The complete guide to ISO/IEC 27002:2022

ISO 27002:2022 explained. ISO 27002 controls list and absolutely everything you need to know about the ISO 27002:2022 changes.

Absolutely everything you need to know about the ISO 27002:2022
What is ISO 27002?
What are the main changes to ISO 27002?
ISO 27002 Controls List
ISO 27002:2022 Organisational controls
ISO 27002:2022 People controls
ISO 27002:2022 Physical controls
ISO 27002:2022 Technological controls
ISO 27002:2022 FAQ
ISO 27001 Controls: The 2022 Framework Update Summary
ISO 27002:2022 Statement Of Applicability
Source Material

Absolutely everything you need to know about the ISO 27002:2022

When you go for your ISO 27001 Certification you will choose a set of information security controls.

The list of controls that you will need comes from ISO 27002.

In the ISO 27001 standard it actually refers to it as ISO 27001 Annex A.

So the terms ISO 27002 and ISO 27001 Annex A are, for all intents and purposes, interchangeable. They mean the same thing.

ISO 27002 changed in 2022 and is now formally ISO 27002:2022.

This is everything you need to know about ISO 27002:2022.

What is ISO 27002?

Formally it is called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.

It provides a reference set of generic information security controls including implementation guidance. It is designed to be used:

within the context of an information security management system (ISMS) based on ISO/IEC27001;
for implementing information security controls based on internationally recognised best practices;
for developing organisation specific information security management guidelines.

What are the main changes to ISO 27002?

They have removed the term ‘Code of Practice’
The structure of the document has changed
Some controls have been merged, some deleted and new controls have been introduced.

Structure

ISO 27002:2022 has 93 controls which have now been structured into 4 domains

Organisational Controls
People Controls
Physical Controls
Technological Controls

From the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes.

New Controls

Here are the 11 controls that are new:

ISO 27002 Controls List

In this section we list all of the ISO 27002: 2022 controls and compare it to the previous control set. We show if it is a new control or the control has changed.

