List of ISO 27002 2022 Controls : What changed in 2022

Meeba Gracy

Sep 25, 2024

Are you tired of constantly worrying about your organization’s security? Do you want to ensure that your company’s sensitive data is protected at all times? If so, then this guide on ISO 27002 controls is for you.

In this article, you will learn what ISO 27002 is, the changes implemented since the update last year, and the difference between ISO 27002 controls and ISO 27001. 

Let’s dive in…

TL;DR

  • ISO/IEC 27002:2022 is not a certification like ISO/IEC 27001. Instead, it offers a list of controls along with detailed guidance on their implementation. Use it as a blueprint to establish an ISO/IEC 27001-compliant system and refine your cybersecurity practices.
  • In its latest edition, ISO/IEC 27002 includes 93 controls, spread across four domains, with some controls merged and 11 new controls added to enhance security.   

What is ISO 27002 Standard?

ISO/IEC 27002 is a supplementary international standard to ISO/IEC 27001, providing detailed guidance on implementing the controls listed in Annex A of ISO/IEC 27001. Unlike ISO/IEC 27001, ISO/IEC 27002 is not a certification standard. Consider it your blueprint to establish an ISO/IEC 27001-compliant system and refine your cybersecurity practices.

Its latest iteration, ISO 27002:2022, covers 93 controls and gives practical guidance on implementing them. These controls span four key domains:

  • Organizational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

What are ISO/IEC 27002 controls?

ISO/IEC 27002 controls are a collection of information security, cyber security, and privacy protection measures, along with implementation recommendations that are based on globally accepted industry standards.

The latest version of the ISO/IEC 27002 has been updated to ensure that it reflects developments and the most up-to-date information security practices that are being used in different sectors across businesses and governments.

After months of work, the new edition was finally published on February 15th, 2022 for all to use. 

ISO 27002:2013 vs ISO 27002:2022: What’s changed?

The most prominent change between the older iteration and the latest update is that ISO 27002 now offers a straightforward, standalone list of information security controls, rather than just a code of practice for implementing them.

Let’s dive a little deeper into the changes:

| Aspect | ISO 27002:2013 | ISO 27002:2022 |
|---|---|---|
| Structure | Structured as a code of practice with guidelines. | Presents a standalone list of information security controls. |
| Controls | Contains 114 controls organized into 14 clauses. | Consolidates controls into 93 controls across 4 themes. |
| Themes/Categories | Clauses include categories such as Asset Management, Access Control, etc. | Themes are now: Organizational, People, Physical, Technological. |
| Control Format | Controls are descriptive, with detailed guidelines for implementation. | Controls are concise, providing clear objectives and implementation guidance. |
| Annexes and Appendices | Includes annexes that guide the implementation of controls under fourteen domains. | Reduces the number of themes from fourteen to four, focusing more on core domains, and adds two annexes. |
| Terminology | Uses terminology from 2013 standards and practices. | Updates terminology to align with current technology and practices. |
| Risk Management | Emphasizes risk management throughout the guidelines. | Continues to emphasize risk management, with more focus on cybersecurity and data privacy. |
| Alignment with Other Standards | Aligns with ISO 27001:2013. | Aligns with ISO 27001:2022, ensuring compatibility with the updated standard. |
| Implementation Guidance | Provides a code of practice for controls. | Offers more detailed and structured guidance, making it easier to understand and implement. |
| Focus | Broad focus on various aspects of information security practices. | Increased focus on practical implementation and usability of controls. |

How to select and implement ISO 27002 controls?

Implementing ISO/IEC 27002 controls in alignment with the annexures of ISO/IEC 27001 involves mapping each control to the corresponding requirements specified in ISO/IEC 27001 Annex A.

The specifics vary depending on the organization’s risk profile and compliance considerations, and alignment with the ISO 27002 control objectives should be the rationale when selecting and implementing ISO 27002 controls. You may add, enhance, exclude, or consolidate controls that address similar concerns.

Here are the five steps that can help you evaluate the right controls and implement them:

1.  Understand ISO/IEC 27001 Annex A

Annex A of ISO/IEC 27001 provides a list of control objectives and controls. ISO/IEC 27002 provides detailed implementation guidance for these controls. Annex A serves as a reference to ensure that all necessary controls are considered for the ISMS.

2. Determine the risk profile

A comprehensive assessment identifying critical assets and the associated risks must be conducted to determine the risk profile. This helps in understanding the likelihood and impact of potential threats and in prioritizing the selection of controls.

3. Make a selection based on applicability

To tailor the control selection to your business needs, consider operational requirements and technological capabilities alongside the two inputs above. Questions that help determine applicability include:

  • Are there any controls mandated by industry or regulatory frameworks?
  • Does excluding a control leave any critical risks unaddressed?
  • What are the costs and benefits of implementing each of these controls?
  • Are there multiple controls for similar risks that can be streamlined into one control?

