The updated ISO/IEC 27002:2022 standard has some well-timed improvements that target today’s information security challenges. So, job well-done by the subcommittee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission behind its release!
On February 15 of 2022, ISO/IEC 27002:2022 was released, replacing the 2013 version. So, what has changed? And what does it take to benefit from this new edition?
What’s New in the ISO/IEC 27002:2022 Update?
ISO/IEC 27002:2013 contained 114 controls, divided over 14 chapters. This has been restructured. The 2022 version contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
Note that some controls of the 2013 edition have been merged in the ISO/IEC 27002:2022 update. The table below shows the controls that are new. These may require some tweaking of your existing implementation.

| ISO/IEC 27002:2022 | ISO/IEC 27002:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
Mapping ISO/IEC 27001:2013 to ISO/IEC 27001:2022?
We can be very brief about mapping the controls of the 2013 version of ISO/IEC 27002 to the controls of the 2022 version, because Annex B of the new version contains a 7-page table called “Correspondence of ISO/IEC 27002:2022 (this document) with ISO/IEC 27002:2013”. So yet again, the subcommittee did well, making it easy to locate your existing control in the updated ISO/IEC 27002:2022 standard.
What Else is New in the ISO/IEC 27002:2022 Update?
Speaking of what is referenced in an Annex of the new edition, check out Annex A.1, which contains a comprehensive matrix of controls and attribute values. The table below shows what to expect: every control is tagged with one or more values for each of the five attributes, which lets you filter the control set by, for example, control type or cybersecurity concept.

| ISO/IEC 27002 Control Identifier | Control Name | Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|---|---|
| E.g. 5.1, 5.2, etc. | E.g. Policies for information security | Preventive, Detective, or Corrective | Confidentiality, Integrity, or Availability | Identify, Protect, Detect, Respond, or Recover | Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, or Information security assurance | Governance and Ecosystem, Protection, Defence, or Resilience |
What About ISO/IEC 27001?
ISO will release a new ISO/IEC 27001:2022 in October 2022. Obviously, this version will include the 93 controls from the ISO/IEC 27002 update, as well as a small update to align the Information Security Management System (ISMS) with the latest changes to Annex SL (such as the addition of clause 6.3 for Change Management).
What About Certification Training?
INTERPROM is an accredited training provider of APMG International. We have been assured that APMG is ready for the new release to be published and will then immediately make the necessary updates to its certification exams and course syllabus. Subsequently, as soon as APMG releases its updates, INTERPROM will update its courses and offer the new version of the Foundation, Information Security Officer, and Auditor certification training courses.
Also, our self-paced online Foundation course will be updated. Furthermore, it will be enhanced with tutorial videos. Speaking of online training, a “bridge course” will be published to bridge existing certification holders to the new edition.
Following the APMG International qualification scheme, existing ISO/IEC 27001 certified individuals do not have to worry about their certification expiring or about having to retake a course. Moreover, your existing certificate does not expire.
Next Steps
- Purchase the updated edition of ISO/IEC 27002 on websites from organizations such as iso.org or ansi.org.
- Revisit our website later this year for the Bridge course and the updated courses and their schedules.
- Use our risk and control owner coaching service to benefit from our guidance on migrating to the new edition.
- And finally, hire one of our ISO/IEC 27001-certified auditors to conduct an internal audit to verify your level of compliance with the new editions of ISO/IEC 27001 and ISO/IEC 27002.