Skip to content

The definitive guide to ISO 27002 2022: Part 2

Andrew Robinson May 14, 2022
The Definitive Guide to ISO 27002 2022: Part 2

The long wait is over, ISO/IEC 27002:2022 has been updated mostly for the better!

But what does it mean? If you're interested in a summary of the changes, refer to our previous post.

In this post, we'll perform a deep dive analysis into the characteristics of controls found in ISO/IEC 27002:2022 versus the 2013 version and versus the NIST Cyber Security Framework. We'll use this analysis to highlight the strengths and weaknesses of ISO/IEC 27002:2022 and how you can utilize the new version.

NOTE: Keep in mind that we're talking about the guidelines found in ISO/IEC 27002 and not the certification requirements found in ISO/IEC 27001. But it won't be long until the certification requirements are updated.


Recap: The biggest change is attributes

Perhaps the biggest change introduced by ISO/IEC 27002:2022 is not those within the controls but the control metadata.

ISO/IEC 27002:2022 introduces the concept of attributes including control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.

This is generally a good concept because it provides informative characteristics for the risk treatment planner or security architect to consider when developing a purposeful and diversified control environment (i.e., to avoid being overly dependent on a particular control type).

There are limitations to the control type definitions adopted in ISO/IEC 27002:2022 that could have the opposite effect and weaken security programs, but, of course, ISO/IEC 27002:2022 is a guideline only and should be adapted and enhanced by the organization for the best effect.


ISO/IEC 27002:2022 versus ISO/IEC 27002:2013

For this first comparison, we took the "control type" attribute provided along with each of the controls in ISO/IEC 27002:2022 and ran a comparison against the equivalent attribute in our archives from ISO/IEC 27002:2013.

Yes, a sharp observer would know that attributes are *new* so who would have previously applied these control types to an older version? The answer is fairly mature organizations or downright crazy consultants (or former consultants).


2022 v. 2013: The Comparison

We had the data on hand, despite some minor differences that will surface shortly and be explained more fully later on.

The control types from ISO/IEC 27002:2022 are #Corrective, #Detective and #Preventive. And there is one lucky control that has all three! FWIW it's the new 5.7 Threat intelligence control.

Presumably, if you know about a threat *and* take action to avoid it, this may be the case. Except that the sharing of threat intelligence usually follows threats becoming active. So it's 50:50, maybe 80:20 in your favor if you receive good threat intelligence and respond swiftly. Back to the comparison.

We normalized the control types with a little bit of obstinance and a small but insignificant margin of error to come up with the following chart:

6c ISO 27002 2022 to 2013 by Control TypeChart compliments of 6clicks


2022 v. 2013: The Analysis

From the chart above, you can see a similar distribution on the control types between the two versions. In addition, you will note an increase in the “Preventive” controls, which is explored later in this report (see What’s wrong...).

You can also see the omission in ISO/IEC 27002:2022 of any other control type except for the very mainstream Preventive, Detective, and Corrective types.

This leads to the errant results that most controls are flagged as Preventive if not Detective or Corrective.

The Deterrent and Assurance control types are of the author's creation but serve to better polarize controls, understand their limits (e.g., policies), and ensure sufficient spread in the control strategy.


ISO/IEC 27002:2022 versus NIST Cybersecurity Framework

For this second comparison, we took the cybersecurity concepts attribute from ISO/IEC 27002:2022 and compared it with the NIST Cyber Security Framework.

We normalized the data - which was quite simple in this case because they're based on the Identify, Detect, Protect, Response, and Recover categories first presented in the NIST Cyber Security Framework.

Did you know, though, that ISO has accepted these terms in supporting guidelines specified in ISO/IEC TS 27110:2021? But this is the first time they're been folded into ISO/IEC 27002 and may make their way into ISO/IEC 27001 Annex A.

This language provides another useful way for the risk treatment planner or security architect to polarise controls on a spectrum and ensure that the overall strategy is resilient.

For example, if you focus too much on Identify but not Protect, you know what to do but aren't doing it. And if you don't detect you won't know what is going on.

6c ISO 27002 2022 to NIST by FunctionChart compliments of 6clicks


ISO 27002:2022 v. NIST CSF: The Analysis

From the chart, ISO/IEC 27001:2022 (and its preceding version) have a significant majority of, and potential overemphasis on, #Protect controls.

In fact, many controls are misrepresented as #Protect cybersecurity concept controls in a similar way to being tagged #Preventive in terms of control type.

ISO/IEC 27001:2022 could be improved by correcting the overuse of #Protect and introducing a greater emphasis on resilience with an increase in the number of #Detect, #Response, and #Recovery controls.


What's Wrong and How to Iron It Out

We counted ~20 controls in ISO/IEC 27002:2022 that have the #Preventive attribute which are not truly preventive in a technical sense and should rather be tagged as #Corrective or #Detective only, or preferably many in fact should be tagged #Deterrent or #Assurance controls.

Consider introducing Deterrence and Assurance as cybersecurity concepts into your approach. Deterrence (e.g. a policy) discourages an unwanted action or event but cannot alone prevent it. 

Assurance-related controls (e.g., audits) do not prevent unless followed up with other actions. Assurance is, however, very useful in itself as a goal to know and have confidence that controls are operating effectively.

Preventive controls should be limited to those measures that are designed to limit the operating environment such that the unwanted action or event cannot occur in ordinary circumstances (e.g., firewall, access control), not policies and other planning activities.

How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.


All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!

Leave a Comment