Adapting policies to reflect the new guidance in ISO27002:2022

Steve Macmillan

The release of a new version of the 27002 standard by ISO has introduced a number of changes from its predecessor, the 2013 version, as covered in our August and September newsletters. On 16th November, Protocol Policy Systems will make a new mapping option for the ISO27002:2022 version available to existing and new customers of IT Policy Management as a Service.

To prepare for the introduction of the new mapping, a panel of four people was engaged for a six-week period to review the contents of the new standard, understand the structural changes ISO has applied to its guidance, and determine the impact on the existing best practice statements across all of our policy content.

A restructuring of the standard by ISO sees 57 of the original 2013 version controls merged into 24 controls, 11 new controls introduced, and the overall number of controls in the new version reduced from 114 to 93. This has also resulted in changes to the numbering system ISO applies in the 2022 release.


View a table of the 93 controls in their group structure.


We asked two of the panel members, Ed Vella and Jon Flatley, some questions regarding the changes introduced by ISO and their impact.

At a high level what are the main changes to be aware of?

“The introduction of the 11 new controls comes with over 170 different areas of implementation guidance. The panel reviewed all the existing best practice statements currently used to build customer policies in the IT policy management software to confirm their ongoing suitability. Thereafter we drafted and added an additional 61 new best practice statements to our statement library and edited 14 existing statements, which will be applicable to any organisation wishing to be aligned with the new version of the standard”.

Some of the newly introduced controls cover Threat Intelligence and information security considerations for using Cloud services – what can you tell us about these inclusions?

“In the case of Threat Intelligence we were required to draft a number of new technically focussed best practice statements with supporting explanations and audit requirements. The statements cover aspects such as establishing processes and documenting categories to ensure appropriate information is collected, determining the quality of the intelligence being gathered, and then communicating and using that intelligence for decision making”.

“For the new cloud controls content within ISO27002:2022 we had an existing library of relevant best practice statements that we could work with as we had previously created policy statements covering cloud services usage and an existing mapping to the ISO27017 standard. This meant that upon completing our review of this content we were only required to create 7 new statements for managers and technical users and modify 8 existing statements”.

What initial steps should a customer take if they are to ultimately align with the new version of 27002?

“The work the panel completed means PPS can help customers quickly identify what has changed in the new version of 27002 and provide all the resulting new best practice statement details they need to consider. Also, each new best practice statement we have created comes with additional explanation content, audit and compliance details”.

How will PPS help existing customers manage their transition?

“For the next 12 months we will provide mapping support in IT Policy Management as a Service for both the 2013 and 2022 versions of the standard, so customers can engage with stakeholders regarding all of the changes. Once the stakeholder engagement phase has concluded PPS will be able to assist customers with policy content adjustments and alignment with the 2022 version”.

Contact us to discuss how we make developing, delivering and maintaining IT policies aligned with the new version of ISO27002 easy.


Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233