ISO 27002:2022 Organisational controls

ISO 27002:2022 Organizational Controls (Clause 5) Summary
Control	Title	Status	Purpose	Guide
5.1	Policies for information security	Existing	Ensure suitability, adequacy and effectiveness of managements direction and support for information security.	Read Guide
5.2	Information security roles and responsibilities	Existing	Ensure a defined, approved and understood structure is in place for the implementation and operation of the information security management system.	Read Guide
5.3	Segregation of duties	Existing	Reduce the risk of fraud, error and bypassing of information security controls.	Read Guide
5.4	Management responsibilities	Existing	Require all personnel to apply information security in accordance with the established policy.	Read Guide
5.5	Contact with authorities	Existing	Establish and maintain contact with relevant authorities.	Read Guide
5.6	Contact with special interest groups	Existing	Ensure appropriate flow of information takes place with respect to information security.	Read Guide
5.7	Threat intelligence	NEW	Provide awareness of the organisations threat environment so appropriate mitigation actions can be taken.	Read Guide
5.8	Information security in project management	Existing	Ensure information security risks related to projects are effectively addressed.	Read Guide
5.9	Inventory of information and other associated assets	Changed	Identify the organisations information and associated assets to preserve security.	Read Guide
5.10	Acceptable use of information and other associated assets	Changed	Rules for the acceptable use and procedures for handling information should be identified.	Read Guide
5.11	Return of assets	Existing	Protect the organisations assets during change or termination of employment.	Read Guide
5.12	Classification of information	Existing	Ensure identification and understanding of protection needs of information.	Read Guide
5.13	Labelling of information	Existing	Facilitate the communication of classification of information and support automation.	Read Guide
5.14	Information transfer	Existing	Maintain the security of information transferred within an organisation and with external parties.	Read Guide
5.15	Access control	Existing	Ensure authorised access and prevent unauthorised access to information.	Read Guide
5.16	Identity management	NEW	Allow for the unique identification of individuals and systems accessing information.	Read Guide
5.17	Authentication information	NEW	Ensure proper entity authentication and prevent failures of authentication processes.	Read Guide
5.18	Access rights	Changed	Ensure access to information is defined and authorised according to business requirements.	Read Guide
5.19	Information security in supplier relationships	Existing	Maintain an agreed level of information security in supplier relationships.	Read Guide
5.20	Addressing information security within supplier agreements	Existing	Maintain an agreed level of information security in supplier relationships.	Read Guide
5.21	Managing information security in the ICT supply chain	NEW	Maintain an agreed level of information security in supplier relationships.	Read Guide
5.22	Monitoring, review and change management of supplier services	Changed	Maintain an agreed level of information security and service delivery.	Read Guide
5.23	Information security for use of cloud services	NEW	Specify and manage information security for the use of cloud services.	Read Guide
5.24	Information security incident management planning and preparation	Changed	Ensure quick, effective, consistent and orderly response to information security incidents.	Read Guide
5.25	Assessment and decision on information security events	Existing	Ensure effective categorisation and prioritisation of information security events.	Read Guide
5.26	Response to information security incidents	Existing	Ensure efficient and effective response to information security incidents.	Read Guide
5.27	Learning from information security incidents	Existing	Reduce the likelihood or consequences of future incidents.	Read Guide
5.28	Collection of evidence	Existing	Ensure consistent and effective management of evidence related to information security incidents.	Read Guide
5.29	Information security during disruption	Changed	Protect information and other associated assets during disruption.	Read Guide
5.30	ICT readiness for business continuity	NEW	Ensure the availability of the organisations information and assets during disruption.	Read Guide
5.31	Legal, statutory, regulatory and contractual requirements	Existing	Ensure compliance with legal, statutory, regulatory and contractual requirements.	Read Guide
5.32	Intellectual property rights	Existing	Ensure compliance with requirements related to intellectual property rights.	Read Guide
5.33	Protection of records	Existing	Ensure compliance with requirements related to the protection and availability of records.	Read Guide
5.34	Privacy and protection of PII	Existing	Ensure compliance with requirements related to the protection of PII.	Read Guide
5.35	Independent review of information security	Existing	Ensure the continuing suitability, adequacy and effectiveness of the approach to managing information security.	Read Guide
5.36	Compliance with policies and standards	Existing	Ensure information security is implemented in accordance with policy and rules.	Read Guide
5.37	Documented operating procedures	Existing	Ensure the correct and secure operation of information processing facilities.	Read Guide

ISO 27002:2022 People controls

ISO 27002:2022 People Controls (Clause 6) Summary
Control	Title	Status	Purpose	Guide
6.1	Screening	Existing	Ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible during employment.	Read Guide
6.2	Terms and conditions of employment	Existing	Ensure personnel understand their information security responsibilities for the roles for which they are considered.	Read Guide
6.3	Information security awareness, education and training	Existing	Ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.	Read Guide
6.4	Disciplinary process	Existing	Ensure personnel understand the consequences of information security policy violation and deter such violations.	Read Guide
6.5	Responsibilities after termination or change of employment	Existing	Protect the organisations interests as part of the process of changing or terminating employment or contracts.	Read Guide
6.6	Confidentiality or non-disclosure agreements	Existing	Maintain confidentiality of information accessible by personnel or external parties.	Read Guide
6.7	Remote working	NEW	Ensure the security of information when personnel are working remotely.	Read Guide
6.8	Information security event reporting	Existing	Support timely, consistent and effective reporting of information security events identified by personnel.	Read Guide

