The New ISO 27002:2022 - What You Need to Know
If you own a cell phone, you likely know that Apple releases a new version of the iPhone virtually every year. But sometimes, the versions look so similar you wonder what the difference is between models and you have to go digging into the specs of each before you fork over your hard-earned dollars.
When it comes to the latest update to ISO 27002, you don’t have to wonder in the same way—the differences between the 2013 iteration we’ve long become used to and the new 2022 version are stark. But that doesn’t mean you don’t also need to examine the details—in fact, if you’re seeking to stay in compliance with ISO 27001, you must.
But as an ISO Certification Body, we’re here to help, having stayed cognizant of what is the biggest update to these standards in years. In this article, we’ll explain what we have already explained at speaking events around the country: the differences between the 2013 version of ISO 27002 and the 2022 version, including an extensive look at the control sets as well as the terminology.
The transition period is already underway, so help yourself simplify the changeover and your work to adjust to the new standard by reading on.
ISO 27002:2013 Controls vs. ISO 27002:2022 Controls
Of course, the biggest concern for your switch to ISO 27002:2022 will be regarding the control set and requirements. If you’re already certified against ISO 27001, maintaining the certification will mean complying with this new control set in the future, so what’s in it?
ISO 27002 Themes
The control set as we know it is organized into 14 domains (ISO/IEC 27002:2013, A.5-A.18):
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
In an attempt to modernize the control set, the new version condensed these domains into just 4 control categories, also known as themes, and these can be found in 4 separate clauses:
- Clause 5 – Organizational (controls that involve anything else)
- Clause 6 – People (controls that concern individuals)
- Clause 7 – Physical (controls that concern physical objects)
- Clause 8 – Technological (controls that concern technology)
ISO 27002 Control Set
As part of this modernization, 57 controls from 27002:2013 were merged and consolidated into just 24 for simplification purposes. 11 brand new controls were also introduced in the new standard.
Where that all leaves us is here: the old version featured 114 total controls, but ISO 27002:2022 now features only 93, a net reduction of 21 controls intended to remove outdated references and help organizations better understand this reconstructed set. 75% of these controls are within the aforementioned Organizational and Technological themes.
The nice thing is that all controls from the 2013 version are mapped to the 2022 control set—in fact, 58 controls are roughly one-for-one from the 2013 version to the 2022 version (though the updates were made to control context).
What’s in the ISO 27002 Control Set?
Here’s a high-level look at the 27002:2022 controls and what they were consolidated from in 27002:2013:
| New ISO 27002:2022 Control | Old ISO 27002:2013 Controls |
|---|---|
| 5.1 Policies for information security | 5.1.1, 5.1.2 |
| 5.8 Information security in project management | 6.1.5, 14.1.1 |
| 5.9 Inventory of information and other associated assets | 8.1.1, 8.1.2 |
| 5.10 Acceptable use of information and other associated assets | 8.1.3, 8.2.3 |
| 5.14 Information transfer | 13.2.1, 13.2.2, 13.2.3 |
| 5.15 Access control | 9.1.1, 9.1.2 |
| 5.17 Authentication information | 9.2.4, 9.3.1, 9.4.3 |
| 5.18 Access rights | 9.2.2, 9.2.5, 9.2.6 |
| 5.22 Monitoring, review and change management of supplier services | 15.2.1, 15.2.2 |
| 5.29 Information security during disruption | 17.1.1, 17.1.2, 17.1.3 |
| 5.31 Identification of legal, statutory, regulatory and contractual requirements | 18.1.1, 18.1.5 |
| 5.36 Compliance with policies and standards for information security | 18.2.2, 18.2.3 |
| 6.8 Information security event reporting | 16.1.2, 16.1.3 |
| 7.2 Physical entry controls | 11.1.2, 11.1.6 |
| 7.10 Storage media | 8.3.1, 8.3.2, 8.3.3, 11.2.5 |
| 8.1 User endpoint devices | 6.2.1, 11.2.8 |
| 8.8 Management of technical vulnerabilities | 12.6.1, 18.2.3 |
| 8.15 Logging | 12.4.1, 12.4.2, 12.4.3 |
| 8.19 Installation of software on operational systems | 12.5.1, 12.6.2 |
| 8.24 Use of cryptography | 10.1.1, 10.1.2 |
| 8.26 Application security requirements | 14.1.2, 14.1.3 |
| 8.29 Security testing in development and acceptance | 14.2.8, 14.2.9 |
| 8.31 Separation of development, test and production environments | 12.1.4, 14.2.6 |
| 8.32 Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4 |
And here are the 11 brand-new controls in the new version of the standard:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
(Note: These tables do not contain all 93 controls in ISO 27002:2022. You can also find more mapping details in Tables B.1 and B.2 in Annex B of ISO 27002:2022.)
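One practical use of the mapping table above is translating a 2013-era Statement of Applicability into the 2022 control set during the transition. The following Python is an added example written for this article, not code from Schellman or from ISO; it encodes the table exactly as printed above (so it is only the partial mapping the note describes, not all of Annex B), inverts it into an old-to-new index, and flags two things a practitioner wants to see: 2013 controls that now map to more than one 2022 control (18.2.3 is one, feeding both 5.36 and 8.8) and 2013 controls that this partial table does not cover.

```python
# Added example (not from the article): invert the new->old mapping table
# reproduced above so a 2013 Statement of Applicability can be translated.
from collections import defaultdict

# Subset of the mapping table above: 2022 control id -> 2013 control ids.
# Only the rows printed in the article are included; see Annex B for the rest.
NEW_TO_OLD = {
    "5.1": ["5.1.1", "5.1.2"],
    "5.8": ["6.1.5", "14.1.1"],
    "5.9": ["8.1.1", "8.1.2"],
    "5.10": ["8.1.3", "8.2.3"],
    "5.14": ["13.2.1", "13.2.2", "13.2.3"],
    "5.15": ["9.1.1", "9.1.2"],
    "5.17": ["9.2.4", "9.3.1", "9.4.3"],
    "5.18": ["9.2.2", "9.2.5", "9.2.6"],
    "5.22": ["15.2.1", "15.2.2"],
    "5.29": ["17.1.1", "17.1.2", "17.1.3"],
    "5.31": ["18.1.1", "18.1.5"],
    "5.36": ["18.2.2", "18.2.3"],
    "6.8": ["16.1.2", "16.1.3"],
    "7.2": ["11.1.2", "11.1.6"],
    "7.10": ["8.3.1", "8.3.2", "8.3.3", "11.2.5"],
    "8.1": ["6.2.1", "11.2.8"],
    "8.8": ["12.6.1", "18.2.3"],
    "8.15": ["12.4.1", "12.4.2", "12.4.3"],
    "8.19": ["12.5.1", "12.6.2"],
    "8.24": ["10.1.1", "10.1.2"],
    "8.26": ["14.1.2", "14.1.3"],
    "8.29": ["14.2.8", "14.2.9"],
    "8.31": ["12.1.4", "14.2.6"],
    "8.32": ["12.1.2", "14.2.2", "14.2.3", "14.2.4"],
}


def control_key(control_id):
    """Sort key so that '8.8' sorts before '8.15' (numeric, not lexical)."""
    return tuple(int(part) for part in control_id.split("."))


def old_to_new(mapping=NEW_TO_OLD):
    """Invert new->old into old -> sorted list of 2022 control ids."""
    inverted = defaultdict(list)
    for new_id, old_ids in mapping.items():
        for old_id in old_ids:
            inverted[old_id].append(new_id)
    return {old: sorted(news, key=control_key) for old, news in inverted.items()}


def translate_soa(applicable_2013, mapping=NEW_TO_OLD):
    """Translate a list of applicable 2013 control ids to the 2022 set.

    Returns (new_controls, unmapped, split):
      new_controls - sorted 2022 control ids to review
      unmapped     - 2013 ids absent from this (partial) table; check Annex B
      split        - 2013 ids whose content now lives in several 2022 controls
    """
    index = old_to_new(mapping)
    new_controls, unmapped, split = set(), [], {}
    for old_id in applicable_2013:
        targets = index.get(old_id)
        if not targets:
            unmapped.append(old_id)
            continue
        new_controls.update(targets)
        if len(targets) > 1:
            split[old_id] = targets
    return sorted(new_controls, key=control_key), unmapped, split


if __name__ == "__main__":
    # Constructed sample SoA: two logging controls, the compliance-review
    # control, and an id that is not in the table.
    sample_soa = ["12.4.1", "12.4.2", "18.2.3", "9.9.9"]
    print(translate_soa(sample_soa))
```

Because the table is partial, an "unmapped" result means "not covered by this excerpt", not "dropped from the standard"; the full mapping in Annex B, Tables B.1 and B.2, is the authority for those ids.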
ISO 27002:2013 Terminology vs. ISO 27002:2022 Terminology
Though the controls, no doubt, will warrant much of your attention as you transition to the new version of the standard, there were also important changes to the wording that you should note as well.
Purpose vs. Objective
In the 2013 version, we saw details on what were called objectives. Take this example:
- 6.2 – Mobile
Objective: To ensure the security of teleworking and use of mobile devices.
But in the 2022 version, you’ll see that this information has been reconfigured into what is now a “purpose.” Here’s an example of what we mean:
- 8.1 – User endpoint devices
Purpose: To protect information against the risks introduced by using user endpoint devices.
The idea behind this change was to instead describe “the why,” that is, “why should you implement this control?” To go with that, additional tools have been provided, including extensive guidance to help you also answer the question of “how should you implement this control?” All of this is intended to provide further clarification.
That being said, keep in mind that this is guidance, not requirements. A benefit of ISO 27002 is that, despite these specifications, the controls are very broad: there’s no single way to implement each control, and they’re intended to be applied to any type of organization and IT environment.
Introduction of Attributes
But perhaps the more impactful change to ISO 27002:2022’s wording is the launch of attributes, the guidance for which can be found in Annex A of the new standard. There are five attribute categories:
- Control Types (Preventative, Detective, and Corrective)
- Information Security Principles (Confidentiality, Integrity, Availability)
- Cybersecurity Concepts (Identify, Protect, Detect, Respond, Recover)
- Operational Capabilities (e.g., Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, etc.)
- Security Domains (Governance and Ecosystems, Protection, Defense, Resilience)
Each control can have one or many attributes associated with each category, but it’s important to note that attributes are not hard requirements. They’ve been introduced to help create different views, or different categorizations of controls, based on shared attributes.
That’s right, attributes aren’t requirements, nor are they even required to be used, but where they can help is during your risk assessment and risk treatment/controls implementation process. Because they’re generic and can be customized to fit different needs, any type of organization can wield this new tool to gain a new perspective on the interfaces and relationships between their controls.
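To make the "views" idea concrete, here is an added Python example (not code from the article, Schellman, or ISO) that models a handful of the 2022 controls named above as records tagged in all five attribute categories, then builds a view by filtering on one attribute value and counts coverage per value. The attribute values attached to each control are illustrative assumptions for the demo, spelled as the article spells them; they are not copied from Annex A of the standard, so confirm them against the standard before using such a view in a real risk treatment plan.

```python
# Added example (not from the article): ISO 27002:2022 attributes as multi-valued
# tags on controls, with "views" built by filtering on one attribute value.
# Attribute values below are ASSUMED for illustration, not taken from Annex A.

CATEGORIES = ("control_type", "principles", "concepts", "capabilities", "domains")

CONTROLS = {
    "5.7 Threat intelligence": {
        "control_type": {"Preventative", "Detective", "Corrective"},
        "principles": {"Confidentiality", "Integrity", "Availability"},
        "concepts": {"Identify", "Detect", "Respond"},
        "capabilities": {"Threat and vulnerability management"},
        "domains": {"Defense", "Resilience"},
    },
    "7.4 Physical security monitoring": {
        "control_type": {"Preventative", "Detective"},
        "principles": {"Confidentiality", "Integrity", "Availability"},
        "concepts": {"Protect", "Detect"},
        "capabilities": {"Physical security"},
        "domains": {"Protection", "Defense"},
    },
    "8.15 Logging": {
        "control_type": {"Detective"},
        "principles": {"Confidentiality", "Integrity", "Availability"},
        "concepts": {"Detect"},
        "capabilities": {"Information security event management"},
        "domains": {"Protection", "Defense"},
    },
    "8.24 Use of cryptography": {
        "control_type": {"Preventative"},
        "principles": {"Confidentiality", "Integrity", "Availability"},
        "concepts": {"Protect"},
        "capabilities": {"Secure configuration"},
        "domains": {"Protection"},
    },
}


def view(category, value, controls=CONTROLS):
    """Return the controls carrying `value` in `category` (one attribute view)."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown attribute category: {category}")
    return sorted(name for name, tags in controls.items() if value in tags[category])


def coverage(category, controls=CONTROLS):
    """Count controls per value in one category; a quick gap check for a view.

    Because attributes are multi-valued, one control can count toward
    several values (e.g. a control tagged both Detect and Respond).
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown attribute category: {category}")
    counts = {}
    for tags in controls.values():
        for value in tags[category]:
            counts[value] = counts.get(value, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("Detective view:", view("control_type", "Detective"))
    print("Concept coverage:", coverage("concepts"))
```

A view such as `view("concepts", "Recover")` returning an empty list is exactly the kind of signal the attributes are meant to surface: not a non-conformity, since attributes are not requirements, but a prompt to ask whether the chosen control set really addresses that concept.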
For more information on attributes, read our more in-depth article here.
Moving Forward with Your ISO 27001 Certification
At the end of the day, ISO 27002 provides guidance as to how to properly establish a control set to mitigate risks identified through your information security management system (ISMS) risk assessment process, which you’d only do if you’re endeavoring to become ISO 27001 certified.
The ISO 27001 standard has been updated alongside 27002, and the two and their updates are inextricably linked: the ISO 27002:2022 control set replaces the one in ISO 27001:2013 (A.5-A.18, “Annex A”), which was previously based on ISO 27002:2013, making what you’ve just read critical for your next certification.
With that being said, the transition to the new versions of these related standards is ongoing; for the details that we have on that, check our article on transition requirements. In the meantime, if you have any questions about the above content or other considerations regarding these significant updates to these standards, please feel free to contact us. You’ll be connected with one of our experts, who are ready to help set your mind at ease.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.