4. Create a tactical implementation plan

A well-documented plan with specific, measurable, time-bound objectives and clearly outlined tasks and procedures forms a solid tactical implementation plan. It should also include the KPIs and KRIs (key performance indicators and key risk indicators) that will be used to measure the effectiveness of control implementation.

5. Train and educate workforce

A combination of communication and training will help the workforce understand the rationale behind the process and implement controls well. Tailor the training program as per skill gaps and keep it engaging for maximum participation.

6. Continuously improve to stay compliant

Periodic reviews, internal audits, and other surveillance techniques must be implemented to gain visibility of progress as well as to address any ingrained weaknesses that persist. To stay compliant, businesses must be ‘always watchful’.

What has changed from the old version of ISO 27002 Controls?

ISO/IEC 27002:2022, the revision of ISO/IEC 27002:2013, now consists of 93 controls, 11 of which are new. While the 2013 release had 114 controls under 14 clauses, the 2022 version has only 4 security domains. To simplify the security management guidelines, 24 controls have been merged and 58 updated from the previous version, streamlining the entire framework and enhancing overall usability.

New controls have been added to the revised list keeping in mind the need for even more robust security requirements with evolving threat sophistication.

ISO 27002:2022 Controls List

Here is the list of ISO 27002 controls (as per the latest version, 2022):

| Category | Control Number | Control Title | Description |
|---|---|---|---|
| Organizational Controls | 5.1 | Policies for Information Security | Develop and implement policies that establish an effective framework that promises information and data security. |
| | 5.2 | Information Security Roles and Responsibilities | Define and communicate specific security responsibilities for all personnel, minimizing the risk of fraud. |
| | 5.3 | Segregation of Duties | Separate responsibilities to reduce vulnerabilities and prevent conflicts of interest. |
| | 5.4 | Management Responsibilities | Ensure management oversight and accountability for information security. |
| | 5.5 | Contact with Authorities | Establish communication channels with regulatory and law enforcement authorities. |
| | 5.6 | Contact with Special Interest Groups | Engage with industry groups to stay informed about security trends and threats. |
| | 5.7 | Threat Intelligence | Gather and analyze information on potential threats to enhance security measures. |
| | 5.8 | Information Security in Project Management | Integrate security considerations into project planning and execution. |
| | 5.9 | Inventory of Information and Associated Assets | Maintain a detailed inventory of all assets and their owners. |
| | 5.10 | Acceptable Use of Information and Associated Assets | Define and enforce rules for the proper use of organizational assets. |
| | 5.11 | Return of Assets | Ensure the secure return of assets when no longer in use by employees or contractors. |
| | 5.12 | Classification of Information | Categorize information based on its sensitivity and criticality. |
| | 5.13 | Labeling of Information | Appropriately label information according to its classification. |
| | 5.14 | Information Transfer | Securely manage the transfer of information within and outside the organization. |
| | 5.15 | Access Control | Implement controls to restrict and regulate access to information, preventing unauthorized access. |
| | 5.16 | User Access Management | Manage the lifecycle of user access from provisioning to de-provisioning. |
| | 5.17 | User Responsibilities | Hold users accountable for maintaining the confidentiality of their access credentials. |
| | 5.18 | System and Application Access Control | Ensure access controls are in place for systems and applications. |
| | 5.19 | Information Security in Supplier Relationships | Ensure suppliers adhere to security requirements. |
| | 5.20 | Addressing Information Security within Supplier Agreements | Include security clauses in supplier contracts. |
| | 5.21 | Managing Information Security in the ICT Supply Chain | Assess and manage security risks in the ICT supply chain. |
| | 5.22 | Monitoring and Review of Supplier Services | Regularly monitor and review supplier performance. |
| | 5.23 | Managing Changes to Supplier Services | Control and approve changes to supplier services affecting security. |
| People Controls | 6.1 | Screening | Screen potential employees to ensure security. |
| | 6.2 | Terms and Conditions of Employment | Include security expectations in employment terms. |
| | 6.3 | Information Security Awareness, Education, and Training | Educate employees on security practices. |
| | 6.4 | Disciplinary Process | Address security breaches through disciplinary actions. |
| | 6.5 | Responsibilities after Termination or Change of Employment | Manage security responsibilities after employment changes. |
| Physical Controls | 7.1 | Physical Security Perimeter | Establish secure boundaries for sensitive areas. |
| | 7.2 | Physical Entry Controls | Control physical access to secure areas. |
| | 7.3 | Securing Offices, Rooms, and Facilities | Ensure security of offices, rooms, and facilities. |
| | 7.4 | Physical Security for Equipment | Protect physical equipment from security threats. |
| | 7.5 | Secure Disposal or Reuse of Equipment | Ensure secure disposal or reuse of equipment. |
| | 7.6 | Cabling Security | Protect cabling from interception or damage. |
| | 7.7 | Security of Supporting Utilities | Ensure the security of utilities supporting information systems. |
| | 7.8 | Security of Equipment Off-premises | Protect off-premises equipment. |
| | 7.9 | Clear Desk and Clear Screen Policy | Implement clear desk and screen policies to protect information. |
| Technological Controls | 8.1 | Operational Procedures and Responsibilities | Define and document operational procedures and responsibilities. |
| | 8.2 | Change Management | Manage changes to information systems securely. |
| | 8.3 | Capacity Management | Manage capacity to ensure performance and security. |
| | 8.4 | Separation of Development, Testing, and Operational Environments | Separate environments to reduce risk. |
| | 8.5 | Protection from Malware | Implement measures to protect against malware. |
| | 8.6 | Management of Technical Vulnerabilities | Manage technical vulnerabilities. |
| | 8.7 | Information Backup | Ensure regular backups of critical information. |
| | 8.8 | Logging and Monitoring | Implement logging and monitoring of activities. |
| | 8.9 | Control of Operational Software | Control installation of software on operational systems. |
| | 8.10 | Management of Technical Documentation | Manage technical documentation securely. |
| | 8.11 | Monitoring and Control of ICT Networks | Monitor and control ICT networks. |
| | 8.12 | Web Filtering | Control access to web resources to enhance security. |
| | 8.13 | Management of Removable Media | Control the use of removable media. |
| | 8.14 | Information Transfer | Protect information during transfer across networks. |
| | 8.15 | Control of Mobile Devices and Teleworking | Secure mobile devices and teleworking arrangements. |

