Important updates to ISO 27002 for 2022 (and impacts to ISO 27001)

Article

Our colleagues at member firm BDO USA posted the original version of this article on April 18, 2022. You can also read it below.


Cybersecurity threats are escalating around the globe and can affect any organization. The International Organization for Standardization (ISO) developed standards to provide solutions to these types of global challenges.

On Feb. 15, 2022, ISO issued an update to ISO 27002 (which affects Annex A of ISO 27001). The goal was to make the standard more relevant and up to date with the latest technologies and security threats. The changes are also intended to make it easier for organizations to comply with the standard.

Notable changes include:

  • The standard will be renamed ISO 27002:2022. It was previously named ISO 27002:2013.
  • Control changes:
    • Decreased the number of information security controls in Annex A to 93 from 114.
    • Introduced 11 new controls and merged controls to avoid redundancy.
  • Sections were restructured and there are now four main domains instead of 14.
  • There’s a greater emphasis on cyber risks.

What are the differences between ISO 27001 and 27002?

ISO/IEC 27001 and ISO/IEC 27002 (their formal names) are the primary ISO standards designed to enhance the security of an organization’s information.

ISO 27001 is the actual certification standard for organizations; they get certified against it. As the globally recognized standard, it provides the requirements to establish, implement, maintain, and continually improve an organization’s information security management system. The current version, ISO 27001:2013, will be renamed ISO/IEC 27001:2013+A1:2022 (the last major update occurred in 2013, with some minor revisions in 2017).

ISO 27002 provides guidance to organizations on selecting, implementing, and managing the information security controls listed in Annex A of ISO 27001. Organizations cannot be certified against ISO 27002, since it is a supporting standard containing guidance rather than requirements. The updated name is now ISO/IEC 27002:2022.

What are the new controls?

The 11 new control topics introduced are:

  1. Threat intelligence (5.7)
  2. Information security for the use of cloud services (5.23)
  3. ICT readiness for business continuity (5.30)
  4. Physical security monitoring (7.4)
  5. Configuration management (8.9)
  6. Information deletion (8.10)
  7. Data masking (8.11)
  8. Data leakage prevention (8.12)
  9. Monitoring activities (8.16)
  10. Web filtering (8.22)
  11. Secure coding (8.28)

What are the section changes?

ISO restructured the standard into four sections and two annexes, down from 14 sections in total.

Sections

  1. Organizational Controls (37), now Domain 5.
  2. People Controls (8), now Domain 6.
  3. Physical Controls (14), now Domain 7.
  4. Technological Controls (34), now Domain 8.

Annexes

  1. Annex A, which includes guidance for the application of attributes.
  2. Annex B, which corresponds with ISO/IEC 27002:2013.

When did the changes take place?

  • ISO 27002 was updated on Feb. 15, 2022 (ISO 27002:2022).
  • Annex A of ISO 27001 will be aligned with these changes sometime during 2022, although the official date has not been announced (ISO 27001:2013+A1:2022).

What does this mean for organizations?

Organizations already certified to ISO 27001:2013 will need to update their certification to align with the revised standard. They may also want to:

  • Purchase the new guide.
  • Review and update policies, procedures, and documentation (e.g., Internal Audit Plan/Policy, Statement of Applicability, Risk Assessment, Asset Inventory, and other components).
  • Perform a gap analysis.
  • Inform their certification body of the planned timing for certifying to the new standard.

When must organizations comply or adopt?

Certified organizations will have a transition period to update their certification (once the official update to ISO 27001 is published). The transition period will be defined by your certification body.

Organizations without a certification should certify to the new 2022 standard.

What are the benefits of ISO 27001 certification?

  • Improved security: by identifying and addressing information security risks, organizations are better positioned to protect their data and reduce the risk of a data breach.
  • Address global customer requirements: ISO 27001 certification can help an organization meet the security compliance requirements of global customers.
  • Competitive advantage: demonstrating that your organization meets the highest standards for information security can increase trust and transparency with your customers.
  • Mitigate risks: certification can help mitigate the risk of cyber attacks and data breaches that may cause organizations to lose customers, incur regulatory fines, and suffer damage to their brand and reputation.

How we can help

Choosing the right service auditor is critical to an organization’s success. Our trusted and experienced team collaborates with organizations to develop a comprehensive and defensible compliance program to meet various security standards. Contact us to learn how we can help your business get its certification.