certification to ISO 27001:2013?

ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications and the accreditation bodies will work with the certification bodies on a transition cycle which gives organisations holding an ISO 27001 certificate ample time to transition from one version to another.

How much time do I need to align my ISMS to the 2022 version of the standard?

As the new ISO 27001:2022 will be released later in 2022 and a specific date is not published yet, you will likely have at least a year to officially update to the new controls from ISO 27002:2022. As mentioned before, you can be proactive and adopt the new structure and controls earlier. Nonetheless, you will have enough time to transition.

Will the certification body check the changes in our ISMS and the documentation?

Yes, if your company is already certified, your certification body will conduct the necessary check on your ISMS and the documentation during the transition period. This transition will occur during your regular surveillance audits and a separate audit schedule is not required.

Will Sekuro help us transition to the new revision of ISO 27001?

Sekuro is an ISO 27001 and ISO 9001 certified organisation providing end-to-end cyber security services and solutions. We have a proven track record of establishing, certifying and maintaining ISMSs for organisations of all sizes and from various industry verticals. Sekuro can help organisations transition in many ways. Some examples include:

  1. Update your current SoA to align with the new standard structure;
  2. Ascertain control applicability, keeping your scope in perspective across the new, enhanced and merged controls;
  3. Prepare and update your Common Control Framework (CCF) – if you have one – to ensure the new controls and structure are well integrated and aligned in the CCF, as well as enable you to efficiently meet them;
  4. Conduct a review across the risk and action registers as well as the risk treatments to ensure alignment to the new 2022 updates;
  5. Prepare and update your documentation to meet the new standard based on its applicability to your organisation;
  6. Assist end-to-end with remediation activities including documentation and technology solutions, where required, to continually enhance your security profile.

Author:

Prashant Haldankar

Prashant Haldankar is the Co-founder and Chief Information Security Officer (CISO) at Sekuro, a global cyber security and digital transformation company headquartered in Sydney, providing end-to-end cybersecurity and resiliency services and solutions. Prashant leads the business resilience function globally and has extensive experience establishing and maintaining cyber security visions, strategies and information asset protection frameworks for enterprises.
