The information security management standard ISO 27001 and its code of practice ISO 27002 were last updated almost a decade ago. The typical lifespan of an ISO standard is five years. After this period, it is evaluated whether the standard can stay valid, needs revision or should be retracted. On February 15, ISO 27002:2022 was released (source), and a revised version of ISO 27001 is expected to be published by October 2022.replacing the 2013 version. To help you determine the impact on your (upcoming) ISO 27001 implementation, Bring out the Best is ready to support you in your transition to ISO 27001:2022.
The Standard (ISO 27002:2022) itself is significantly longer than the previous version, and the controls themselves have been reordered and updated. Some controls have been merged or removed, and some have been added:
- ISO 27002:2022 introduces 11 new controls and quite a few controls have been merged.so it now lists 93 controls rather than ISO 27002:2013’s 114.
- These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
- The completely new controls are:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
- The controls now also have five types of ‘attribute’ to make them easier to categorise:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)