Author: Tony McCutcheon – GRC Consultant

The Final Draft of ISO 27002 was released in late 2021 and the final version is expected to be released around 18th February 2022, with the release of the revised version of ISO 27001 following shortly thereafter.

Summary of Changes to ISO 27002

The title of ISO 27002 has been changed to incorporate more focus on cyber security and privacy.

There are not only significant changes to the structure and controls, but also changes relating to how to organise and use all controls. This will make it easier to integrate ISO 27002 controls with other similar security frameworks.

Here are some statistics, which compare the current version to the revised version:

Details	2013	2022 release
Chapters	14 (numbered 5 to 18)	4 (numbered 5 to 8)
Controls	114	93

 

Chapter No.	Chapter Title	No. of Controls
5	Organisational Controls	37
6	People Controls	8
7	Physical Controls	14
8	Technological Controls	34

The following table shows the entirely new controls:

Control No.	Name
5.7	Threat intelligence
5.23	Information security for use of cloud services
5.30	ICT readiness for business continuity
7.4	Physical security monitoring
8.9	Configuration management
8.10	Information deletion
8.11	Data masking
8.12	Data leakage prevention
8.16	Monitoring activities
8.22	Web filtering
8.28	Secure coding

The following table shows a control which has been removed:

2013 Control	Name
11.2.5	Removal of assets

There are two new elements of each control as follows:

• Attributes
• Purpose of applying the control

Organisations will typically have around two years to migrate to the revised standard, so after the revisions have been formally released, Dionach will post additional blogs containing more specific mapping comparisons between the revisions, as well as factors which organisations should consider in planning transition to the revised versions.

Contact Dionach to discuss how we can help you plan transition to the 2022 version of ISO 27001.