Absolutely everything you need to know about the ISO 27002:2022
When you go for your ISO 27001 certification you will choose a set of information security controls.
The list of controls you choose from comes from ISO 27002.
The ISO 27001 standard itself refers to that list as ISO 27001 Annex A.
So the terms ISO 27002 and ISO 27001 Annex A are, for all intents and purposes, interchangeable: Annex A lists the control titles and ISO 27002 gives the implementation guidance for each one. Which of them apply to you is recorded, with a justification for each inclusion or exclusion, in your Statement of Applicability.
ISO 27002 changed in 2022 and is now formally ISO 27002:2022.
This is everything you need to know about ISO 27002:2022.
Table of contents
- Absolutely everything you need to know about the ISO 27002:2022
- What is it?
- What are the main changes to ISO 27002?
- The new list of ISO 27002:2022 Controls
- ISO 27002:2022 5 Organisational controls
- ISO 27002:2022 6 People controls
- ISO 27002:2022 7 Physical controls
- ISO 27002:2022 8 Technological controls
- ISO 27002:2022 FAQ
- Source Material
What is it?
Formally it is called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.
It provides a reference set of generic information security controls including implementation guidance. It is designed to be used:
- within the context of an information security management system (ISMS) based on ISO/IEC 27001;
- for implementing information security controls based on internationally recognised best practices;
- for developing organisation specific information security management guidelines.
What are the main changes to ISO 27002?
- They have removed the term ‘Code of Practice’
- The structure of the document has changed
- Some controls have been merged, some deleted and new controls have been introduced.
Structure
ISO/IEC 27002:2022 has 93 controls which are now structured into 4 themes
- Organisational Controls (37 controls)
- People Controls (8 controls)
- Physical Controls (14 controls)
- Technological Controls (34 controls)
From the previous 14 sections, ISO 27002:2022 now has only four sections, along with two annexes: Annex A explains the control attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that let you filter and group the controls, and Annex B maps each control to its ISO 27002:2013 equivalent.
New Controls
Here are the 11 controls that are new:
- ISO 27002:2022 control 5.7 Threat intelligence
- ISO 27002:2022 control 5.23 Information security for use of cloud services
- ISO 27002:2022 control 5.30 ICT readiness for business continuity
- ISO 27002:2022 control 7.4 Physical security monitoring
- ISO 27002:2022 control 8.9 Configuration management
- ISO 27002:2022 control 8.10 Information deletion
- ISO 27002:2022 control 8.11 Data masking
- ISO 27002:2022 control 8.12 Data leakage prevention
- ISO 27002:2022 control 8.16 Monitoring activities
- ISO 27002:2022 control 8.23 Web filtering
- ISO 27002:2022 control 8.28 Secure coding
The new list of ISO 27002:2022 Controls
In this section we list all of the ISO 27002:2022 controls and compare them to the previous control set. We show whether a control is new or has changed (merged, split or renamed) against ISO 27002:2013.
ISO 27002:2022 5 Organisational controls
ISO 27002 5.1 Policies for Information Security
Purpose: Annex A 5.1 is a preventive control. It ensures the continuing suitability, adequacy and effectiveness of management's direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.
View the ultimate certification guide to: ISO 27002:2022 5.1 Policies for information security
ISO 27002 5.2 Information security roles and responsibilities
Purpose: Annex A 5.2 is a preventive control. It establishes a defined, approved and understood structure for the implementation, operation and management of information security within the organisation.
View the ultimate certification guide to: ISO 27002:2022 5.2 Information security roles and responsibilities
ISO 27002 5.3 Segregation of Duties
Purpose: To reduce the risk of fraud, error and bypassing of information security controls.
View the ultimate certification guide to: ISO 27002:2022 5.3 Segregation of duties
ISO 27002 5.4 Management Responsibilities
Purpose: To ensure management understand their role in information security and take action so that all personnel apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.
View the ultimate certification guide to: ISO 27002:2022 5.4 Management responsibilities
ISO 27002 5.5 Contact with authorities
Purpose: To ensure appropriate flow of information takes place with respect to information security between the organisation and relevant legal, regulatory and supervisory authorities.
View the ultimate certification guide to: ISO 27002:2022 5.5 Contact with authorities
ISO 27002 5.6 Contact with special interest groups
Purpose: To ensure appropriate flow of information takes place with respect to information security.
