ISO 27002: All you need to know about the 2022 update

Nine years on from the last revision, there’s a new version of information security standard ISO 27002. What’s changed, and what does it mean for your company?

ISO 27002 is an internationally recognised security standard that sets out security controls to be used in implementing and maintaining an information security management system (ISMS). This is a system for safeguarding all of your company’s valuable information assets – from IT and digital material to paper documents, physical assets and intellectual property in general. Everything, in short, that’s worth keeping secure.

ISO 27001 is well known as the standard that provides the requirements for an ISMS. In short, ISO 27001 is designed to build the foundations of information security in your organisation and devise its framework, while ISO 27002 is designed to implement the controls to achieve the objectives of your ISMS.

Businesses can choose to be certified to ISO 27001; the many benefits of certification include securing more business, gaining clients’ trust, boosting your company’ culture and reputation, improving working practices, and more. (While certification is normally voluntary, it is increasingly becoming an expectation in third-party contracts.)

What’s new in the updated 27002?

First, let’s look at the previous version. Originally published in 2005, ISO 27002 was updated in 2013 with new controls added to cover emerging risks, such as identity theft and other online vulnerabilities. The 2013 version comprised five introductory chapters setting out scope, definitions and structure; then followed the 114 controls grouped across 14 chapters (corresponding to the groups listed in 27001).

The February 2022 version contains an introduction and eight clauses, plus two annexes. The first four clauses cover the basics of terms, definitions, structure, etc., and clauses 5–8 list four groups of controls: Organisational, People, Physical, and Technological. Annex A is a guide to using attributes (see below for details), and Annex B explains the standard’s correspondence with 27001:2013.

There are three substantial changes in the 2022 update:

1) The title of the standard has changed, from ‘Information technology – Security techniques – Code of practice for information security controls’ to ‘Information security, cybersecurity and privacy protection – Information security controls’. This signifies a key shift from a code of practice to a more reference-style set of controls.

2) There are now 93 controls, down from 114. None have been dropped; rather, there’s been a wholesale rearranging and remapping, and in fact there are 11 new controls among the 93, with titles such as ‘Threat intelligence’, ‘Configuration management’, ‘Information deletion’ and ‘Secure coding’.

3) The controls are now structured across themes and attributes. The themes replace the clauses of old, and they match the control groupings listed in clauses 5–8. The attributes, listed below, are five subsets attached to each control, and each attribute can be further classified by type (see brackets):

• Control type (preventive, detective, corrective)
• Information security properties (confidentiality, integrity, availability)
• Cybersecurity concepts (identify, protect, detect, respond, recover)
• Operational capabilities (governance, asset management, etc.)
• Security domains (governance and ecosystem, protection, defence, resilience)

What’s worth noting here is that these attributes are provided for guidance only; applying them to your ISMS is not mandatory, and you may well come up with different attributes that are more specific to your needs.

View a table of the 93 controls in their group structure.

Are the changes beneficial, and will they affect 27001 certification?

The revisions to 27002 are nothing but beneficial. First, the revised and augmented list of controls reflects an up-to-date understanding of the modern security landscape. Second, the additional layer of attributes (and their sub-types) will help your information security managers add granular detail to the ISMS and fine-tune your systems so they best address your business’s risk profile. In addition, Annex B of 27002 makes it easy to compare the new control set with 27001:2013.

If you are planning to get certified to 27001, none of the changes to 27002 is likely to obstruct your path.

In our next post on this topic, we will go into more detail on the 11 new controls introduced in the updated ISO 27002.

Find out more

Speak to our team about your best practice in IT policy content.