The complete guide to ISO/IEC 27002:2022


Absolutely everything you need to know about ISO 27002:2022

When you go for your ISO 27001 Certification you will choose a set of information security controls.

The list of controls that you will need comes from ISO 27002.

The ISO 27001 standard itself refers to this list of controls as ISO 27001 Annex A.

So the terms ISO 27002 and ISO 27001 Annex A are, for all intents and purposes, interchangeable. They mean the same thing.

ISO 27002 changed in 2022 and is now formally ISO 27002:2022.

This is everything you need to know about ISO 27002:2022.

What is it?

Formally it is called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.

It provides a reference set of generic information security controls including implementation guidance. It is designed to be used:

  • within the context of an information security management system (ISMS) based on ISO/IEC 27001;
  • for implementing information security controls based on internationally recognised best practices;
  • for developing organisation specific information security management guidelines.

What are the main changes to ISO 27002?

  • They have removed the term ‘Code of Practice’
  • The structure of the document has changed
  • Some controls have been merged, some deleted and new controls have been introduced.

Structure

ISO/IEC 27002:2022 has 93 controls, which are now structured into 4 domains:

  • Organisational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

From the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes.

New Controls

Here are the 11 controls that are new:

The new list of ISO 27002:2022 Controls

In this section we list all of the ISO 27002:2022 controls and compare them with the previous control set. We show whether each control is new or has changed.

ISO 27002:2022 5 Organisational controls

ISO 27002 5.1 Policies for Information Security

Purpose: Annex A 5.1 is a preventive control that ensures the suitability, adequacy and effectiveness of management's direction and support for information security.

View the ultimate certification guide to: ISO 27002:2022 5.1 Policies for information security

ISO 27002 5.2 Information security roles and responsibilities

Purpose: Annex A 5.2 is a preventive control that ensures a defined, approved and understood structure is in place for the implementation and operation of the information security management system.

View the ultimate certification guide to: ISO 27002:2022 5.2 Information security roles and responsibilities

ISO 27002 5.3 Segregation of Duties

Purpose: To reduce the risk of fraud, error and bypassing of information security controls. 

View the ultimate certification guide to: ISO 27002:2022 5.3 Segregation of duties

ISO 27002 5.4 Management Responsibilities

Purpose: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

View the ultimate certification guide to: ISO 27002:2022 5.4 Management responsibilities

ISO 27002 5.5 Contact with authorities

Purpose: The organisation should establish and maintain contact with relevant authorities.

View the ultimate certification guide to: ISO 27002:2022 5.5 Contact with authorities

ISO 27002 5.6 Contact with special interest groups

Purpose: To ensure appropriate flow of information takes place with respect to information security. 

View the ultimate certification guide to: ISO 27002:2022 5.6 Contact with special interest groups

ISO 27002 5.7 Threat Intelligence – NEW

Purpose: To provide awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.

View the ultimate certification guide to: ISO 27002:2022 5.7 Threat intelligence

ISO 27002 5.8 Information security in project management

Purpose: To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.

View the ultimate certification guide to: ISO 27002:2022 5.8 Information security in project management

ISO 27002 5.9 Inventory of information and other associated assets – CHANGE

Purpose: To identify the organisation's information and other associated assets in order to preserve their information security and assign appropriate ownership.

View the ultimate certification guide to: ISO 27002:2022 5.9 Inventory of information and other associated assets

ISO 27002 5.10 Acceptable use of information and other associated assets – CHANGE

Purpose: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

View the ultimate certification guide to: ISO 27002:2022 5.10 Acceptable use of information and other associated assets

ISO 27002 5.11 Return of assets

Purpose: To protect the organisation's assets as part of the process of changing or terminating employment, contract or agreement.

View the ultimate certification guide to: ISO 27002:2022 5.11 Return of assets

ISO 27002 5.12 Classification of information

Purpose: To ensure identification and understanding of protection needs of information in accordance with its importance to the organisation.

View the ultimate certification guide to: ISO 27002:2022 5.12 Classification of information

ISO 27002 5.13 Labelling of information

Purpose: To facilitate the communication of classification of information and support automation of information processing and management.

View the ultimate certification guide to: ISO 27002:2022 5.13 Labelling of information

ISO 27002 5.14 Information transfer

Purpose: To maintain the security of information transferred within an organisation and with any external interested party.

View the ultimate certification guide to: ISO 27002:2022 5.14 Information transfer

ISO 27002 5.15 Access Control

Purpose: To ensure authorised access and to prevent unauthorised access to information and other associated assets.

View the ultimate certification guide to: ISO 27002:2022 5.15 Access control

ISO 27002 5.16 Identity Management – NEW

Purpose: To allow for the unique identification of individuals and systems accessing the organisation's information and other associated assets and to enable appropriate assignment of access rights.