View the ultimate certification guide to: ISO 27002:2022 5.6 Contact with special interest groups
ISO 27002 5.7 Threat Intelligence – NEW
Purpose: To provide awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.
View the ultimate certification guide to: ISO 27002:2022 5.7 Threat intelligence
ISO 27002 5.8 Information security in project management
Purpose: To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.
View the ultimate certification guide to: ISO 27002:2022 5.8 Information security in project management
ISO 27002 5.9 Inventory of information and other associated assets – CHANGE
Purpose: To identify the organisation's information and other associated assets in order to preserve their information security and assign appropriate ownership.
View the ultimate certification guide to: ISO 27002:2022 5.9 Inventory of information and other associated assets
ISO 27002 5.10 Acceptable use of information and other associated assets – CHANGE
Purpose: To ensure information and other associated assets are appropriately protected, used and handled.
View the ultimate certification guide to: ISO 27002:2022 5.10 Acceptable use of information and other associated assets
ISO 27002 5.11 Return of assets
Purpose: To protect the organisation's assets as part of the process of changing or terminating employment, contract or agreement.
View the ultimate certification guide to: ISO 27002:2022 5.11 Return of assets
ISO 27002 5.12 Classification of information
Purpose: To ensure identification and understanding of protection needs of information in accordance with its importance to the organisation.
View the ultimate certification guide to: ISO 27002:2022 5.12 Classification of information
ISO 27002 5.13 Labelling of information
Purpose: To facilitate the communication of classification of information and support automation of information processing and management.
View the ultimate certification guide to: ISO 27002:2022 5.13 Labelling of information
ISO 27002 5.14 Information transfer
Purpose: To maintain the security of information transferred within an organisation and with any external interested party.
View the ultimate certification guide to: ISO 27002:2022 5.14 Information transfer
ISO 27002 5.15 Access Control
Purpose: To ensure authorised access and to prevent unauthorised access to information and other associated assets.
View the ultimate certification guide to: ISO 27002:2022 5.15 Access control
ISO 27002 5.16 Identity Management – CHANGE
Purpose: To allow for the unique identification of individuals and systems accessing the organisation's information and other associated assets and to enable appropriate assignment of access rights.
View the ultimate certification guide to: ISO 27002:2022 5.16 Identity management
ISO 27002 5.17 Authentication Information – CHANGE
Purpose: To ensure proper entity authentication and prevent failures of authentication processes.
View the ultimate certification guide to: ISO 27002:2022 5.17 Authentication information
ISO 27002 5.18 Access rights – CHANGE
Purpose: To ensure access to information and other associated assets is defined and authorised according to the business requirements.
View the ultimate certification guide to: ISO 27002:2022 5.18 Access rights
ISO 27002 5.19 Information security in supplier relationships
Purpose: To maintain an agreed level of information security in supplier relationships.
View the ultimate certification guide to: ISO 27002:2022 5.19 Information security in supplier relationships
ISO 27002 5.20 Addressing information security within supplier agreements
Purpose: To maintain an agreed level of information security in supplier relationships.
View the ultimate certification guide to: ISO 27002:2022 5.20 Addressing information security within supplier agreements
ISO 27002 5.21 Managing information security in the ICT supply chain – CHANGE
Purpose: To maintain an agreed level of information security in supplier relationships.
View the ultimate certification guide to: ISO 27002:2022 5.21 Managing information security in the ICT supply chain
ISO 27002 5.22 Monitoring, review and change management of supplier services – CHANGE
Purpose: To maintain an agreed level of information security and service delivery in line with supplier agreements.
View the ultimate certification guide to: ISO 27002:2022 5.22 Monitoring, review and change management of supplier services
ISO 27002 5.23 Information security for use of cloud services – NEW
Purpose: To specify and manage information security for the use of cloud services.
View the ultimate certification guide to: ISO 27002:2022 5.23 Information security for use of cloud services
ISO 27002 5.24 Information security incident management planning and preparation – CHANGE
Purpose: To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.
View the ultimate certification guide to: ISO 27002:2022 5.24 Information security incident management planning and preparation
ISO 27002 5.25 Assessment and decision on information security events
Purpose: To ensure effective categorisation and prioritisation of information security events.
View the ultimate certification guide to: ISO 27002:2022 5.25 Assessment and decision on information security events
ISO 27002 5.26 Response to information security incidents
Purpose: To ensure efficient and effective response to information security incidents.
