Main changes in the new ISO 27002 2022 revision

Update 2022-02-16: This blog post was updated since the official ISO 27002 2022 revision was published on February 15, 2022.

It’s been eight years since the last revision of ISO/IEC 27002 (in 2013), and although ISO 27001:2013 was confirmed in 2019 (i.e., no changes in the Information Security Management System standard were required), ISO 27002 definitely needed improvement to fulfill its role as guidance for implementation of ISO 27001 Annex A controls.

The new 2022 revision of ISO 27002 was published on February 15, 2022, and in this article I’ll present the main changes compared to ISO 27002:2013. These concern not only the controls themselves, but also how to organize and use them.

The new ISO 27002 has 93 controls in the following four sections:
  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)

Structure of sections

Down from the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)
  • Annex A – Using attributes
  • Annex B – Correspondence with ISO/IEC 27002:2013

This new structure makes it easier to understand, at a high level, where the controls apply and who is responsible for them.

Number of controls

This new version has reduced the number of controls from 114 to 93. Technological advancements and an improved understanding of how to apply security practices seem to be the reasons for the change in the number of controls.

Elements of each control

The controls in the new version of ISO 27002 have two new elements in their structure:

  • Attribute table: attributes associated with the control (see next section for explanation)
  • Purpose: rationale for applying the control

*** This is a Security Bloggers Network syndicated blog from ISO 27001 & ISO 22301 Blog – 27001Academy authored by ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/