ISO 27002:2022

What is ISO 27002:2022?

ISO/IEC 27002:2022 is an international standard that provides a reference set of 93 information security controls, with implementation guidance for each, to help organisations implement and manage their Information Security Management System (ISMS). It is a guidance document that supports ISO/IEC 27001, which is the certification standard: ISO 27001 specifies what an organisation must do, and ISO 27002 explains how to do it by describing each control, its purpose and the points to consider when implementing it. The practical benefit is a consistent starting point for risk treatment, because control objectives, evidence and owners are drawn from one catalogue rather than assembled ad hoc.

Key Changes from Previous Versions

  • New Structure: The standard has been restructured from the 14 control clauses (domains) of the 2013 edition to 4 themes: Organisational, People, Physical, and Technological controls. This makes the controls easier to organise, assign and manage.
  • Streamlined Controls: The number of controls has been reduced from 114 to 93. 57 of the 2013 controls were merged into 24, 58 were carried over with updated numbering and wording, and 11 are new, addressing areas such as threat intelligence, cloud services, data masking, data leakage prevention and secure coding.
  • Attribute-based Tags: Each control now carries values for five attributes (Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, and Security Domains), and a control can have several values per attribute. The Cybersecurity Concepts values (Identify, Protect, Detect, Respond, Recover) use the same names as the NIST Cybersecurity Framework functions, which makes the controls easier to filter and to map to other frameworks.

ISO 27001 Context

ISO 27002 is not a certifiable standard itself. An organisation is certified against ISO 27001, and Annex A of ISO 27001:2022 lists the same 93 controls by number and title only; the organisation uses the guidance in ISO 27002 to select, implement and evidence the controls it has determined necessary through risk treatment. Organisations should view it as a detailed reference guide for building a strong ISMS.

How to implement ISO 27002:2022

Implementing the ISO 27002:2022 guidance standard is essential for organisations seeking to harden their Information Security Management System (ISMS) using the latest best practices. As a Lead Auditor, I recommend this technical 10-step sequence to align your 93 controls with the modern thematic structure and metadata attributes.

1. Provision a Technical Gap Analysis

Conduct a comprehensive review of your current security framework against the 93 consolidated controls of ISO 27002:2022. This identifies specific deficiencies between your legacy domain structure and the new structure. Annex B of ISO 27002:2022 contains the official correspondence tables between the 2013 and 2022 control numbers, so use it rather than a home-grown mapping. Technical requirements include:

  • Mapping existing 2013 controls to the four new themes using the Annex B correspondence tables.
  • Identifying the technical upgrades needed for the 11 new controls: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering and 8.28 Secure coding. None of these is mandatory in itself; each must be assessed and its inclusion or exclusion justified in the Statement of Applicability.
  • Documenting a prioritised remediation roadmap for senior management.

2. Formalise Control Attributes and Metadata

Record the attribute values for each of your 93 controls to enable filtering and reporting within your ISMS. Metadata such as Control Type and Cybersecurity Concepts lets you report coverage by security property, lifecycle function or operational capability, and shows at a glance where a theme has no detective or corrective control at all. Technical actions include:

  • Categorising controls as Preventive, Detective, or Corrective (a control may be more than one).
  • Mapping controls to NIST Cyber Security Framework (CSF) functions via the Cybersecurity Concepts attribute, whose values already use the CSF function names.
  • Linking attributes to your internal GRC reporting dashboard, and validating that every value entered is one the standard defines so that reports do not silently drop mis-tagged controls.

3. Provision a Theme-Based Control Framework

Organise your technical and administrative safeguards into the four themes of Organisational, People, Physical, and Technological. This consolidation reduces complexity and ensures better cross-departmental accountability. The theme is encoded in the control number (clause 5 Organisational, 6 People, 7 Physical, 8 Technological). Requirements involve:

  • Assigning the 37 Organisational controls (clause 5) to relevant governance owners.
  • Delegating the 34 Technological controls (clause 8) to the IT and Security operations teams.
  • Formalising responsibility for the 8 People controls (clause 6, typically HR) and the 14 Physical controls (clause 7, typically facilities).

4. Formalise Information Security Policies

Audit and update your entire policy library to reflect the streamlined language and modern security concepts of the 2022 revision. Control 5.1 expects an overall information security policy supported by topic-specific policies, and every policy must be citable and enforceable across the organisation. Necessary actions include:

  • Updating the Acceptable Use Policy to cover modern remote work (control 6.7 Remote working).
  • Authoring new topic-specific policies for Threat Intelligence (5.7) and Cloud Services (5.23).
  • Ensuring all policies are version-controlled, approved and centrally accessible.

5. Provision Cloud Service Security Controls

Execute a formal risk assessment for all SaaS, PaaS, and IaaS providers to satisfy control 5.23 (Information security for use of cloud services). Managing the shared responsibility model is critical for mitigating third-party risk: the provider's attestations cover their side of the line, and your configuration evidence must cover yours. Technical steps involve:

  • Mapping data flows between internal systems and cloud environments, including which data leaves your jurisdiction.
  • Auditing customer-side cloud configuration against recognised benchmarks such as the CIS Benchmarks for the platform in use.
  • Enforcing encryption in transit and at rest, and MFA for all cloud administrative access, with no break-glass account exempt from logging.

6. Implement Technical Detection and Monitoring

Deploy automated monitoring tools to provide early warning of unauthorised activity or system failures. Control 8.16 (Monitoring activities) is new in the 2022 edition and expects networks, systems and applications to be monitored for anomalous behaviour, with the evidence retained. Implementation requirements include:

  • Configuring SIEM alerts for anomalous network traffic patterns and for authentication anomalies, with a documented triage procedure for each alert.
  • Implementing endpoint detection and response (EDR) on all workstations and servers.
  • Establishing baseline performance and behaviour metrics for critical IT infrastructure, since anomalies can only be detected against a known baseline.

7. Formalise Secure Coding Practices

Establish a secure development lifecycle (SDLC) that mandates security testing at every stage of the software creation process, as control 8.28 (Secure coding), new in the 2022 edition, expects. This reduces the risk of deploying vulnerable applications into production. Technical actions include:

  • Implementing automated Static Application Security Testing (SAST) in the build pipeline, with findings tracked to closure.
  • Enforcing secure coding standards for all internal bespoke development.
  • Auditing the use of third-party libraries and open-source components, including tracking known vulnerabilities in the versions you ship.

8. Audit Physical Security Monitoring

Deploy physical monitoring systems such as CCTV and alarm sensors to protect the facility perimeter and sensitive internal areas. Physical security is a standalone theme in the 2022 standard, and control 7.4 (Physical security monitoring) is one of the 11 new controls. Requirements include:

  • Reviewing server room access logs and biometric entry systems, and reconciling them against the list of authorised staff.
  • Auditing the retention periods and secure storage of surveillance footage, with access to it restricted and logged.
  • Testing the responsiveness of physical security incident playbooks.

9. Provision a Threat Intelligence Process

Formalise a workflow to collect, analyse, and apply threat intelligence to your internal risk management strategy. Control 5.7 (Threat intelligence) is one of the 11 new controls, and it expects intelligence to be collected at strategic, tactical and operational levels and actually used, not merely subscribed to. Implementation involves:

  • Subscribing to industry-specific threat feeds and bulletins.
  • Updating the Risk Register based on new external vulnerability data.
  • Conducting regular (for example monthly) threat briefing sessions for the security team, with a record of the decisions taken.

10. Audit the Updated Statement of Applicability

Verify that your Statement of Applicability (SoA) correctly references the 93 controls of ISO 27002:2022 rather than the legacy 2013 domains. This is one of the first documents reviewed during certification audits, and ISO 27001:2022 clause 6.1.3 d) requires it to state the necessary controls, the justification for including them, whether they are implemented, and the justification for any exclusions. Necessary steps are:

  • Justifying the inclusion or exclusion of all 93 controls and recording the implementation status of each.
  • Linking each applicable control to a specific named risk owner.
  • Securing formal management approval for the updated SoA.
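The attribute tagging in step 2, the theme counts in step 3 and the SoA check in step 10 are far easier to keep honest when the 93 controls live in one machine-readable registry rather than a spreadsheet. The following is an added example written for this page; it is not code from the page's author, from the toolkit, or from ISO. The attribute vocabularies and the per-theme control counts are those defined in ISO/IEC 27002:2022. The five sample controls use real 2022 control numbers and titles, but the attribute values assigned to them and the sample SoA entries are constructed for illustration and must be checked against a licensed copy of the standard before being loaded into a GRC tool.

```python
"""Control registry for ISO/IEC 27002:2022 attribute tags, theme counts and SoA gaps.

Added example (not from the page's author or from ISO). Vocabularies and theme
counts are from the 2022 standard; the sample controls' attribute values and the
sample SoA are constructed for illustration, so verify them against the standard.
"""
from collections import Counter
from dataclasses import dataclass

# The five attributes and their permitted values (ISO/IEC 27002:2022, clause 4.2).
ATTRIBUTE_VALUES = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "is_properties": {"Confidentiality", "Integrity", "Availability"},
    "cyber_concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},  # NIST CSF names
    "op_capabilities": {
        "Governance", "Asset_management", "Information_protection", "Human_resource_security",
        "Physical_security", "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity", "Supplier_relationships_security",
        "Legal_and_compliance", "Information_security_event_management",
        "Information_security_assurance"},
    "security_domains": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}
# Theme is encoded in the clause number of the control id; value is (name, control count).
THEMES = {"5": ("Organisational", 37), "6": ("People", 8),
          "7": ("Physical", 14), "8": ("Technological", 34)}


@dataclass
class Control:
    cid: str     # e.g. "8.16"
    name: str
    attrs: dict  # attribute name -> set of values (a control may carry several)


def validate_control(ctrl):
    """Problems with one control's tags; an empty list means it is well formed."""
    problems = []
    if ctrl.cid.split(".")[0] not in THEMES:
        problems.append(f"{ctrl.cid}: clause is not one of 5-8")
    for attr, allowed in ATTRIBUTE_VALUES.items():
        values = ctrl.attrs.get(attr)
        if not values:
            problems.append(f"{ctrl.cid}: missing attribute {attr}")
            continue
        for bad in sorted(set(values) - allowed):
            problems.append(f"{ctrl.cid}: {attr} has unknown value {bad!r}")
    return problems


def filter_by(controls, attr, value):
    """Attribute view, e.g. filter_by(cs, 'cyber_concepts', 'Detect') is the NIST CSF Detect view."""
    return [c.cid for c in controls if value in c.attrs.get(attr, ())]


def theme_coverage(controls):
    """Controls registered per theme against the count the standard defines (37/8/14/34)."""
    counts = Counter(THEMES[c.cid.split(".")[0]][0] for c in controls)
    return {name: (counts[name], expected) for name, expected in THEMES.values()}


def soa_gaps(controls, soa):
    """soa: control id -> {'applicable': bool, 'justification': str, 'owner': str}.
    Flags legacy ids, missing decisions, missing justification, applicable controls without an owner."""
    known = {c.cid for c in controls}
    gaps = [f"{cid}: in SoA but not a 2022 control" for cid in sorted(soa.keys() - known)]
    for c in controls:
        entry = soa.get(c.cid)
        if entry is None:
            gaps.append(f"{c.cid}: no SoA decision")
        elif not entry.get("justification"):
            gaps.append(f"{c.cid}: no justification")
        elif entry.get("applicable") and not entry.get("owner"):
            gaps.append(f"{c.cid}: applicable but no owner")
    return gaps


CIA = {"Confidentiality", "Integrity", "Availability"}

def ctl(cid, name, ct, cc, oc, sd):  # helper: all samples carry all three IS properties
    return Control(cid, name, {"control_type": set(ct), "is_properties": set(CIA),
                               "cyber_concepts": set(cc), "op_capabilities": set(oc),
                               "security_domains": set(sd)})

# Constructed sample: real 2022 control numbers and titles, illustrative attribute values.
SAMPLE_CONTROLS = [
    ctl("5.7", "Threat intelligence", ["Preventive", "Detective", "Corrective"],
        ["Identify", "Detect", "Respond"], ["Threat_and_vulnerability_management"], ["Defence", "Resilience"]),
    ctl("5.23", "Information security for use of cloud services", ["Preventive"],
        ["Protect"], ["Supplier_relationships_security"], ["Governance_and_Ecosystem", "Protection"]),
    ctl("7.4", "Physical security monitoring", ["Preventive", "Detective"],
        ["Protect", "Detect"], ["Physical_security"], ["Protection", "Defence"]),
    ctl("8.16", "Monitoring activities", ["Detective", "Corrective"],
        ["Detect", "Respond"], ["Information_security_event_management"], ["Defence"]),
    ctl("8.28", "Secure coding", ["Preventive"],
        ["Protect"], ["Application_security", "System_and_network_security"], ["Protection"]),
]
# Constructed SoA: a legacy 2013-style id, a missing owner, a missing justification, 8.28 absent.
SAMPLE_SOA = {
    "5.7": {"applicable": True, "justification": "Feeds the risk register", "owner": "Head of SecOps"},
    "5.23": {"applicable": True, "justification": "Core systems run on SaaS/IaaS", "owner": ""},
    "7.4": {"applicable": False, "justification": "Covered contractually by co-location provider", "owner": ""},
    "8.16": {"applicable": True, "justification": "", "owner": "SOC lead"},
    "A.12.4.1": {"applicable": True, "justification": "Event logging", "owner": "SOC lead"},
}

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        assert not validate_control(c), validate_control(c)
    print("NIST CSF Detect view:", filter_by(SAMPLE_CONTROLS, "cyber_concepts", "Detect"))
    print("Theme coverage (registered, expected):", theme_coverage(SAMPLE_CONTROLS))
    print("SoA gaps:", *soa_gaps(SAMPLE_CONTROLS, SAMPLE_SOA), sep="\n  ")
```

Run as-is it prints the Detect view (5.7, 7.4, 8.16), the theme coverage against 37/8/14/34 (which immediately shows how far the registry is from complete), and four SoA gaps, including the legacy identifier A.12.4.1 that the step 10 check is meant to catch. Loading all 93 controls is a matter of extending SAMPLE_CONTROLS; the validator then rejects any attribute value that is not one the standard defines, so a mis-typed tag cannot quietly drop a control from a dashboard filter.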

ISO 27002:2022 FAQ

What is ISO 27002:2022?

ISO 27002:2022 is an international guidance standard that provides a reference set of 93 information security controls designed to support the implementation of an Information Security Management System (ISMS). It provides the detailed “how-to” guidance for the controls listed in Annex A of ISO 27001:2022.

What is the difference between ISO 27001 and ISO 27002?

The primary difference is that ISO 27001 is a requirements standard for certification, while ISO 27002:2022 is a guidance standard for implementation. Organisations are certified against ISO 27001, but they use ISO 27002 to understand the best practices for implementing the 93 Annex A controls. The Annex A controls are reference controls, not mandatory ones: each must be considered, and its inclusion or exclusion justified in the Statement of Applicability, but only the controls the organisation's risk treatment determines necessary have to be implemented.

What are the four themes in ISO 27002:2022?

ISO 27002:2022 organises its 93 controls into four themes, replacing the previous 14 domains from the 2013 version. The theme corresponds to the clause number of the control (5, 6, 7 or 8), which makes ownership easier to assign. The themes are:

  • Organisational controls: 37 controls covering policy, roles, and resource management.
  • People controls: 8 controls focused on remote working, screening, and confidentiality agreements.
  • Physical controls: 14 controls regarding secure areas, maintenance, and facility security.
  • Technological controls: 34 controls detailing encryption, network security, and secure coding.

What are attributes in ISO 27002:2022?

Attributes are metadata tags introduced in ISO 27002:2022 to help organisations filter and sort the 93 controls from different viewpoints. There are 5 attributes: Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, and Security Domains. The Cybersecurity Concepts attribute uses the five NIST Cybersecurity Framework function names (Identify, Protect, Detect, Respond, Recover), so a view of the controls by CSF function can be produced directly from the tags; mapping to other frameworks still needs a crosswalk.


About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigour with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
