ISO 27001: 2022

ISO 27001:2022 and ISO 27002:2022 Information security, cybersecurity and privacy protection — Information security controls


Changes in ISO/IEC 27001:2022

The main changes in ISO/IEC 27001:2022 include:

  • Annex A references to the controls in ISO/IEC 27002:2022, which includes the control title and the control;
  • The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”;
  • The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.

Changes in ISO 27002:2022

ISO/IEC 27002:2013 contains 114 controls in 14 domains; ISO/IEC 27002:2022 will contain 93 controls in 4 domains:

  • Chapter 5 – Organizational (if they do not fall under any other domain) – 37 controls
  • Chapter 6 – People (if they concern individual people) – 8 controls
  • Chapter 7 – Physical (if they concern physical objects) – 14 controls
  • Chapter 8 – Technological (if they concern technology) – 34 controls

There are now 5 control attributes for each control:

  1. How to categorize – preventative, detective, corrective
  2. Information security properties – confidentiality, integrity, availability
  3. Cybersecurity concepts – identify, protect, detect, respond, recover
  4. Operational capabilities – governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance
  5. Security domains – governance and ecosystem, protection, defence, resilience

Twelve new controls have been introduced in the new version of ISO/IEC 27002:

  • Threat intelligence
  • Identity management Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring User endpoint devices
  • Configuration management Information deletion
  • Data masking
  • Data leakage prevention
  • Web filtering
  • Secure coding

Sixteen controls were deleted due to duplication or better alignment under other controls:

  • Review of the policies for information security
  • Mobile device policy
  • Ownership of assets
  • Handling of assets
  • Password management system
  • Delivery and loading areas
  • Removal of assets
  • Unattended user equipment
  • Protection of log information
  • Restrictions on software installation
  • Electronic messaging
  • Securing application services on public networks
  • Protecting application services transactions
  • System acceptance testing
  • Reporting information security weaknesses
  • Technical compliance review

There are a few controls that were modified and integrated to become one main control. Here are a few examples:

  • “Inventory of Assets” is modified as “Inventory of information and other associated assets”.
  • “Acceptable use of assets” changed to “Acceptable use of information and other associated assets”.
  • Policy on cryptographic controls and key management etc. changed to “Use of Cryptography controls”.
  • Event logging renamed to “Logging”.
  • Admin and operator logs changed to “Monitoring activities”.
  • Information transfer policies and procedures, agreement on Information transfer, etc. combined as a main control under “Information transfer”.


Read more at the ANSI Blog: Planned Changes in the New ISO/IEC 27001 and ISO/IEC 27002

June 09, 2023

Comments are closed.