View the ultimate certification guide to: ISO 27002:2022 5.16 Identity management

ISO 27002 5.17 Authentication Information – NEW

Purpose: To ensure proper entity authentication and prevent failures of authentication processes.

View the ultimate certification guide to: ISO 27002:2022 5.17 Authentication information

ISO 27002 5.18 Access rights – CHANGE

Purpose: To ensure access to information and other associated assets is defined and authorised according to the business requirements.

View the ultimate certification guide to: ISO 27002:2022 5.18 Access rights

ISO 27002 5.19 Information security in supplier relationships

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27002:2022 5.19 Information security in supplier relationships

ISO 27002 5.20 Addressing information security within supplier agreements

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27002:2022 5.20 Addressing information security within supplier agreements

ISO 27002 5.21 Managing information security in the ICT supply chain – NEW

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27002:2022 5.21 Managing information security in the ICT supply chain

ISO 27002 5.22 Monitoring, review and change management of supplier services – CHANGE

Purpose: To maintain an agreed level of information security and service delivery in line with supplier agreements.

View the ultimate certification guide to: ISO 27002:2022 5.22 Monitoring, review and change management of supplier services

ISO 27002 5.23 Information security for use of cloud services – NEW

Purpose: To specify and manage information security for the use of cloud services.

View the ultimate certification guide to: ISO 27002:2022 5.23 Information security for use of cloud services

ISO 27002 5.24 Information security incident management planning and preparation – CHANGE

Purpose: To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.

View the ultimate certification guide to: ISO 27002:2022 5.24 Information security incident management planning and preparation

ISO 27002 5.25 Assessment and decision on information security events

Purpose: To ensure effective categorisation and prioritisation of information security events.

View the ultimate certification guide to: ISO 27002:2022 5.25 Assessment and decision on information security events

ISO 27002 5.26 Response to information security incidents

Purpose: To ensure efficient and effective response to information security incidents.

View the ultimate certification guide to: ISO 27002:2022 5.26 Response to information security incidents

ISO 27002 5.27 Learning from information security incidents

Purpose: To reduce the likelihood or consequences of future incidents.

View the ultimate certification guide to: ISO 27002:2022 5.27 Learning from information security incidents

ISO 27002 5.28 Collection of evidence

Purpose: To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.

View the ultimate certification guide to: ISO 27002:2022 5.28 Collection of evidence

ISO 27002 5.29 Information security during disruption – CHANGE

Purpose: To protect information and other associated assets during disruption.

View the ultimate certification guide to: ISO 27002:2022 5.29 Information security during disruption

ISO 27002 5.30 ICT readiness for business continuity – NEW

Purpose: To ensure the availability of the organisation's information and other associated assets during disruption.

View the ultimate certification guide to: ISO 27002:2022 5.30 ICT readiness for business continuity

ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

View the ultimate certification guide to: ISO 27002:2022 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27002 5.32 Intellectual Property Rights

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.

View the ultimate certification guide to: ISO 27002:2022 5.32 Intellectual property rights

ISO 27002 5.33 Protection of records

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.

View the ultimate certification guide to: ISO 27002:2022 5.33 Protection of records

ISO 27002 5.34 Privacy and protection of PII

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.

View the ultimate certification guide to: ISO 27002:2022 5.34 Privacy and protection of PII

ISO 27002 5.35 Independent review of information security

Purpose: To ensure the continuing suitability, adequacy and effectiveness of the organisation's approach to managing information security.

View the ultimate certification guide to: ISO 27002:2022 5.35 Independent review of information security

ISO 27002 5.36 Compliance with policies and standards for information security

Purpose: To ensure that information security is implemented and operated in accordance with the organisation’s information security policy, topic-specific policies, rules and standards.

View the ultimate certification guide to: ISO 27002:2022 5.36 Compliance with policies and standards for information security

ISO 27002 5.37 Documented operating procedures

Purpose: To ensure the correct and secure operation of information processing facilities.

View the ultimate certification guide to: ISO 27002:2022 5.37 Documented operating procedures

ISO 27002:2022 6 People controls

ISO 27001:2022 6.1 Screening

Purpose: To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.

View the ultimate certification guide to: ISO 27002:2022 6.1 Screening

ISO 27001:2022 6.2 Terms and conditions of employment

Purpose: To ensure personnel understand their information security responsibilities for the roles for which they are considered.

View the ultimate certification guide to: ISO 27002:2022 6.2 Terms and conditions of employment

ISO 27001:2022 6.3 Information security awareness, education and training

Purpose: To ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.

