The new ISO 27002: 2022 – Answers to some Frequently Asked Questions

The new 2022 revision of ISO 27002 was published on February 15, 2022

It’s been eight years since the last revision of ISO/IEC 27002 (in 2013), and although ISO 27001:2013 was confirmed in 2019 (i.e., no changes in the Information Security Management System standard were required) – ISO 27002 definitely needed improvement to fulfil its role as guidance for implementation of ISO 27001 Annex A controls.

We’ve covered the changes in more details in our previous blog posts – here and here.

This blog post is directed as answering some of the frequently asked questions about the new ISO 27002 standard.

Changes to ISO 27002: 2022

Why was ISO 27002 changed?

Digital transformation, together with a worsening cyber threat landscape and growing concerns around protecting personal data, accelerated the need for changes to ISO 27002. The impact of this changing landscape is evident in the inclusion in ISO 27002 of new controls relating to threat intelligence, cloud services and protecting personal data.

Perhaps more importantly, the new standard, in changing from a code of practice a set of controls, provides a broader structure which supports the easier integration of controls with other frameworks and approaches, like that in the NIST Cyber Security Framework. The new structure is less prescriptive and gives organisations the autonomy to explore options to meet control objectives.

It has also streamlined the control set,  eliminating redundancy between controls across multiple domains as well as within the same domain. It allows users to examine the subject based on themes which helps in the easier and more effective implementation of controls.

What are main changes to the ISO 27002 controls?

The main changes to the ISO 27002 controls are:

• Controls are now organised into 4 sections
• 35 controls remained the same with change in control number and realigned to the  4 sections;
• 11 new controls were added;
• 23 controls have been renamed to make them easier to understand
• Even though the number of controls have been reduced (from 114 to 93 ); no controls are excluded;
• 57 controls have been merged into 24controls;
• Only one control was split; Control 18.2.3 Technical Compliance Review was split into:
  • 3.6 – Compliance with policies, rules and standards for information security;
  • 8 – Management of technical vulnerabilities

We’ve covered the changes in more details in our previous blog posts – here and here.

What will be the main impact of the changes to ISO 27002?

The re-organisation of ISO 27002 controls will change the way organisations who made “hard links” to the previous 14 domain areas look at their controls. Once this is done however, the new standard, with 93 controls divided into 4 sections (rather than 114 controls over 14 sections) should support easier design, implementation and maintenance.

The Statement of Applicability  and any mappings to other common control framework mappings (like the NIST Cyber Security Framework or the Common Control Framework)  will need to be updated to address the additions and updates and remove some of the legacy domains.

What are some of the changes to controls?

The new control set reflect current security practices such as threat intelligence, securing cloud services, data masking, web filtering, secure coding, and Data Loss Protection (DLP).  These new and merged controls will need to be integrated into the ISMS.

There have been interesting changes around the treatment of ‘assets.’ The Inventory and Ownership of Assets clauses (formerly A.8.1.1 ad A.8.1.2) have been updated to require an inventory of “information and associated assets” (Control 5.9 “Inventory of information and other associated assets”). Though many organisations have done a data mapping exercise through their privacy compliance work, that mapping may have been selective to PII and may need to be extended more broadly to include all information assets.

ISO 27002 makes very few references to the term “Information Assets” which was the commonly adopted term for all types of assets holding value (i.e. assets which must be protected). Instead, it uses the concept of primary assets and supporting assets and often refers to associated assets. Those organisations which based their governance framework around ensuring the security of “Information Assets” will need to consider how this more granular and specific treatment of information and associated assets will affect them.

Is there an easy way to map the new ISO 27022: 2022 controls against those in the ISO 27002: 2013 version?

Yes, ISO 27002:2022 includes an Annexure that compares the 2022 controls against the 2013 iteration, making the task of comparing the set of controls relatively straightforward. Where the controls are the same, there is no need for repetition (if you are looking at adding the new controls into your Statement of Applicability).

When is the deadline for implementing the ISO 27002: 2022 version?

As at April 2022, there is no requirement to implement the new ISO 27002: 2022. This will only be required when the new ISO 27001 standard, with an updated Annex A referring to the new ISO 27002 controls, is released. This is expected later this year but there will also be a transition period for organisations currently certified.  We discuss the transition period below.

Relationship between Iso 27002 and ISO 27001

When is ISO 27001: 2013 being updated?