View the ultimate certification guide to: ISO 27002:2022 5.26 Response to information security incidents
ISO 27002 5.27 Learning from information security incidents
Purpose: To reduce the likelihood or consequences of future incidents.
View the ultimate certification guide to: ISO 27002:2022 5.27 Learning from information security incidents
ISO 27002 5.28 Collection of evidence
Purpose: To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.
View the ultimate certification guide to: ISO 27002:2022 5.28 Collection of evidence
ISO 27002 5.29 Information security during disruption – CHANGE
Purpose: To protect information and other associated assets during disruption.
View the ultimate certification guide to: ISO 27002:2022 5.29 Information security during disruption
ISO 27002 5.30 ICT readiness for business continuity – NEW
Purpose: To ensure the availability of the organisation's information and other associated assets during disruption.
View the ultimate certification guide to: ISO 27002:2022 5.30 ICT readiness for business continuity
ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements
Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.
View the ultimate certification guide to: ISO 27002:2022 5.31 Identification of legal, statutory, regulatory and contractual requirements
ISO 27002 5.32 Intellectual Property Rights
Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.
View the ultimate certification guide to: ISO 27002:2022 5.32 Intellectual property rights
ISO 27002 5.33 Protection of records
Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.
View the ultimate certification guide to: ISO 27002:2022 5.33 Protection of records
ISO 27002 5.34 Privacy and protection of PII
Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.
View the ultimate certification guide to: ISO 27002:2022 5.34 Privacy and protection of PII
ISO 27002 5.35 Independent review of information security
Purpose: To ensure the continuing suitability, adequacy and effectiveness of the organisation's approach to managing information security.
View the ultimate certification guide to: ISO 27002:2022 5.35 Independent review of information security
ISO 27002 5.36 Compliance with policies and standards for information security
Purpose: To ensure that information security is implemented and operated in accordance with the organisation’s information security policy, topic-specific policies, rules and standards.
View the ultimate certification guide to: ISO 27002:2022 5.36 Compliance with policies and standards for information security
ISO 27002 5.37 Documented operating procedures
Purpose: To ensure the correct and secure operation of information processing facilities.
View the ultimate certification guide to: ISO 27002:2022 5.37 Documented operating procedures
ISO 27002:2022 6 People controls
ISO 27002:2022 6.1 Screening
Purpose: To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.
View the ultimate certification guide to: ISO 27002:2022 6.1 Screening
ISO 27002:2022 6.2 Terms and conditions of employment
Purpose: To ensure personnel understand their information security responsibilities for the roles for which they are considered.
View the ultimate certification guide to: ISO 27002:2022 6.2 Terms and conditions of employment
ISO 27002:2022 6.3 Information security awareness, education and training
Purpose: To ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.
View the ultimate certification guide to: ISO 27002:2022 6.3 Information security awareness, education and training
ISO 27002:2022 6.4 Disciplinary process
Purpose: To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.
View the ultimate certification guide to: ISO 27002:2022 6.4 Disciplinary process
ISO 27002:2022 6.5 Responsibilities after termination or change of employment
Purpose: To protect the organisation's interests as part of the process of changing or terminating employment or contracts.
View the ultimate certification guide to: ISO 27002:2022 6.5 Responsibilities after termination or change of employment
ISO 27002:2022 6.6 Confidentiality or non-disclosure agreements
Purpose: To maintain confidentiality of information accessible by personnel or external parties.
View the ultimate certification guide to: ISO 27002:2022 6.6 Confidentiality or non-disclosure agreements
ISO 27002:2022 6.7 Remote working – CHANGE
Purpose: To ensure the security of information when personnel are working remotely.
View the ultimate certification guide to: ISO 27002:2022 6.7 Remote working
ISO 27002:2022 6.8 Information security event reporting
Purpose: To support timely, consistent and effective reporting of information security events that can be identified by personnel.
View the ultimate certification guide to: ISO 27002:2022 6.8 Information Security Event Reporting
ISO 27002:2022 7 Physical controls
ISO 27002:2022 7.1 Physical Security Perimeter
Purpose: To prevent unauthorised physical access, damage and interference to the organisation's information and other associated assets.
View the ultimate certification guide to: ISO 27002:2022 7.1 Physical security perimeter
ISO 27002:2022 7.2 Physical Entry
Purpose: To ensure only authorised physical access to the organisation's information and other associated assets occurs.
