ISO 27001 and ISO 27002: 2022 updates
What we know so far about ISO/IEC 27001:2022 and ISO/IEC 27002:2022
The information security management standard ISO 27001 and its code of practice ISO 27002 were last updated almost a decade ago.
A new iteration of ISO 27002 was published in February 2022, and a revised version of ISO 27001 is expected to be published by October 2022.
This page explains what we know about the changes to ISO 27001 and ISO 27002, and how these changes affect organisations that are certified or planning to certify to ISO 27001.
First, the phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as a reference set of information security controls.
The Standard itself is significantly longer than the previous version, and the controls themselves have been reordered and updated. Some controls have been merged or removed, and some have been added:
ISO 27002:2022 lists 93 controls rather than ISO 27002:2013’s 114.
These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
People (8 controls)
Organizational (37 controls)
Technological (34 controls)
Physical (14 controls)
The completely new controls are:
Information security for use of cloud services
ICT readiness for business continuity
Physical security monitoring
Data leakage prevention
The controls now also have five types of ‘attribute’ to make them easier to categorise:
Control type (preventive, detective, corrective)
Information security properties (confidentiality, integrity, availability)
Cybersecurity concepts (identify, protect, detect, respond, recover)
Operational capabilities (governance, asset management, etc.)
Security domains (governance and ecosystem, protection, defence, resilience)
How will this affect organisations implementing ISO 27001?
As part of the risk management process, ISO 27001:2013 allows you to select controls from anywhere, as long as you compare them with Annex A and document the reasons for your choices.
Assuming the 2022 version of ISO 27001 is broadly similar to the 2013 iteration, there will be a new version of Annex A to work against once that standard is published. This will reflect the controls in the new ISO 27002.
However, until the new version of ISO 27001 is published, your SoA (Statement of Applicability) must still refer to Annex A of ISO 27001:2013. In the meantime, the controls in ISO 27002:2022 are an alternative control set, which you will have to compare with the existing Annex A, just as you would with any other alternative control set.
(ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.)
What does this mean for organisations that are already certified to ISO 27001:2013?
There is usually a two-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.
It is inadvisable to leave meeting your new obligations until the last minute, so when you renew your certification during the transition period, you could work against the new control set.
One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus your selections. This could reduce the compliance burden or help you see how to better integrate your security processes, making your ISMS (information security management system) easier to implement and manage.
Should organisations planning to certify to ISO 27001 wait till the new standards are published?
No. You lose nothing by implementing an ISMS that conforms to ISO 27001:2013 and uses the existing Annex A control set, whether for direct implementation or as a reference against other controls.
Waiting till the new iteration of ISO 27001 is published will likely leave you at greater risk.
ISO Systems UK has everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.