March 15, 2022

Last Updated on January 15, 2024

The new ISO 27002:2022 moves from 114 controls across 14 domains to 93 controls grouped into 4 themes. Does that mean you can stop executing 21 controls? Not likely! The change reflects considerable consolidation, along with the addition of new controls.

To share a “what’s new” overview of ISO 27002:2022, we invited Danny Manimbo and Ryan Mackie, ISO certification practice co-leads at Schellman, to join a recent episode of The Virtual CISO Podcast. Hosting the show is Pivot Point Security’s CISO and Managing Partner, John Verry.

The mile-high overview

Danny shares some high-level points about the new control set:

  • Over 75% of the new control set is concentrated in the Organizational and Technological themes, with the remaining 25% divided among Physical and People.
  • 56 controls were consolidated into what is now 24 controls. In some cases, up to 4 controls from the 2013 version are now combined to make one new control.
  • 11 controls are “net new,” reflecting changes in the technology landscape (e.g., increasing use of cloud services).

“I think a lot of people will applaud that [consolidation] because you go through some of those domains, like A.9, A.12, A.14… There’s not a whole lot of difference in some of those controls,” notes Danny.

Only one control, Removal of assets (formerly 11.2.5), did not survive the 2022 update. It’s not that removal of assets isn’t still an issue; it’s now covered under one of the other physical security controls. However, in ISO 27002’s Annex B, which shows the mappings from the 2013 to 2022 editions, this is the only control that isn’t mapped elsewhere.

What about the 11 new controls?

One of the biggest changes with ISO 27001:2022 is the addition of eleven new controls, reflecting changes over the past eight years in what ISO 27001 calls “context”: threat agents, technology, regulations, etc.

The eleven new controls are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Several of the new controls, such as 5.7, 5.23 and 8.12, relate to ISO “extension standards” like ISO 27017 (cloud services) and ISO 27018 (processing personal data in the cloud). It’s not yet clear how the new ISO 27002 will impact—or possibly even eliminate—future updates to those extensions.

For example, the ISO 27701 data privacy extension to ISO 27001 covers almost all the controls in ISO 27018. Plus, ISO 27701 is a management system standard that you can be certified against, not just an extended set of controls. Is ISO 27018 still needed? We’ll find out what ISO thinks when it’s time to revise it.

What’s next?

To hear the full podcast episode on ISO 27002:2022 with experts from Schellman, click here.

What will the coming ISO 27001 update mean for your organization? John Verry shares his view in this blog post: What the New ISO 27001:2021 Release Will Mean to You