The new ISO 27002:2022

For the first time since 2013 a new revision of ISO 27002 has been published. In case you think thats too good to be true, I suggest you go and have a look at the official ISO publication.

ISO 27002 has always been a standard applicable to organizations of all types and sizes. It serves as a reference for implementing controls for information security risk treatment as part of an information security management system (ISMS) based on?ISO/IEC?27001. It is mostly used as a guideline for organizations determining and implementing commonly accepted information security controls.

What has changed?

The most obvious change was made to the controls included in this standard. The previous revision ISO 27002:2013 contained 114 controls, classified into 14 control objectives. The 2022 revision version contains 93 controls, divided over 4 chapters:

• 5. Organizational Controls (37 controls)
• 6. People Controls (8 controls)
• 7. Physical Conrols (14 controls)
• 8. Technological Controls (34 controls)

The following image provides an overview of the new structure. New controls are highlighted in yellow.

Another significant change was made to the profile of each control. ISO 27002:2022 adds the following attributes to each control.

• Control type [Preventive, Detective, Corrective]
• Information security property?[Confidentiality, Integrity, Availability]
• Cybersecurity concepts [Identify, Protect, Detect, Respond, Recover]
• Operational capabilities?[Application security, Asset management, Continuity, Data protection, Governance, Human resource security, Identity and access management, Information security event management, Legal and compliance, Physical security, Secure configuration, Security assurance, Supplier relationships security, System and network security, Threat and vulnerability management]
• Security Domains?[Governance_and_Ecosystem, Protection, Defence, Resilience]

In the following picture you can see the attributes for control 8.32 Change Management.

All in all ISO 27002 seems to have received a major upgrade in terms of structure and flexibility. As soon as an amendment for ISO 27001 will be released, organizations can get certified. However taking the necessary steps to prepare for this upgrade is something you can start with today.