ISO 27002:2022 Physical controls

ISO 27002:2022 Physical Controls (Clause 7) Summary
Control	Title	Status	Purpose	Guide
7.1	Physical security perimeter	Existing	Ensure physical security is in place to stop unauthorised people from gaining physical access to property and assets.	Read Guide
7.2	Physical entry	Existing	Ensure only authorised physical access to the organisations information and other associated assets occurs.	Read Guide
7.3	Securing offices, rooms and facilities	Existing	Prevent unauthorised physical access, damage and interference to information and assets in offices.	Read Guide
7.4	Physical security monitoring	Existing	Ensure you detect and deter unauthorised physical access.	Read Guide
7.5	Protecting against physical and environmental threats	Existing	Prevent or reduce the consequences of events originating from physical and environmental threats.	Read Guide
7.6	Working in secure areas	Existing	Protect information and assets in secure areas from damage and unauthorised interference.	Read Guide
7.7	Clear desk and clear screen	Existing	Address risks of unauthorised access, loss of and damage to information on desks and screens.	Read Guide
7.8	Equipment siting and protection	Existing	Reduce the risks from physical and environmental threats, and from unauthorised access and damage.	Read Guide
7.9	Security of assets off-premises	Existing	Prevent loss, damage, theft or compromise of off-site devices and interruption to operations.	Read Guide
7.10	Storage media	NEW	Ensure only authorised disclosure, modification, removal or destruction of information on storage media.	Read Guide
7.11	Supporting utilities	Existing	Prevent loss, damage or compromise of information and assets due to failure of supporting utilities.	Read Guide
7.12	Cabling security	Existing	Prevent loss, damage, or compromise of information and interruption related to power and communications cabling.	Read Guide
7.13	Equipment maintenance	Existing	Prevent loss, damage, or interruption caused by lack of maintenance.	Read Guide
7.14	Secure disposal or re-use of equipment	Existing	Prevent leakage of information from equipment to be disposed or re-used.	Read Guide

ISO 27002:2022 Technological controls

ISO 27002:2022 Technological Controls (Clause 8) Summary
Control	Title	Status	Purpose	Guide
8.1	User endpoint devices	NEW	Protect information against the risks introduced by using user endpoint devices.	Read Guide
8.2	Privileged access rights	Existing	Ensure only authorised users, software components and services are provided with privileged access rights.	Read Guide
8.3	Information access restriction	Existing	Ensure only authorised access and to prevent unauthorised access to information and other associated assets.	Read Guide
8.4	Access to source code	Existing	Prevent the introduction of unauthorised functionality and maintain the confidentiality of valuable intellectual property.	Read Guide
8.5	Secure authentication	Existing	Ensure a user or an entity is securely authenticated when access to systems is granted.	Read Guide
8.6	Capacity management	Existing	Ensure the required capacity of information processing facilities, human resources, offices and other facilities.	Read Guide
8.7	Protection against malware	Existing	Ensure information and other associated assets are protected against malware.	Read Guide
8.8	Management of technical vulnerabilities	Existing	Ensure information and other associated assets are protected from the exploitation of technical vulnerabilities.	Read Guide
8.9	Configuration management	Existing	Ensure hardware, software, services and networks function correctly with required security settings.	Read Guide
8.10	Information deletion	NEW	Prevent unnecessary exposure of sensitive information and comply with deletion requirements.	Read Guide
8.11	Data masking	NEW	Limit the exposure of sensitive data including PII and comply with legal and regulatory requirements.	Read Guide
8.12	Data leakage prevention	NEW	Detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.	Read Guide
8.13	Information backup	Existing	Enable recovery from loss of data or systems.	Read Guide
8.14	Redundancy of information processing facilities	Existing	Ensure the continuous operation of information processing facilities.	Read Guide
8.15	Logging	Existing	Record events, generate evidence, ensure log integrity and support investigations.	Read Guide
8.16	Monitoring activities	Existing	Detect anomalous behaviour and potential information security incidents.	Read Guide
8.17	Clock synchronisation	Existing	Enable the correlation and analysis of security-related events and support investigations.	Read Guide
8.18	Use of privileged utility programs	Existing	Ensure the use of utility programs does not harm system and application controls.	Read Guide
8.19	Installation of software on operational systems	Existing	Ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.	Read Guide
8.20	Network security	Existing	Protect information in networks and supporting facilities from compromise via the network.	Read Guide
8.21	Security of network services	Existing	Ensure security in the use of network services.	Read Guide
8.22	Segregation of networks	Existing	Split the network in security boundaries and control traffic between them based on business needs.	Read Guide
8.23	Web filtering	NEW	Protect systems from being compromised by malware and prevent access to unauthorised web resources.	Read Guide
8.24	Use of cryptography	Existing	Ensure proper and effective use of cryptography to protect confidentiality, authenticity or integrity.	Read Guide
8.25	Secure development life cycle	Existing	Ensure information security is designed and implemented within the secure development life cycle.	Read Guide
8.26	Application security requirements	NEW	Ensure all information security requirements are identified and addressed when developing or acquiring.	Read Guide
8.27	Secure systems architecture and engineering principles	NEW	Ensure information systems are securely designed, implemented and operated within the development life cycle.	Read Guide
8.28	Secure coding	Existing	Ensure software is written securely reducing the number of potential vulnerabilities.	Read Guide
8.29	Security testing in development and acceptance	Existing	Validate if information security requirements are met when applications are deployed to production.	Read Guide
8.30	Outsourced development	Existing	Ensure information security measures required by the organisation are implemented in outsourced development.	Read Guide
8.31	Separation of development, test and production environments	Existing	Protect the production environment and data from compromise by development and test activities.	Read Guide
8.32	Change management	Existing	Preserve information security when executing changes.	Read Guide
8.33	Test information	Existing	Ensure relevance of testing and protection of operational information used for testing.	Read Guide
8.34	Protection of information systems during audit testing	NEW	Minimise the impact of audit and other assurance activities on operational systems and business processes.	Read Guide

