Recent Changes to ISO 27002

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have collaborated to create ISO/IEC 27001, the leading international standard for information security. The ISO framework consists of a set of policies and processes. Its goal is to assist enterprises of all sizes and industries in implementing an Information Security Management System (ISMS) to protect their information systems. The ISO 27002 framework has recently experienced changes that might impact your organization. Risk3sixty’s Phalanx GRC tool can help your organization plan and prepare for the recent ISO 27002 changes.

Every five years, the standard’s writers undertake a laborious revision process that begins with ISO 27002, the control implementation guidance. ISO 27002 is a supplementary standard that can help create criteria to meet the goals of the 114 Annex A controls defined in the certifiable ISO 27001 standard’s appendix. The authors issued a significant change to ISO 27002 in February 2022, hoping that an updated ISO 27001 would be released later that year. As with other modifications, the driving factor behind this enormous project was to modernize the security framework to reflect the technology businesses use today.

What Are The Changes In ISO 27002:2022?

There are several advancements included in the 2022 version of ISO 27002 that will continue to develop. To date, the key takeaways to understand include:

  • Categories vs. Domains: The control sets are now organized into four categories instead of 14 control domains. The four categories include Organizational, People, Physical, and Technological.
  • Fewer Controls: There are 21 fewer controls in the 2022 version (from 114 to 93). There are no excluded controls.
  • Less Control Redundancy: 57 controls merged into 24 controls.
  • New Controls: There are 11 new controls. This helped modernize the standard to reflect the current information security landscape.
  • Renamed: 23 controls were renamed to make them easier to understand.
  • Updated/Revised: 58 controls were revised to better align with the current information security and cyber security environment.

What Does This Mean Moving Forward?

This latest update will help reduce the control bloat associated with outdated technologies. Now that this updated comprehensive standard is formally published, the next step will be establishing a timeline for transition to this new version and updates to ISO 27001. The anticipated release date for ISO 27001 is Q4 of 2022. Organizations interested or affected can begin dissecting the details within ISO 27002:2022. Preparing now for the new certification phase will help ease the transition.

Should Companies Currently Pursuing ISO 27001 Certification Wait To Get Certified?

No. The clauses of ISO 27001 will remain the same, which means how you build and operate an ISMS remains the same. Remember that ISO 27001 programs lay the foundation for your security maturity journey. In our opinion, this is a compelling reason not to delay your certification initiative.

Should We Use The New Set Of Controls Or The Old Ones?

ISO 27001:2022 will be published sometime later in 2022. In the meantime, organizations can use the existing standard and the controls within. You could begin inspecting the appendix mapping between control sets found at the bottom of ISO 27002:2022 in preparation for the transition.

How Will These Changes Impact My Current ISO 27001:2013 Certification?

ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications. Accreditation bodies will work with the certification bodies on a transition cycle, giving organizations holding an ISO 27001 certificate ample time to transition from one version to another.

How Much Time Do I Need To Align My ISMS To The 2022 Version Of The Standard?

As the new ISO 27001:2022 will be released later in 2022, and a specific date is not published, you will likely have at least a year to officially update to the new controls from ISO 27002:2022. Organizations are expected to be given ample time from certifying bodies to make the transition.

Can risk3sixty Help Your Organization Transition To The New ISO 27002:2022 Revision?

Risk3sixty is currently ISO 27001, 27701, and 22301 certified. We have helped hundreds of high-tech growth companies build security, privacy, and compliance programs. Risk3sixty’s Phalanx GRC tool can help your organization plan and prepare for the recent ISO 27002 changes. Our proven track record in establishing, certifying, and maintaining ISMSs has helped organizations of all sizes and various industries. If you want to learn more about risk3sixty’s GRC platform, Phalanx, reach out and schedule a demo.