View the ultimate certification guide to: ISO 27002:2022 6.3 Information security awareness, education and training

ISO 27001:2022 6.4 Disciplinary Process

Purpose: To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

View the ultimate certification guide to: ISO 27002:2022 6.4 Disciplinary process

ISO 27001:2022 6.5 Responsibilities after termination or change of employment

Purpose: To protect the organisation's interests as part of the process of changing or terminating employment or contracts.

View the ultimate certification guide to: ISO 27002:2022 6.5 Responsibilities after termination or change of employment

ISO 27001:2022 6.6 Confidentiality or non-disclosure agreements

Purpose: To maintain confidentiality of information accessible by personnel or external parties.

View the ultimate certification guide to: ISO 27002:2022 6.6 Confidentiality or non-disclosure agreements

ISO 27002:2022 6.7 Remote working – NEW

Purpose: To ensure the security of information when personnel are working remotely.

View the ultimate certification guide to: ISO 27002:2022 6.7 Remote working

ISO 27002:2022 6.8 Information security event reporting

Purpose: To support timely, consistent and effective reporting of information security events that can be identified by personnel.

View the ultimate certification guide to: ISO 27002:2022 6.8 Information security event reporting

ISO 27002:2022 7 Physical controls

ISO 27002:2022 7.1 Physical security perimeter

ISO 27002:2022 7.2 Physical entry controls

ISO 27002:2022 7.3 Securing offices, rooms and facilities

ISO 27002:2022 7.4 Physical security monitoring

ISO 27002:2022 7.5 Protecting against physical and environmental threats

ISO 27002:2022 7.6 Working in secure areas

ISO 27002:2022 7.7 Clear desk and clear screen

ISO 27002:2022 7.8 Equipment siting and protection

ISO 27002:2022 7.9 Security of assets off-premises

ISO 27002:2022 7.10 Storage media – NEW

ISO 27002:2022 7.11 Supporting utilities

ISO 27002:2022 7.12 Cabling security

ISO 27002:2022 7.13 Equipment maintenance

ISO 27002:2022 7.14 Secure disposal or re-use of equipment

ISO 27002:2022 8 Technological controls

ISO 27002:2022 8.1 User endpoint devices – NEW

ISO 27002:2022 8.2 Privileged access rights

ISO 27002:2022 8.3 Information access restriction

ISO 27002:2022 8.4 Access to source code

ISO 27002:2022 8.5 Secure authentication

ISO 27002:2022 8.6 Capacity management

ISO 27002:2022 8.7 Protection against malware

ISO 27002:2022 8.8 Management of technical vulnerabilities

ISO 27002:2022 8.9 Configuration management

ISO 27002:2022 8.10 Information deletion – NEW

ISO 27002:2022 8.11 Data masking – NEW

ISO 27002:2022 8.12 Data leakage prevention – NEW

ISO 27002:2022 8.13 Information backup

ISO 27002:2022 8.14 Redundancy of information processing facilities

ISO 27002:2022 8.15 Logging

ISO 27002:2022 8.16 Monitoring activities

ISO 27002:2022 8.17 Clock synchronisation

ISO 27002:2022 8.18 Use of privileged utility programs

ISO 27002:2022 8.19 Installation of software on operational systems

ISO 27002:2022 8.20 Network controls

ISO 27002:2022 8.21 Security of network services

ISO 27002:2022 8.22 Segregation in networks

ISO 27002:2022 8.23 Web filtering – NEW

ISO 27002:2022 8.24 Use of cryptography

ISO 27002:2022 8.25 Secure development lifecycle

ISO 27002:2022 8.26 Application security requirements – NEW

ISO 27002:2022 8.27 Secure system architecture and engineering principles – NEW

ISO 27002:2022 8.28 Secure coding

ISO 27002:2022 8.29 Security testing in development and acceptance

ISO 27002:2022 8.30 Outsourced development

ISO 27002:2022 8.31 Separation of development, test and production environments

ISO 27002:2022 8.32 Change management

ISO 27002:2022 8.33 Test information

ISO 27002:2022 8.34 Protection of information systems during audit and testing – NEW

ISO 27001:2022 FAQ

When did ISO 27002:2022 go live?

The new ISO 27002 2022 revision went live and was published on the 15th of February 2022.

How many controls are there in ISO 27002:2022?

There are 93 controls in ISO 27002:2022. Previously there were 114 controls. This is a reduction of 21 controls.

How many sections are there in ISO 27002:2022?

There are 4 sections in ISO 27002:2022. Previously there were 14 sections. This is a reduction of 10 sections.

ISO 27001:2022 Statement Of Applicability

You can download the new ISO 27001:2022 controls in the Statement of Applicability.

As a bonus you get a copy of the 2013 version of the controls as well, allowing you to easily compare the two and assess the new requirements.

ISO 27001 Statement of Applicability template

Source Material

This document is an opinion article based on the publicly available information provided here. It is noted the document is under preparation for final publication and is subject to changes.