Out of these 93 controls, here are some of the new controls that were not in the list in the previous iteration.

A.5.7 Threat intelligence

Threat intelligence involves collecting, analyzing, and contextualizing data about threats to the organization. By doing so, companies acquire comprehensive insight into potential threats, ultimately making them better prepared against attacks.

A.5.23 Information security for cloud services

Businesses of all sizes embrace the advantages of cloud services, but with their growing popularity comes heightened information security risk. Control 5.23 addresses this by proactively establishing processes for the acquisition, use, management of, and exit from cloud services.

This helps ensure that businesses have the procedures to protect their data and optimally manage their security posture when using these services. 

A.5.30 ICT Readiness for Business Continuity

The importance of maintaining ICT platforms and services cannot be overstated when it comes to ensuring business continuity in the face of disruption or a critical event.

Control 5.30 guides organizations on managing and optimizing ICT systems in light of this, outlining the response, recovery, and restoration processes that should be followed, as well as analyzing key inputs such as recovery time objectives (RTOs) and business impact analysis (BIA) results.

This assists organizations in ensuring their ICT readiness is sufficient for maintaining continuous operation throughout severe episodes.

A.7.4 Physical security monitoring

Ensuring physical security is of utmost importance for organizations wishing to protect their critical data. Physical security monitoring offers a cost-effective solution for safeguarding premises and deterring any unauthorized access to restricted areas. 

This includes deploying CCTV cameras, motion sensors, and even tamper-proof locks to monitor security around buildings with confidential information. 

A.8.9 Configuration management

Configuration management is a critical element of any organization’s security infrastructure. It enables hardware, software, and entire networks to be configured with the appropriate policies to protect an organization from unwanted outside influences. 

Configuration files can dictate network security measures like block lists, port forwarding, virtual LANs, and VPN information among others. Also, it can help organizations meet compliance standards that are important for the security audit processes. 

A.8.10 Information deletion

Information deletion is essential in mitigating data risk, as it can reduce the impact of a potential security breach or a failure to comply with legal standards. Control 8.10 helps organizations comply with relevant laws and regulations on data erasure by providing a complementary approach designed around the company’s current data retention practices.

A.8.11 Data masking

Data masking is an effective method to protect PII stored within an organization’s systems. Data masking takes access control measures further, ensuring that sensitive data stored within systems is obfuscated or encrypted so that it is not readily accessible. 

This goes beyond the scope of regular access controls and can be required by statutory or regulatory compliance.

A.8.12 Data leakage prevention

Data leakage prevention is vital to protecting organizations and limiting their exposure. Control 8.12, a dual-purpose preventive and detective control, supports proactively detecting, preventing, and responding to data leakage from internal and external sources.

A.8.16 Monitoring activities

Network monitoring is a critical part of the IT support and information security process, constituting an integral layer of the organization’s defense-in-depth security strategy. 

Control 8.16 provides protective and corrective capabilities in mitigating risks through careful observance and examination of unusual activities, allowing for a speedy resolution to incidents and events. This, in turn, results in improved systems performance and safeguarding of valuable assets from malicious cyber attacks.