ISO 27002:2022 FAQ

What are the main changes in ISO 27002:2022?

The ISO/IEC 27002:2022 standard consolidates the previous 114 controls into 93, introduces 11 completely new controls, and restructures the 14 domains into 4 logical themes. While the number of controls has decreased due to merging 57 redundant items, the rigorousness of the standard remains high. The update focuses on modernising information security practices, specifically introducing concepts like Threat Intelligence and Cloud Security to address the current threat landscape.

What are the 4 themes of ISO 27002:2022?

ISO 27002:2022 abandons the previous 14-domain structure in favour of 4 distinct themes designed to simplify categorisation and ownership. These themes are:

Organisational Controls (37 controls): Policies, rules, and structural frameworks found in Clause 5.
People Controls (8 controls): Human resources, screening, and awareness measures found in Clause 6.
Physical Controls (14 controls): Security perimeters, entry controls, and equipment protection found in Clause 7.
Technological Controls (34 controls): Secure coding, network security, and cryptography found in Clause 8.

What are the 11 new controls in ISO 27002:2022?

To address evolving digital risks, the 2022 update introduces 11 brand-new controls that organisations must include in their Statement of Applicability (SoA) or justify excluding:

5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding

How does ISO 27002:2022 affect current ISO 27001 certification?

Organisations currently certified to ISO 27001:2013 generally have a 3-year transition period (ending October 2025) to align with the 2022 amendments. You do not need to recertify immediately; however, you must update your Statement of Applicability (SoA) to map your existing controls against the new 93 controls mandated by Annex A. Failure to transition by the deadline will result in a major non-conformity during your next surveillance or recertification audit.

What are attributes in ISO 27002:2022?

ISO 27002:2022 introduces “attributes,” which function like hashtags to help organisations create different views of their controls. Each control is tagged with five attribute types: Control Type (e.g., Preventive, Detective), Information Security Properties (Confidentiality, Integrity, Availability), Cybersecurity Concepts (Identify, Protect, Detect), Operational Capabilities, and Security Domains. This allows security managers to filter and report on controls more effectively for different stakeholders.

ISO 27001 Controls: The 2022 Framework Update Summary

ISO 2700 Controls - The 2022 Control Framework Update — ISO 2700 Controls – The 2022 Control Framework Update

ISO 27002:2022 Statement Of Applicability

You can download the new ISO 27002:2002 controls in the the Statement of Applicability.

As a bonus you get a copy of the 2013 version of the controls as well.

Allowing you to easily compare the two and assess the new requirements.

ISO 27001 Statement of Applicability Template

Source Material

This document is an opinion article based on the publicly available information provided here. It is noted the document is under preparation for final publication and is subject to changes.

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Table of contents