ISO/IEC 27002 Information Security Controls Standard Updated After 9 Years!

ISO/IEC 27002 Information Security Controls Standard Updated After 9 Years!

After nine long years, ISO 27002:2013 has been updated to 27002:2022 (Information security, cybersecurity, and privacy protection — Information security controls).

ISO 27002:2022 Abstract

“This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations: (a) within the context of an information security management system (ISMS) based on ISO/IEC27001; (b) for implementing information security controls based on internationally recognized best practices; (c) for developing organization-specific information security management guidelines.”


There are a total of 93 controls in the 2022 version of 27002 vs. 114 in the 2013 version:

  • 12 new controls.
  • 24 controls were merged from two, three, or more controls from the 2013 version.
  • 58 controls from the 2013 version were reviewed and revised to better align with the current information security and cyber security environment.
  • A new concept of attributes and categories allows for a straightforward application of the standard and alignment to other frameworks like NIST RMF, NIST CSF, etc.
  • 4 sections (clause 5,6,7,8) plus 2 annexes vs. 14 Domains

The 2022 version of ISO 27002 also includes two very useful annexes. There is Annex A, which includes guidance for the application of attributes, as well as Annex B, which corresponds with ISO/IEC 27001:2013.

Both appear to be useful in helping bridge the gap between versions of this standard. They also further clarify the new application of controls from the 2022 version.

New Format & Structure

Moving away from control objectives and control format; structuring controls by “themes”.

From the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)
  • Annex A – Using attributes
  • Annex B – Correspondence with ISO/IEC 27002:2013

ISO 27002:2013 vs. ISO 27002:2022

The total control count was 114 in the 2013 version and in the 2022 version, the new count is 93.

Sixteen controls were deleted due to duplication or better alignment under other controls:

  • Review of the policies for information security
  • Mobile device policy
  • Ownership of assets
  • Handling of assets
  • Password management system
  • Delivery and loading areas
  • Removal of assets
  • Unattended user equipment
  • Protection of log information
  • Restrictions on software installation
  • Electronic messaging
  • Securing application services on public networks
  • Protecting application services transactions
  • System acceptance testing
  • Reporting information security weaknesses
  • Technical compliance review
  • Review of the policies for information security

24 controls in the 2022 version include the consolidation of 56 controls from the 2013 version.

Twelve new controls have been introduced in the new version of ISO/IEC 27002

  • Threat intelligence
  • Identity management
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Secure coding

14 Domains in 2013 Version

  • Information Security Policies (2)
  • Organization of Information Security (7)
  • Human Resources Security (6)
  • Asset Management (10)
  • Access Controls (14)
  • Cryptography (2)
  • Physical & Environmental Security (15)
  • Operations Security (14)
  • Communications Security (7)
  • Systems, Acquistion, Development, & Maintenance (13)
  • Supplier Relationships (5)
  • Information Security Incident Management (7)
  • Information Security Aspects of Business Continuity Management (4)
  • Compliance (8)

4 Categories in New 2022 Version

  • Organizztional (37) – Clause 5
  • People (8) – Clause 6
  • Physical (14) – Clause 7
  • Technological (34) – Clause 8

New Concept of Attributes in 2022 Version

Now you can sort views to differentiate controls based on different perspectives of an attribute.

Elements of Each Control

The controls in the new version of ISO 27002 have two new elements in their structure:

  • Attribute table: attributes associated with the control (see next section for explanation)
  • Purpose: rationale for applying the control

These added elements make it easier to find information to better understand how to sort and justify the use of a control.

Additionally, in the new ISO 27002, one level of subtitle was eliminated. As a comparative example, access control was previously “9 Access control – 9.1 Business requirements of access control – 9.1.1 Access control policy,” whereas it is now “5 Organizational controls – 5.15 Access control.”

Controls attributes

This is the change that brings the most value for this new version, because it provides a standardized way to sort and filter controls against different views to address the needs of different groups.

Attributes options for each control are as follows:

  • Control types: Preventive, Detective, and Corrective
  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
  • Security domains: Governance and ecosystem, Protection, Defense, and Resilience

These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework and NIST CSF.

Impact on Extended Standards

ISO 27017:2015 (Cloud Services), ISO 27018:2019 (PII in the Cloud) will need to use a reverse mapping in the interim until they are updated.

Controls in the current version of 27001:2013 Annex A are based on 27002:2013 have not been updated yet. ISO/IEC 27001:2022 should be published this year. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) joint technical committee, ISO/IEC JTC 1, is changing the structure of the ISO/IEC 27001/27002 control framework after nearly 20 years.

Not all controls from 2013 are a one-to-one mapping and were consolidated.

What Is the Difference Between ISO/IEC 27001 and ISO/IEC 27002?

Organizations can achieve certification to ISO/IEC 27001 but not ISO/IEC 27002. ISO/IEC 27001 documents requirements for establishing, implementing, maintaining, and continually improving an information security management system, while ISO/IEC 27002 is designed for organizations to use as a reference for selecting controls and provides guidelines for information security management practices including the implementation and management of controls, taking into consideration the organization’s information security risk environment.

Organizations can get certified to standards that contain requirements but cannot get certified to standards that provide guidance.

Scheduled Changes in ISO/IEC 27001:2022?

The main changes in ISO/IEC 27001:2022 include Annex A references to the controls in ISO/IEC 27002:2022, which includes the control title and the control; The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”; The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.

Tim Layton specializes in demystifying the complexities and technical jargon associated with cloud computing security and risk management for business stakeholders across the enterprise. Tim is a cloud security thought leader defining actionable and defensible strategies to help enterprise stakeholders make risk-based decisions and prioritize investments in the new digital frontier.

Stay Connected With Tim Layton



Get My Free Cloud Security Risk Management Journal


Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. (NIST 800–30)

Threat: potential cause of an unwanted incident, which can result in harm to a system or organization. (ISO 27001)

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (NIST 800–30)

Vulnerability: weakness of an asset or control that can be exploited by one or more threats. (ISO 27001)

Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. (NIST 800–30)

Likelihood: chance of something happening. (ISO 27001)

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST 800–30)

Risk: effect of uncertainty on objectives. (ISO 27001)

Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST 800–30)

Compensating Security Control: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. (NIST 800–30)

Impact Level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (NIST 800–30)

Residual Risk: Portion of risk remaining after security measures have been applied. (NIST 800–30)

Security Posture: The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST 800–30)

Get My Free Cloud Security Risk Management Journal

Tim Layton

Tim Layton

Get Tim Layton's Free Cloud Security Journal so you can remain current with the latest cloud security trends and updates. Tim is a cloud security thought leader defining actionable and defensible strategies to help organization's make risk-based decisions and prioritize investments.