List of ISO 27002 2022 Controls : What changed in 2022
Meeba Gracy
Sep 25, 2024
Are you tired of constantly worrying about your organization’s security? Do you want to ensure that your company’s sensitive data is protected at all times? If so, then this guide on ISO 27002 controls is for you.
In this article, you will learn what ISO 27002 is, the changes implemented since the update last year, and the difference between ISO 27002 controls and ISO 27001.
Let’s dive in…
TL;DR
- ISO/IEC 27002:2022 is not a certification standard like ISO/IEC 27001. Instead, it offers a list of controls along with detailed guidance on their implementation. Use it as a blueprint to establish an ISO/IEC 27001-compliant ISMS and refine your cybersecurity practices.
- In its latest edition, ISO/IEC 27002 includes 93 controls, spread across four domains, with some controls merged and 11 new controls added to enhance security.
What is ISO 27002 Standard?
ISO/IEC 27002 is a supplementary international standard to ISO/IEC 27001, providing detailed guidance on implementing the controls listed in Annex A of ISO/IEC 27001. Unlike ISO 27001, ISO 27002 is not a certification standard. Consider it your blueprint for establishing an ISO 27001-compliant system and refining your cybersecurity practices.
In its latest iteration, ISO 27002:2022, it covers 93 controls and practical guidance on implementing them. These controls span four key domains:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
What are ISO/IEC 27002 controls?
ISO/IEC 27002 controls are a collection of information security, cyber security, and privacy protection measures, along with implementation recommendations that are based on globally accepted industry standards.
The latest version of the ISO/IEC 27002 has been updated to ensure that it reflects developments and the most up-to-date information security practices that are being used in different sectors across businesses and governments.
After months of work, the new edition was finally published on February 15th, 2022 for all to use.
ISO 27002:2013 vs ISO 27002:2022: What’s changed?
The most prominent change between the older iteration and the latest update is that ISO 27002 now offers a straightforward, standalone list of information security controls, rather than just a code of practice for implementing them.
Let’s dive a little deeper into the changes:
| Aspect | ISO 27002:2013 | ISO 27002:2022 |
|---|---|---|
| Structure | Structured as a code of practice with guidelines. | Presents a standalone list of information security controls. |
| Controls | Contains 114 controls organized into 14 clauses. | Consolidates controls into 93 controls across 4 themes. |
| Themes/Categories | Clauses include categories such as Asset Management, Access Control, etc. | Themes are now: Organizational, People, Physical, Technological. |
| Control Format | Controls are descriptive, with detailed guidelines for implementation. | Controls are concise, providing clear objectives and implementation guidance. |
| Annexes and Appendices | Includes annexes that guide the implementation of controls under fourteen domains. | Reduces the number of themes from fourteen to four, focusing on core domains, and adds two annexes. |
| Terminology | Uses terminology from 2013 standards and practices. | Updates terminology to align with current technology and practices. |
| Risk Management | Emphasizes risk management throughout the guidelines. | Continues to emphasize risk management, with more focus on cybersecurity and data privacy. |
| Alignment with Other Standards | Aligns with ISO 27001:2013. | Aligns with ISO 27001:2022, ensuring compatibility with the updated standard. |
| Implementation Guidance | Provides a code of practice for controls. | Offers more detailed and structured guidance, making it easier to understand and implement. |
| Focus | Broad focus on various aspects of information security practices. | Increased focus on practical implementation and usability of controls. |
How to select and Implement ISO 27002 controls?
Implementing ISO/IEC 27002 controls in alignment with ISO/IEC 27001 involves mapping each control to the corresponding requirement specified in ISO/IEC 27001 Annex A.
The specifics vary with the organization’s risk profile and compliance considerations, and staying aligned with the ISO 27002 control objectives should be the rationale when selecting and implementing ISO 27002 controls. You may add, enhance, exclude, or consolidate controls that address similar concerns.
Here are the steps that can help you evaluate the right controls and implement them:
1. Understand ISO/IEC 27001 Annex A
Annex A of ISO/IEC 27001 provides a list of control objectives and controls. ISO/IEC 27002 provides detailed implementation guidance for these controls. Annex A serves as a reference to ensure that all necessary controls are considered for the ISMS.
2. Determine your risk profile
A comprehensive assessment that identifies critical assets and their associated risks must be conducted to determine the organization’s risk profile. This helps in understanding the likelihood and impact of potential threats and in prioritizing the selection of controls.
3. Make a selection based on applicability
To tailor the control selection to your business needs, consider operational requirements and technological capabilities along with the two factors above. Also ask questions that help determine applicability, such as:
- Are there any controls mandated by industry or regulatory frameworks?
- Does excluding a control leave any critical risks unaddressed?
- What are the costs and benefits of implementing each of these controls?
- Are there multiple controls for similar risks that can be streamlined into one control?
4. Create a tactical implementation plan
A well-documented plan with specific, measurable and time-bound objectives, together with outlined tasks and procedures, forms a solid tactical implementation plan. It should also include the KPIs and KRIs that will be used to measure the effectiveness of control implementation.
5. Train and educate workforce
A combination of communication and training will help the workforce understand the rationale behind the process and implement controls well. Tailor the training program as per skill gaps and keep it engaging for maximum participation.
6. Continuously improve to stay compliant
Periodic reviews, internal audits, and other surveillance techniques must be implemented to gain visibility into progress and to address any ingrained weaknesses that persist. To stay compliant, businesses must be ‘always watchful’.
What has changed from the old version of ISO 27002 Controls?
ISO/IEC 27002:2022, the revision of ISO/IEC 27002:2013, now consists of 93 controls, 11 of which are new. While the 2013 release had 114 controls under 14 clauses, the 2022 version has only 4 security domains. To simplify the security management guidelines, 24 controls have been merged and 58 updated from the previous version, streamlining the entire framework and enhancing overall usability.
New controls have been added to the revised list keeping in mind the need for even more robust security requirements with evolving threat sophistication.
ISO 27002:2022 Controls List
Here is the List of ISO 27002 controls (As per the latest version 2022):
| Category | Control Number | Control Title | Description |
|---|---|---|---|
| Organizational Controls | 5.1 | Policies for Information Security | Develop and implement policies that establish an effective framework that promises information and data security. |
| | 5.2 | Information Security Roles and Responsibilities | Define and communicate specific security responsibilities for all personnel, minimizing the risk of fraud. |
| | 5.3 | Segregation of Duties | Separate responsibilities to reduce vulnerabilities and prevent conflicts of interest. |
| | 5.4 | Management Responsibilities | Ensure management oversight and accountability for information security. |
| | 5.5 | Contact with Authorities | Establish communication channels with regulatory and law enforcement authorities. |
| | 5.6 | Contact with Special Interest Groups | Engage with industry groups to stay informed about security trends and threats. |
| | 5.7 | Threat Intelligence | Gather and analyze information on potential threats to enhance security measures. |
| | 5.8 | Information Security in Project Management | Integrate security considerations into project planning and execution. |
| | 5.9 | Inventory of Information and Associated Assets | Maintain a detailed inventory of all assets and their owners. |
| | 5.10 | Acceptable Use of Information and Associated Assets | Define and enforce rules for the proper use of organizational assets. |
| | 5.11 | Return of Assets | Ensure the secure return of assets when no longer in use by employees or contractors. |
| | 5.12 | Classification of Information | Categorize information based on its sensitivity and criticality. |
| | 5.13 | Labeling of Information | Appropriately label information according to its classification. |
| | 5.14 | Information Transfer | Securely manage the transfer of information within and outside the organization. |
| | 5.15 | Access Control | Implement controls to restrict and regulate access to information, preventing unauthorized access. |
| | 5.16 | User Access Management | Manage the lifecycle of user access from provisioning to de-provisioning. |
| | 5.17 | User Responsibilities | Hold users accountable for maintaining the confidentiality of their access credentials. |
| | 5.18 | System and Application Access Control | Ensure access controls are in place for systems and applications. |
| | 5.19 | Information Security in Supplier Relationships | Ensure suppliers adhere to security requirements. |
| | 5.20 | Addressing Information Security within Supplier Agreements | Include security clauses in supplier contracts. |
| | 5.21 | Managing Information Security in the ICT Supply Chain | Assess and manage security risks in the ICT supply chain. |
| | 5.22 | Monitoring and Review of Supplier Services | Regularly monitor and review supplier performance. |
| | 5.23 | Managing Changes to Supplier Services | Control and approve changes to supplier services affecting security. |

| Category | Control Number | Control Title | Description |
|---|---|---|---|
| People Controls | 6.1 | Screening | Screen potential employees to ensure security. |
| | 6.2 | Terms and Conditions of Employment | Include security expectations in employment terms. |
| | 6.3 | Information Security Awareness, Education, and Training | Educate employees on security practices. |
| | 6.4 | Disciplinary Process | Address security breaches through disciplinary actions. |
| | 6.5 | Responsibilities after Termination or Change of Employment | Manage security responsibilities after employment changes. |

| Category | Control Number | Control Title | Description |
|---|---|---|---|
| Physical Controls | 7.1 | Physical Security Perimeter | Establish secure boundaries for sensitive areas. |
| | 7.2 | Physical Entry Controls | Control physical access to secure areas. |
| | 7.3 | Securing Offices, Rooms, and Facilities | Ensure security of offices, rooms, and facilities. |
| | 7.4 | Physical Security for Equipment | Protect physical equipment from security threats. |
| | 7.5 | Secure Disposal or Reuse of Equipment | Ensure secure disposal or reuse of equipment. |
| | 7.6 | Cabling Security | Protect cabling from interception or damage. |
| | 7.7 | Security of Supporting Utilities | Ensure the security of utilities supporting information systems. |
| | 7.8 | Security of Equipment Off-premises | Protect off-premises equipment. |
| | 7.9 | Clear Desk and Clear Screen Policy | Implement clear desk and screen policies to protect information. |

| Category | Control Number | Control Title | Description |
|---|---|---|---|
| Technological Controls | 8.1 | Operational Procedures and Responsibilities | Define and document operational procedures and responsibilities. |
| | 8.2 | Change Management | Manage changes to information systems securely. |
| | 8.3 | Capacity Management | Manage capacity to ensure performance and security. |
| | 8.4 | Separation of Development, Testing, and Operational Environments | Separate environments to reduce risk. |
| | 8.5 | Protection from Malware | Implement measures to protect against malware. |
| | 8.6 | Management of Technical Vulnerabilities | Manage technical vulnerabilities. |
| | 8.7 | Information Backup | Ensure regular backups of critical information. |
| | 8.8 | Logging and Monitoring | Implement logging and monitoring of activities. |
| | 8.9 | Control of Operational Software | Control installation of software on operational systems. |
| | 8.10 | Management of Technical Documentation | Manage technical documentation securely. |
| | 8.11 | Monitoring and Control of ICT Networks | Monitor and control ICT networks. |
| | 8.12 | Web Filtering | Control access to web resources to enhance security. |
| | 8.13 | Management of Removable Media | Control the use of removable media. |
| | 8.14 | Information Transfer | Protect information during transfer across networks. |
| | 8.15 | Control of Mobile Devices and Teleworking | Secure mobile devices and teleworking arrangements. |
Out of these 93 controls, here are some of the new controls that were not in the previous iteration.
A.5.7 Threat intelligence
Threat intelligence involves collecting, analyzing, and contextualizing data about threats to the organization. By doing so, companies gain comprehensive insight into potential threats, which ultimately makes them better prepared against attacks.
A.5.23 Information security for cloud services
Businesses of all sizes embrace the advantages of cloud services, but with their growing popularity comes heightened information security risk. Control 5.23 addresses this by proactively establishing processes for the acquisition, use, management of, and exit from cloud services.
This helps ensure that businesses have the procedures to protect their data and optimally manage their security posture when using these services.
A.5.30 ICT Readiness for Business Continuity
The importance of maintaining ICT platforms and services cannot be understated to ensure business continuity in the face of disruption or a critical event.
Control 5.30 guides organizations on managing and optimizing ICT systems in light of this, outlining the processes for a response, recovery, and restoration that should be adhered to, as well as analyzing key metrics such as RTOs and BIA results.
This assists organizations in ensuring their ICT readiness is sufficient for maintaining continuous operation throughout severe episodes.
A.7.4 Physical security monitoring
Ensuring physical security is of utmost importance for organizations wishing to protect their critical data. Physical security monitoring offers a cost-effective solution for safeguarding premises and deterring any unauthorized access to restricted areas.
This includes deploying CCTV cameras, motion sensors, and even tamper-proof locks to monitor security around buildings with confidential information.
A.8.9 Configuration management
Configuration management is a critical element of any organization’s security infrastructure. It enables hardware, software, and entire networks to be configured with the appropriate policies to protect an organization from unwanted outside influences.
Configuration files can dictate network security measures like block lists, port forwarding, virtual LANs, and VPN information among others. Also, it can help organizations meet compliance standards that are important for the security audit processes.
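Configuration management only protects the organization if the running configuration is regularly compared with the approved one. As an added example (not code from the article or from Sprinto), the following Python checks a host's effective settings against a security baseline and reports drift. The baseline, the dotted key names, the sshd_config fragment and the firewall and VPN observations are all constructed for the example; the one real detail relied on is that sshd_config uses the first occurrence of a keyword.

```python
"""Added example: configuration drift check against a security baseline
(ISO 27002:2022 control 8.9). Baseline, config text and observations are constructed."""

# Assumed baseline: the configuration the organisation's policy requires.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "firewall.allowed_ports": {22, 443},   # a set: any port beyond these is drift
    "vpn.require_mfa": "yes",
}

# Constructed sshd_config fragment: a commented-out line and a later duplicate key.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""


def parse_key_value_config(text: str) -> dict:
    """Parse 'Keyword value' lines, skipping blanks and '#' comments.
    The first occurrence of a keyword wins, which is how sshd_config is evaluated."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def observed_from_sources(sshd_text: str, firewall: dict, vpn: dict) -> dict:
    """Flatten per-subsystem settings into the dotted keys used by the baseline."""
    observed = {"ssh." + k: v for k, v in parse_key_value_config(sshd_text).items()}
    observed.update({"firewall." + k: v for k, v in firewall.items()})
    observed.update({"vpn." + k: v for k, v in vpn.items()})
    return observed


def check_drift(observed: dict, baseline: dict = BASELINE) -> list:
    """Return (key, kind, expected, actual) tuples for every baseline item not satisfied.
    A setting that is not reported at all is drift, never silently treated as compliant."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append((key, "missing", expected, None))
        elif isinstance(expected, set):
            extra = set(observed[key]) - expected
            if extra:
                findings.append((key, "extra", sorted(expected), sorted(extra)))
        elif observed[key] != expected:
            findings.append((key, "mismatch", expected, observed[key]))
    return findings


# Constructed observations from the other subsystems.
SAMPLE_FIREWALL = {"default_inbound": "deny", "allowed_ports": [22, 443, 8080]}
SAMPLE_VPN = {}   # vpn.require_mfa is never reported and must show up as drift


def run_sample() -> list:
    return check_drift(observed_from_sources(SAMPLE_SSHD_CONFIG, SAMPLE_FIREWALL, SAMPLE_VPN))


if __name__ == "__main__":
    for key, kind, expected, actual in run_sample():
        print(f"{kind:8} {key}: expected {expected!r}, got {actual!r}")
```

Two behaviours matter for audit evidence: an unreported setting is a finding rather than a pass (a collector that silently fails must not make a host look compliant), and set-valued items such as allowed ports flag additions rather than requiring an exact match, so the report names the specific extra port that needs a change ticket.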
A.8.10 Information deletion
Information deletion is essential in mitigating data risk, as it can reduce the impact of a potential security breach or of a failure to comply with legal standards. Control 8.10 helps organizations comply with relevant laws and regulations regarding data erasure by providing a complementary approach designed around the company’s current data retention practices.
A.8.11 Data masking
Data masking is an effective method to protect PII stored within an organization’s systems. Data masking takes access control measures further, ensuring that sensitive data stored within systems is obfuscated or encrypted so that it is not readily accessible.
This goes beyond the scope of regular access controls and can be required due to statutory or regulatory compliance.
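As an added illustration of the data masking the control describes (not code from the article or from Sprinto), the following Python applies field-level masking to a record before it leaves a production store for a lower-trust environment such as support tooling or test data. The masking policy, the field names, the pseudonymisation key and the sample record are all constructed for the example; the post-masking check at the end is the kind of test a practitioner would wire into the export path.

```python
"""Added example: field-level data masking for PII (ISO 27002:2022 control 8.11).

Nothing here is from the article. Policy, field names, key and sample data are constructed.
"""
import hashlib
import hmac

# Assumed policy: which field gets which masking strategy. Fields not listed pass through.
MASKING_POLICY = {
    "email": "partial_email",
    "card_number": "last4",
    "phone": "last4",
    "national_id": "pseudonym",
    "name": "redact",
}

# Key for keyed pseudonymisation. A real deployment loads this from a secret store;
# this constant is a placeholder for the example only.
PSEUDONYM_KEY = b"example-masking-key-not-for-production"


def mask_email(value: str) -> str:
    """a.smith@example.org -> a******@example.org: keeps the domain, hides the local part."""
    local, _, domain = value.partition("@")
    if not domain:
        return "*" * len(value)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_last4(value: str) -> str:
    """Keep only the last four digits; separators and length are preserved so
    downstream format checks (card/phone patterns) still pass on masked data."""
    total = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def pseudonymise(value: str) -> str:
    """Keyed hash: the same input always maps to the same token, so records can still be
    joined across tables, but the value cannot be recovered without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_record(record: dict) -> dict:
    """Apply MASKING_POLICY to one record and return the masked copy."""
    masked = {}
    for field, value in record.items():
        strategy = MASKING_POLICY.get(field)
        if strategy is None:
            masked[field] = value                # not PII under the policy
        elif strategy == "partial_email":
            masked[field] = mask_email(value)
        elif strategy == "last4":
            masked[field] = mask_last4(value)
        elif strategy == "pseudonym":
            masked[field] = pseudonymise(value)
        elif strategy == "redact":
            masked[field] = "[REDACTED]"
    return masked


def contains_raw_pii(masked: dict, original: dict) -> bool:
    """Export-time guard: True if any policy field still carries its original value."""
    return any(
        field in MASKING_POLICY and str(original[field]) in str(masked[field])
        for field in original
    )


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Ada Smith",
    "email": "a.smith@example.org",
    "card_number": "4111 1111 1111 1111",
    "phone": "+1-555-0100",
    "national_id": "AB123456C",
    "plan": "gold",
}

if __name__ == "__main__":
    out = mask_record(SAMPLE_RECORD)
    print(out)
    print("raw PII leaked:", contains_raw_pii(out, SAMPLE_RECORD))
```

The design point is that each strategy is chosen per field, not per dataset: partial masking keeps the email domain usable for analytics, last-four masking keeps formats valid for test systems, and keyed pseudonymisation keeps joins working without exposing the identifier. The `contains_raw_pii` check is the control that catches a policy gap (a new PII field added to the schema but not to the policy) before data leaves the trusted environment.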
A.8.12 Data leakage prevention
Data leakage prevention is vital to protecting organizations and limiting their vulnerabilities. Implementing Control 8.12, a dual-purpose preventive and detective control, supports proactively detecting, preventing, and responding to data leakage from internal and external sources.
A.8.16 Monitoring activities
Network monitoring is a critical part of the IT support and information security process, constituting an integral layer of the organization’s defense-in-depth security strategy.
Control 8.16 provides protective and corrective capabilities in mitigating risks through careful observance and examination of unusual activities, allowing for a speedy resolution to incidents and events. This, in turn, results in improved systems performance and safeguarding of valuable assets from malicious cyber attacks.
A.8.23 Web filtering
Web filtering is a critical control that organizations must use to guard against security risks and ensure the safety of their information systems. By using web filtering technology, organizations can restrict access to malicious websites, helping to protect their networks from malware attacks and data breaches.
This process also reduces staff distraction and potential waste of resources as users cannot access external sites that do not offer any business value. Implementing effective web filtering is essential to guarantee corporate networks’ health and integrity.
A.8.28 Secure coding
Secure coding practices protect information systems against today’s sophisticated cyber threats. Without secure coding, organizations risk exposing vulnerabilities and running the risk of compromise to their critical assets.
To prevent this, implementing Control 8.28 ensures that applications and networks are designed with security throughout the entire process by eliminating potential risks before they become an issue.
This preventive control can protect your company from cyber attacks associated with poor coding practices, such as weak key generation and improper input validation.
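As an added example of the two coding defects the text names, weak key generation and improper input validation (code written for this page, not from the article or from Sprinto), the following Python places a weak pattern beside its corrected form. The request shape, the username rules and the API-key scheme are assumptions for the example.

```python
"""Added example: secure coding practices named under control 8.28.
Request fields, username rules and the API-key scheme are assumptions for the example."""
import hashlib
import hmac
import random
import re
import secrets

# Allowlist for usernames: lowercase letter, then 2..31 of [a-z0-9_]. Used with fullmatch.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
MAX_DISPLAY_NAME = 64
ALLOWED_FIELDS = {"username", "display_name"}


def validate_new_user(payload: dict) -> dict:
    """Allowlist validation: reject anything outside the expected shape instead of
    trying to sanitise it. Unknown fields are rejected so a client cannot smuggle in
    attributes (such as a role) that the handler never meant to accept."""
    if not isinstance(payload, dict) or set(payload) - ALLOWED_FIELDS:
        raise ValueError("unexpected field")
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    display = payload.get("display_name", username)
    if (not isinstance(display, str) or not display
            or len(display) > MAX_DISPLAY_NAME or not display.isprintable()):
        raise ValueError("invalid display name")
    return {"username": username, "display_name": display}


def weak_api_key(seed: int) -> str:
    """Defect: random is a deterministic PRNG. Given the seed (often a timestamp),
    the same key is reproduced every time, as the test below demonstrates."""
    rng = random.Random(seed)
    return "%016x" % rng.getrandbits(64)


def issue_api_key() -> tuple:
    """Corrected form: 256 bits from the OS CSPRNG. Only the hash is stored, so a
    leaked user table does not leak usable keys."""
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode()).hexdigest()


def verify_api_key(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison of the presented key's hash against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    print(validate_new_user({"username": "alice_01", "display_name": "Alice"}))
    key, stored = issue_api_key()
    print("verify own key:", verify_api_key(key, stored))
    print("same seed, same weak key:", weak_api_key(1) == weak_api_key(1))
```

The validation is an allowlist with `fullmatch` rather than a blocklist of bad characters, which is what keeps later layers (database, templates, shell) from ever seeing input outside the expected alphabet. On the key side the two properties to check in review are the entropy source (`secrets`, not `random`) and that verification compares hashes in constant time.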
Specific ISO 27002 Control Changes
Here is a detailed overview of ISO 27002:2022 control changes:
| Changes | Details |
|---|---|
| New controls | 11 |
| Domains | 13 down to 4 |
| Split controls | 1 divided into 2 |
| Merged controls | 56 reduced to 24 |
| Overall | 114 down to just 93 |
The latest update of ISO/IEC 27002 significantly improves how it structures control sets. Previously, 14 control domains were established, but now all those domains have been consolidated into just four security categories that are streamlined, organized, and easier to understand.
These include:
- Organizational
- People
- Physical
- Technological
The standard now consists of 93 controls, 11 of which are new. To improve navigation, 24 controls have been formed by merging 2, 3, or more security controls from the 2013 version, streamlining the entire framework and making it easier to navigate.
This upgrade means users are no longer held back by complications in following basic information security practices: they can use the new and improved navigation while security is maintained at all times.
Annex A gives guidance on applying these control attributes, and Annex B provides a cross-reference of control numbers and identifiers for quick, on-demand lookup.
It goes beyond simply telling users what differs from the 2013 edition by providing two tables that cross-reference this information, giving clarity and a better understanding of how cyber security has changed over time.
Difference between ISO 27001 and ISO 27002
The main difference between ISO 27001 and ISO 27002 is that ISO 27001 presents a broad framework for effective information security management, while ISO 27002 provides the details needed to turn that framework into practice.
As an in-depth supplement to ISO 27001, ISO 27002 shows how to choose and implement controls according to best practices, giving organizations the tools they need for secure data protection.
The 114 security controls listed in Annex A are divided into 14 categories for referencing in ISO 27001 documents. Thanks to this complementary relationship between ISO 27001 and ISO 27002, organizations can ensure that their information security practices are up to industry standards.
Organizations can use ISO 27002 security controls as a guiding beacon on how to meet the requirements of ISO 27001. However, it is not a certification standard in itself.
As such, an assessment against ISO 27001 outlines the accomplishments needed for organizational approval and verification that the ISMS is secure and meets internationally accepted standards.
What’s Next?
Complying with ISO 27001 can be a daunting prospect due to the length of requirements. By understanding the requirements and mapping out a plan, you can ensure your organization takes the necessary steps to protect its data.
And if you need help, Sprinto’s compliance automation makes it much simpler. Our continuous monitoring solution and employee training module help speed up the process.
At the same time, the internal audit feature gives improved visibility into existing systems and helps identify areas for improvement. With Sprinto’s intuitive tools and comprehensive resources, you can be certain that your organization is ISO 27001 compliant in no time.
We hope this guide has helped get you started on your compliance journey. What other questions do you have about ISO 27002 controls? Talk to us to know more!
FAQs
Is ISO 27002 A control framework?
The ISO 27002 framework offers extensive guidance and industry expertise on incorporating the essential controls listed in Annex A of ISO 27001. An invaluable resource for ensuring that appropriate security measures are taken, it should be read alongside its sister standard, ISO 27001.
What is ISO 27002 used for?
ISO 27002 provides comprehensive guidance on selecting information security controls, giving organizations all they need to protect their data. Annex A in ISO 27001 outlines a number of potential tools and strategies that companies can use to ensure secure operations. Information security experts leverage these resources when crafting sound cybersecurity initiatives for businesses everywhere.
How many controls does 27002:2022 have?
ISO 27002:2022 has 93 controls that organizations can use to address their information security needs. Compared with its 2013 predecessor, this new standard is longer and more robust: some controls were merged or removed while others were added for additional support.
How many ISO 27001 controls are there?
ISO 27001 compliance involves following a comprehensive set of controls to ensure the security and integrity of your organization’s data. This includes 114 distinct controls spread across 14 domains that must be satisfied for ISO certification.