
The definitive guide to ISO 27002 2022: Part 1

Andrew Robinson Apr 12, 2022

The only constant is change. Even for ISO standards.

The original version of ISO 27001 was published in 2005, with minor updates in 2013, and now finally a moderately sized update in 2022. That’s about one update per decade!

In a fast-changing industry like cyber and information security, that could be seen as a bad thing. But ISO 27001, like ISO itself, is a steady ship in a fast-changing environment.

This differs from, say, the Australian Government Information Security Manual (ISM), which was being updated monthly to keep pace with changes to the environment but has now slowed to quarterly updates.

The unintended consequence of too-frequent change is a paralysis-by-analysis loop that, if not broken, represents a missed opportunity for achieving tangible improvement.

In this article, we are going to explore what has changed in ISO 27002:2022, including control additions, the reasons behind those additions, and reductions (or rather, merged or condensed controls).

In a follow-up article, we will perform a deep-dive analysis of the characteristics of the controls found in ISO 27002:2022 versus the 2013 version, and versus the NIST Cyber Security Framework.

We will use this analysis to highlight the strengths and weaknesses of ISO/IEC 27002:2022 and how you can utilize the new version.

Keep in mind that we're actually talking about the guidelines found in ISO 27002 and not the certification requirements found in ISO 27001, so it's not exactly ISO 27001 vs 27002. But it won't be long until the certification requirements are updated, too.


So what has changed in ISO 27002?



The biggest change in ISO 27002:2022 is attributes

Perhaps the biggest change introduced by ISO 27002:2022 is not within the controls themselves but in the control metadata. ISO 27002:2022 introduces the concept of attributes, including control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.

This is generally a good concept because it provides informative characteristics for the risk treatment planner or security architect to consider when developing a purposeful and diversified control environment (i.e., to avoid being overly dependent on a particular control type).

There are limitations to the control type definitions adopted in ISO/IEC 27002:2022 that could have the opposite effect and weaken security programs, but of course, ISO/IEC 27002:2022 is a guideline only and should be adapted and enhanced by an organization for the best effect.


Additions in ISO 27002 2022 controls

The following list summarizes the new controls introduced in ISO/IEC 27002:2022. These controls reflect key trends or drivers in the environment, including the increased adoption of cloud services (#Cloud), the use of mobile devices (#Mobility), the importance of secure code/software (#Code), privacy (#Privacy) and the need for eternal vigilance (#Visibility). The tags are the author's own.

  • 5.7 Threat intelligence | #Visibility
  • 5.23 Information security for use of cloud services | #Cloud
  • 5.30 ICT readiness for business continuity | #BCP
  • 7.4 Physical security monitoring | #Cloud
  • 8.9 Configuration management | #Cloud #Code
  • 8.10 Information deletion | #Privacy
  • 8.11 Data masking | #Privacy
  • 8.12 Data leakage prevention | #Visibility #Privacy
  • 8.16 Monitoring activities | #Visibility
  • 8.23 Web filtering | #Visibility
  • 8.28 Secure coding | #Code



Let's unpack those key drivers a bit more. Firstly, #Cloud controls are a necessary response to the continued rise of cloud computing, the dominance of global hyper-scale cloud service providers, the occasional service failure or vulnerability that has an unprecedented impact, and contractual or data sovereignty issues.

A renewed focus on #BCP is relevant in response to the Covid pandemic, but also to the disruption caused by ransomware and natural disasters. #Mobility enables working from home, a wider trend towards flexible/remote work, and potentially a return to travel, both business and leisure (hopefully!).

Secure #Code and technology supply chains are another area of focus following SolarWinds, Log4j/Log4Shell, and so on. #Privacy continues to dominate headlines following the continued loss of personal information and the rise of privacy legislation such as GDPR (EU), CCPA (US), and NDBS (Australia). Finally, cooperation between government and industry is maturing to achieve #Visibility of threats.


Mergers from ISO 27002 2013 into 2022

There are a lot of controls from ISO/IEC 27002:2013 that have been merged into ISO/IEC 27002:2022. Specifically, 56 controls from the older version have been merged down to 24 controls in the new version.

The merged controls were largely duplicative in the prior version and their merger makes way for the important new controls without merely adding more controls and making the baseline controls unnecessarily unwieldy. This was quite pleasing to see in the new version.

The two most pertinent examples are electronic media security (4 controls merged into 1), which has receded in importance as cloud storage has been preferred over physical media, and logging (3 controls merged into 1), which remains important for visibility but did not need to be represented as 3 separate controls.

Regulators often get caught in the vicious ivory-tower trap of adding without removing, making the requirements ever more demanding and complex and tending increasingly towards the unachievable. Luckily, the 2022 version gives us fewer, denser minimum controls.


Split control from ISO 27002 2013 into 2 controls in ISO 27002 2022

There was only one split of a single control in ISO/IEC 27002:2013 into two controls in ISO/IEC 27002:2022 and --drum roll-- it was... A.18.2.3 Technical compliance review. In practice, this control had a large degree of overlap with A.12.6.1 Management of technical vulnerabilities (e.g. hardening, patching, etc.), now 8.8, and with A.18.2.2 Compliance with security policies and standards (and internal audits), now 5.36.

In tallying the numbers, if you've tried to add the additions and subtract the merged controls, you shouldn't add one for this split, since both 5.36 and 8.8 are already counted among the merged controls. The exact formula as we count it is:

114 controls in ISO/IEC 27002:2013 + 11 additions - 56 merged + 24 condensed (+ 1 split - 1 already merged) = 93 controls in ISO/IEC 27002:2022

