ISO 27002 Update 2022 – Summary of Changes

Author: Tony McCutcheon – GRC Consultant

The Final Draft of ISO 27002 was released in late 2021 and the final version is expected to be released around 18th February 2022, with the release of the revised version of ISO 27001 following shortly thereafter.

Summary of Changes to ISO 27002

The title of ISO 27002 has been changed to incorporate more focus on cyber security and privacy.

There are significant changes not only to the structure and to the controls themselves, but also to how the controls are organised and used. This will make it easier to integrate ISO 27002 controls with other similar security frameworks.

Here are some statistics comparing the current (2013) version with the revised (2022) version:

Details  | 2013                  | 2022 release
Chapters | 14 (numbered 5 to 18) | 4 (numbered 5 to 8)

The four chapters of the 2022 release and the number of controls in each:

Chapter No. | Chapter Title          | No. of Controls
5           | Organisational Controls | 37
6           | People Controls         | 8
7           | Physical Controls       | 14
8           | Technological Controls  | 34

The following table shows the entirely new controls:

Control No. | Name
5.7         | Threat intelligence
5.23        | Information security for use of cloud services
5.30        | ICT readiness for business continuity
7.4         | Physical security monitoring
8.9         | Configuration management
8.10        | Information deletion
8.11        | Data masking
8.12        | Data leakage prevention
8.16        | Monitoring activities
8.22        | Web filtering
8.28        | Secure coding

The following table shows a control which has been removed:

2013 Control | Name
11.2.5       | Removal of assets

Each control now has two new elements:

  • Attributes
  • Purpose of applying the control

Organisations will typically have around two years to migrate to the revised standard. Once the revisions have been formally released, Dionach will post additional blogs containing more specific mapping comparisons between the revisions, as well as the factors organisations should consider when planning their transition to the revised versions.

Contact Dionach to discuss how we can help you plan transition to the 2022 version of ISO 27001.