A.8.23 Web filtering

Web filtering is a critical control that organizations must use to guard against security risks and ensure the safety of their information systems. By using web filtering technology, organizations can restrict access to malicious websites, helping to protect their networks from malware attacks and data breaches. 

This process also reduces staff distraction and potential waste of resources as users cannot access external sites that do not offer any business value. Implementing effective web filtering is essential to guarantee corporate networks’ health and integrity.

A.8.28 Secure coding

Secure coding practices protect information systems against today’s sophisticated cyber threats. Without secure coding, organizations risk exposing vulnerabilities and running the risk of compromise to their critical assets. 

To prevent this, implementing Control 8.28 ensures that applications and networks are designed with security throughout the entire process by eliminating potential risks before they become an issue. 

This preventive control can protect your company from cyber attacks associated with poor coding practices, such as weak key generation and improper input validation.

Specific ISO 27002 Control Changes

Here is a detailed overview of ISO 27002:2022 control changes:

| Changes | Details |
|---|---|
| New controls | 11 |
| Domains | 13 down to 4 |
| Split controls | 1 divided into 2 |
| Merged controls | 56 reduced to 24 |
| Overall | 114 down to just 93 |

The latest update of ISO/IEC 27002 significantly improves how it structures control sets. Previously, 14 control domains were established, but now all those domains have been consolidated into just four security categories that are streamlined, organized, and easier to understand. 

These include:

  • Organizational
  • People
  • Physical
  • Technological

The standard now consists of 93 controls, 11 of which are new. To improve navigation, 24 controls were formed by merging two, three, or more security controls from the 2013 version, streamlining the entire framework and making it easier to navigate.

This restructuring removes much of the complexity that previously stood in the way of following basic information security practices: users can now navigate the controls far more easily while the same level of security assurance is maintained.

Annex A explains how to apply the control attributes introduced in this edition, and Annex B provides an easy reference for looking up control numbers and identifiers.

It goes beyond simply telling users what is different from ISO/IEC 27001:2013 by providing two tables that cross-reference this information, giving clarity and a better understanding of how cyber security has changed over time.

Difference between ISO 27001 and ISO 27002

The main difference between ISO 27001 and ISO 27002 is that ISO 27001 presents a broad framework for effective information security management, while ISO 27002 provides the necessary details to turn that framework into practice.

As an in-depth supplement to ISO 27001, it shows how to choose and implement controls according to best practices, giving organizations the tools they need for secure data protection.

The 114 security controls listed in Annex A of ISO 27001:2013 are divided into 14 categories for referencing in ISO 27001 documents. Thanks to this complementary relationship between ISO 27001 and ISO 27002, organizations can ensure that their information security practices are up to industry standards.

Organizations can use ISO 27002 security controls as a guiding beacon on how to meet the requirements of ISO 27001. However, it is not a certification standard in itself.

As such, it is an assessment against ISO 27001 that provides organizational approval and verification that the ISMS is secure and meets internationally accepted standards.

What’s Next?

Complying with ISO 27001 can be a daunting prospect due to the length of requirements.  By understanding the requirements and mapping out a plan, you can ensure your organization takes the necessary steps to protect its data. 

And if you need help, Sprinto’s compliance automation makes it much simpler. Our continuous monitoring solution and employee training module helps speed up the process. 

At the same time, the internal audit feature allows for improved visibility into existing systems and helps identify areas for improvement. With Sprinto’s intuitive tools and comprehensive resources, you can be certain that your organization is ISO 27001 compliant in no time.

We hope this guide has helped get you started on your compliance journey. What other questions do you have about ISO 27002 controls? Talk to us to know more!

FAQs

Is ISO 27002 A control framework?

The ISO 27002 framework offers extensive guidance and industry expertise on incorporating the essential controls listed in Annex A of ISO 27001. An invaluable resource for ensuring that optimal security measures are taken, it should be read alongside its sister standard, ISO 27001.

What is ISO 27002 used for?

ISO 27002 provides comprehensive guidance on selecting information security controls, giving organizations all they need to protect their data. Annex A in ISO 27001 outlines a number of potential tools and strategies that companies can use to ensure secure operations. Information security experts leverage these resources when crafting sound cybersecurity initiatives for businesses everywhere.

How many controls does 27002:2022 have?

ISO 27002:2022 has 93 controls that organizations can use to address their information security needs. Compared with its 2013 predecessor, the new standard is longer and more robust: some controls were merged or removed while others were added for additional support.

How many ISO 27001 controls are there?

ISO 27001 compliance involves following a comprehensive set of controls to ensure the security and integrity of your organization’s data. This includes 114 distinct controls spread across 14 domains that must be satisfied for ISO certification.

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
