Contact

ISO 27002 is getting updated, finally!

Published
04 Oct 2021
Read time
5 min read
Category
News, Security, Security Practice

More than eight years since its last face-lift, ISO 27002 is under review with a new version expected to be released later this year.  The reason for the update is to streamline and re-organise the 114 controls to better support organizations recognising the changed risk landscape of the modern information security environment. And not before time!

What can we expect with new information security code of practice?

  • Fewer controls – down to 93 from 114 controls
  • Some controls will be removed, others will be consolidated and some new ones will be added. The new controls include threat intelligence, information security for the use of cloud services, physical security monitoring, data leakage prevention, and more.
  • Controls will be organised into 4 categories: organisational, people, physical and technological controls, rather than the existing 14 categories (information security policies, organisational of information security, human resource security etc).

Background to ISO 27002

ISO/IEC 27002 is a guidance document, or a code of practice, designed to be used as a reference for selecting controls, while implementing an Information Security Management System (ISMS) based on ISO/IEC 27001.   The controls included in clauses 5 – 18 of ISO 27002 map to those in ISO 27001 Annex A, with much more detailed implementation guidance for each control included in ISO 27002.

While an organization can only get a certification for ISO 27001, ISO 27002 is essential as it explains how the required controls are implemented. The 2013 version of ISO 27002 has been under review for some time and the latest draft has already gone through several rounds of discussions and changes.

The target release date for the final version is late 2021.

Changes to ISO 27002

In summary, the new ISO 27002 consolidates the security controls of the standard into four new categories (i.e. Organizational, People, Physical and Technological) and updates the controls (removing some, merging others and adding in new controls).

The total number of controls will be reduced from current count of 114 controls to 93 controls divided into 4 categories (as opposed to the 14 domains in the existing version). The 4 new categories, and the number of controls in each, are:

  • Organizational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

The 16 controls to be removed – because they duplicate other controls or to enable better alignment in other areas – are:

  • Control 5.2.2: Review of the policies for information security
  • Control 6.2.1: Mobile device policy
  • Control 8.1.2: Ownership of assets
  • Control 8.2.3: Handling of assets
  • Control 9.4.3: Password management system
  • Control 11.1.6: Delivery and loading areas
  • Control 11.2.5: Removal of assets
  • Control 11.2.8: Unattended user equipment
  • Control 12.4.2: Protection of log information
  • Control 12.6.2: Restrictions on software installation
  • Control 13.2.3: Electronic messaging
  • Control 14.1.2: Securing application services on public networks
  • Control 14.1.3: Protecting application services transactions
  • Control 14.2.9: System acceptance testing
  • Control 16.1.3: Reporting information security weaknesses
  • Control 18.2.3: Technical compliance review

11 new controls are to be added to reflect the evolution in and updates to industry best practices over the eight years from release of the current version of ISO 27002.  The new controls to be introduced include:

  • Threat intelligence
  • Identity management
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • User endpoint devices
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Secure coding

Threat Intelligence is a new control of particular interest. To certify to ISO 27001, “information relating to information security threats should be collected and analyzed to produce threat intelligence.”

Some of the other changes to be implemented include:

  • The Inventory of Assets will have to be an “Inventory of information and other associated assets”.
  • The controls around the acceptable use of assets are changed as “Acceptable use of information and other associated assets”.
  • The policy on cryptographic controls and key management etc. modified as “Use of Cryptography controls”.
  • Event logging will be renamed as “Logging”.
  • The controls around maintaining Admin and operator logs will be integrated into “Monitoring activities”.
  • Information transfer policies and procedures and the control requiring an agreement on Information transfer will be integrated as one control under “Information transfer”.

What is the impact on current compliance with ISO 27002?

There is “No” impact at this point in time as ISO 27002 is code of practice. However, over time, changes will need to be implemented as organisations will need to prove they have considered all of the updated controls in the new version of ISO 27002 for implementation.

The target release date for the final version of ISO 27002:2021 is late 2021 and after that there will be a transition period from the current version to the new one.

Because ISO 27001 depends on ISO 27002, the upcoming changes to ISO 27002 will likely impact ISO 27001, and the certification will likely also be updated in the coming year (2022).

What should you do to prepare for the new ISO 27002?

Although there is a transition period, it is always worth being aware of the upcoming controls/changes.  They will be here in the next few months so it is time to start planning for how to update your ISMS based on the new practice.

Some steps to help plan what changes might be required:

  • The information security team should review the draft recommendations and the proposed 93 controls in the current draft of the new ISO 27002.
  • They should then perform a gap analysis between existing and new (draft) implementation guidelines, and wherever possible link to the existing documents and other  evidence of implementation, wherever possible.
  • Check the recommendations for new policies and procedures and start to plan how these might be implemented.
  • Think about raising awareness of the approaching changes among IT – Risk & Security management and with all relevant stakeholders (as required).  The changes are significant and it’s worth getting this into the planning cycle now.

How can Privacy 108 Help?

Our team of privacy and information security experts are available to assist you at any time with your privacy and security needs.

We are familiar with ISO 27001, 27002 and 27701 and other ISO standards and can support you in the design, implementation, maintenance and review of your Information security Management System.

Contact us to see how we might be able to help: hello@privacy108.com.au.

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.