An amendment to ISO 27001, which is the main standard to which companies are certified against and stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022. The exact date has not been announced yet.

What changes are likely to be included in the update to ISO 27001: 2013?

A draft amendment replacing the Annex A controls (ISO 27002:2022) was made available in February 2022. There are no other expected amendments to ISO 27001 (other than inclusion of minor corrections identified in 2014).

How does the new ISO 27002 impact my current ISO 27001 certification?

At this stage, the ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications.

As discussed above, a new ISO 27001 is expected later in 2022.

Once the new ISO 27001 standard is released, the accreditation bodies  will work with the certification bodies on a transition cycle which gives organisations holding an ISO 27001 certificate ample time to transition from one version to another.

There is usually at least two-year transition period to allow ISO 27001 certified businesses time to revise their ISMS to adapt to a new version of a standard, meaning there will be plenty of time to implement the changes without affecting your certificate.

Do we need to update our Statement of Applicability to refer to the new ISO 27002 controls?

Until the new version of ISO 27001 is published, your SoA (Statement of Applicability) must still refer to Annex A of ISO 27001:2013

The controls in ISO 27002:2022 will be an alternative control set ( that can be used to supplement the controls in ISO 27001 Annex A until those controls are updated).  This means that if you want to be proactive you can start reviewing them to work out what changes might be needed.

At some stage after the release of updated ISO 27001, you will need to cross reference the new ISO 27002 controls to those in ISO 27001 Annex A. However, ISO 27002:2022 includes an annex that compares the 2022 controls against the 2013 iteration, making the task of comparing the set of controls relatively straightforward. Where the controls are the same, there is no need for repetition.

Impact of ISO 27002 on ISO 27001 certification process

When do organisations that are currently certified to ISO 27001, using controls from ISO 27002: 2013, need to move to the new ISO 27002: 2022 controls?

As the new ISO 27001:2022 will be released later in 2022 and a specific date is not published yet, you will likely have at least a year (and more likely two years) to officially update to the new controls from ISO 27002:2022.  The time will be depend on the transition period to be agreed between accreditation and certification bodies.

However, you can be proactive and adopt the new structure and controls earlier, incorporating them into your Statement of Applicability as additional controls.

How does it impact my organization if we are currently going through our ISO 27001 Stage 1 or Stage 2 assessment?

There is no need to include the new ISO 27002 controls until ISO 27001 is updated. As mentioned above, this is likely to be later this year.  Even then, if you are currently part way through the certification process, you may be covered by the transition provisions.  You should however confirm this with your certification body.

We have our ISO 27001: 2013  re-certification in June 2023. Are we going to be audited against the new 27002:2022 version? 

If your company is already certified, your certification body will conduct the necessary check on your ISMS and the documentation during the transition period (once the new ISO 27001 standard is released).

This transition will occur during your regular surveillance audits and a separate audit schedule is not required. There will be no need to schedule any new or additional audits. As covered above, the transition period will be at least one year and more likely two years.

What steps will we need to take when the new ISO 27001 standard, with the updated Annex A, is released?

Once the new controls (based on ISO 27002: 2022) become part of ISO 27001 Annex A, you will need to follow these steps:

1. Review risk treatment and make sure it is aligned with the new structure and numbering of controls.
2. Align the list of controls in the Statement of Applicability.
3. Update your policies and procedures, and potentially write new documents related to the new controls.
4. Implement additional controls as identified in the risk treatment review.

Since this change in the standard involves only 12 new controls, many of which may currently already be implemented, this alignment in risk treatment and documentation will be the biggest job that’s ahead of you, although it probably will not require a big change in technological and process areas.

Changes to other ISO standards

When will ISO 270017: Security controls for public cloud services be updated?

Will ISO 27701: Personal Information Management System be updated to reflect then new ISO 27002: 2022?  If yes, when is that expected?

There are other standards impacted by the change to ISO 27002 such as

• ISO 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services;
• ISO 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; and
• ISO 27701 – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management

At this stage, there is limited information on other standards that rely on ISO 27002 controls.

How can Privacy 108 help?

At Privacy 108, we have many years experience advising organisations on ISO 27001 implementations, including advising on controls whether from ISO 27002, ISO 27017 or ISO 27701.

Our team of experts is ready to support your transition to the new standard.

Contact us today to discuss how we can help: hello@privacy108.com.au