Skip to content

The Definitive Guide to ISO 27002 2022: Part 1

Andrew Robinson Apr 12, 2022
The Definitive Guide to ISO 27002 2022: Part 1

The only constant is change. Even for ISO standards.

The original version of ISO 27001 was published in 2005, with minor updates in 2013, and now finally a moderately sized update in 2022. That’s about one update per decade!

In a fast-changing industry like cyber and information security that could be seen as a bad thing. But ISO 27001 like ISO itself is a steady ship in a fast-changing environment.

This differs from, say, the Australian Government Information Security Manual (ISM), which was being updated monthly to keep pace with changes to the environment but has now slowed to quarterly updates.

The unintended consequence of too frequent change is paralysis by analysis loop that, if not broken, represents a missed opportunity for achieving tangible improvement.

In this article, we are going to explore what has changed in ISO 27002:2022, including control additions, the reasons behind those additions, and reductions (or rather merged or simmered controls).

In a follow-up article, we will perform a deep dive analysis into the characteristics of controls found in ISO 27002:2022 versus the 2013 version, and versus the NIST Cyber Security Framework.

We will use this analysis to highlight the strengths and weaknesses of ISO/IEC 27002:2022 and how you can utilize the new version.

Keep in mind, that we're actually talking about the guidelines found in ISO 27002 and not the certification requirements found in ISO 27001. But it won't be long until the certification requirements are updated.


So what has changed?

ISO 27002 2022


The biggest change is attributes

Perhaps the biggest change introduced by ISO 27002:2022 is not those within the controls but the control metadata. ISO 27002:2022 introduces the concept of attributes including control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.

This is generally a good concept because it provides informative characteristics for the risk treatment planner or security architect to consider when developing a purposeful and diversified control environment (i.e., to avoid being overly dependent on a particular control type).

There are limitations to the control type definitions adopted in ISO/IEC 27002:2022 that could have the opposite effect and weaken security programs, but of course, ISO/IEC 27002:2022 is a guideline only and should be adapted and enhanced by an organization for the best effect.



The following list summarizes the new controls introduced in ISO/IEC 27002:2022. These controls reflect key trends or drivers in the environment including the increased adoption of cloud services (tagged #Cloud by the author), use of mobile devices (tagged #Mobility by the author), the importance of secure code/software (tagged #Code by the author), privacy (tagged #Privacy by the author) and need eternal vigilance (tagged #Visibility by the author).

  • 5.7 Threat intelligence | #Visibility
  • 5.23 Information security for use of cloud services | #Cloud
  • 5.30 ICT readiness for business continuity | #BCP
  • 7.4 Physical security monitoring |  #Cloud
  • 8.9 Configuration management | #Cloud #Code
  • 8.10 Information deletion | #Privacy
  • 8.11 Data masking | #Privacy
  • 8.12 Data leakage prevention | #Visibility #Privacy
  • 8.16 Monitoring activities | #Visibility
  • 8.23 Web filtering | #Visibility
  • 8.28 Secure coding | #Code



Let's unpack those key drivers a bit more. Firstly, #Cloud controls are necessary for response to the continued rise of cloud computing, the dominance of global hyper-scale cloud service providers, the occasional service failure or vulnerability that has an unprecedented impact, and contractual or data sovereignty issues.

A renewed focus on #BCP is relevant in response to the Covid pandemic, but also the disruption caused by ransomware and natural disasters. #Mobility enables working from home, a wider trend towards flexible/remote work,  and potentially a return to travel both business and leisure (hopefully!).

Secure #Code and technology supply chains are another area of focus following Solarwinds, Log4j/log4shell, and so on and so on. #Privacy continues to dominate headlines following the continued loss of personal information and the rise of privacy legislation such as, e.g., GDPR (EU), CCPA (US), and NDBS (Australia). Finally,  cooperation between government and industry is maturing to achieve #Visibility of threats.



There are a lot of controls from ISO/IEC 27002:2013 that have been merged into ISO/IEC 27002:2022. Specifically, 56 controls from the older version have been merged down to 24 controls in the new version.

The merged controls were largely duplicative in the prior version and their merger makes way for the important new controls without merely adding more controls and making the baseline controls unnecessarily unwieldy. This was quite pleasing to see in the new version.

The two most pertinent examples are electronic media security (4 controls merged into 1) having receded in preference to cloud storage and logging controls (3 controls merged into 1) still important for visibility but not needing to be represented as 3 controls.

Regulators often get caught in the vicious ivory tower trap of adding without removing, making the requirements ever more demanding and complex, tending increasingly towards becoming unachievable. Luckily we have fewer minimum - more dense - controls in 2022.



There was only one split of a single control in ISO/IEC 27002:2013 into two controls in ISO/IEC 27002:2022 and --drum roll-- it was... A.18.2.3 Technical compliance review. In practice, this control had a large degree of overlap with A.12.6.1 Management of technical vulnerabilities (e.g. hardening, patching, etc.) now 8.8 and A.18.2.2 Compliance with security policies and standards (and internal audits) now 5.36.

In tallying the numbers, if you've tried to add the additions and remove the merged controls, you shouldn't add one for this split, since both 5.36 and 8.8 are also counted as merged controls. The exact formula as we count it is:

114 controls in ISO/IEC 27002:2013 + 11 additions - 56 merged + 24 condensed (+ 1 split - 1 already merged) =
93 controls in ISO/IEC 27002:2022


6c ISO 27002 2022 by domain


How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.


All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!

Leave a Comment

Top analysts and customers have spoken.

They genuinely love 6clicks.

"The best cyber GRC platform for businesses and advisors."


"We chose 6clicks not only for our clients, but also our internal use”

Partner | Big 4

"With 6clicks we can simply close deals much faster"

CEO | Startup

6clicks Risk Registers and Reviews

"The 6clicks solution simplifies and strengthens risk, compliance, and control processes across entities and can grow and adapt as the organization changes and evolves."

Michael Rasmussen | GRC 20/20 Research LLC


Why businesses and advisors choose 6clicks

It's faster, easier and more cost effective than any alternative.

6clicks Enterprise Risk Management

Powered by artificial

Experience the magic of Hailey, our artificial intelligence engine for risk and compliance.

What's the best GRC software?

Unique Hub & Spoke architecture

Deploy multiple teams all connected to a hub - perfect for federated, multi-team structures.

Best software for ISO 27001 compliance

Fully integrated
content library

Access 100's of standards, control sets, assessment templates, libraries and playbooks.

Are you ready to experience AI-powered GRC?