View the ultimate certification guide to: ISO 27002:2022 7.2 Physical entry
ISO 27002:2022 7.3 Securing Offices, Rooms And Facilities
Purpose: To prevent unauthorised physical access, damage and interference to the organisation's information and other associated assets in offices, rooms and facilities.
View the ultimate certification guide to: ISO 27002:2022 7.3 Securing offices, rooms and facilities
ISO 27002:2022 7.4 Physical Security Monitoring – NEW
Purpose: To detect and deter unauthorised physical access.
View the ultimate certification guide to: ISO 27002:2022 7.4 Physical security monitoring
ISO 27002:2022 7.5 Protecting Against Physical and Environmental Threats
Purpose: To prevent or reduce the consequences of events originating from physical and environmental threats.
View the ultimate certification guide to: ISO 27002:2022 7.5 Protecting against physical and environmental threats
ISO 27002:2022 7.6 Working In Secure Areas
Purpose: To protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.
View the ultimate certification guide to: ISO 27002:2022 7.6 Working in secure areas
ISO 27002:2022 7.7 Clear Desk And Clear Screen
Purpose: To reduce the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
View the ultimate certification guide to: ISO 27002:2022 7.7 Clear desk and clear screen
ISO 27002:2022 7.8 Equipment Siting And Protection
Purpose: To reduce the risks from physical and environmental threats, and from unauthorised access and damage.
View the ultimate certification guide to: ISO 27002:2022 7.8 Equipment siting and protection
ISO 27002:2022 7.9 Security Of Assets Off-Premises
Purpose: To prevent loss, damage, theft or compromise of off-site devices and interruption to the organisation's operations.
View the ultimate certification guide to: ISO 27002:2022 7.9 Security of assets off-premises
ISO 27002:2022 7.10 Storage Media – CHANGE
Purpose: To ensure only authorised disclosure, modification, removal or destruction of information on storage media.
View the ultimate certification guide to: ISO 27002:2022 7.10 Storage media
ISO 27002:2022 7.11 Supporting Utilities
Purpose: To prevent loss, damage or compromise of information and other associated assets, or interruption to the organisation's operations due to failure and disruption of supporting utilities.
View the ultimate certification guide to: ISO 27002:2022 7.11 Supporting utilities
ISO 27002:2022 7.12 Cabling Security
Purpose: To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisation's operations related to power and communications cabling.
View the ultimate certification guide to: ISO 27002:2022 7.12 Cabling security
ISO 27002:2022 7.13 Equipment Maintenance
Purpose: To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisation's operations caused by lack of maintenance.
View the ultimate certification guide to: ISO 27002:2022 7.13 Equipment maintenance
ISO 27002:2022 7.14 Secure Disposal Or Re-Use Of Equipment
Purpose: To prevent leakage of information from equipment to be disposed or re-used.
View the ultimate certification guide to: ISO 27002:2022 7.14 Secure disposal or re-use of equipment
ISO 27002:2022 8 Technological controls
ISO 27002:2022 8.1 User Endpoint Devices – CHANGE
Purpose: To protect information against the risks introduced by using user endpoint devices.
View the ultimate certification guide to: ISO 27002:2022 8.1 User endpoint devices
ISO 27002:2022 8.2 Privileged Access Rights
Purpose: To ensure only authorised users, software components and services are provided with privileged access rights.
View the ultimate certification guide to: ISO 27002:2022 8.2 Privileged access rights
ISO 27002:2022 8.3 Information Access Restriction
Purpose: To ensure only authorised access and to prevent unauthorised access to information and other associated assets.
View the ultimate certification guide to: ISO 27002:2022 8.3 Information access restriction
ISO 27002:2022 8.4 Access To Source Code
Purpose: To prevent the introduction of unauthorised functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property.
View the ultimate certification guide to: ISO 27002:2022 8.4 Access to source code
ISO 27002:2022 8.5 Secure Authentication
Purpose: To ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted.
View the ultimate certification guide to: ISO 27002:2022 8.5 Secure authentication
ISO 27002:2022 8.6 Capacity Management
Purpose: To ensure the required capacity of information processing facilities, human resources, offices and other facilities.
View the ultimate certification guide to: ISO 27002:2022 8.6 Capacity management
ISO 27002:2022 8.7 Protection Against Malware
Purpose: To ensure information and other associated assets are protected against malware.
View the ultimate certification guide to: ISO 27002:2022 8.7 Protection against malware
ISO 27002:2022 8.8 Management of Technical Vulnerabilities
Purpose: To ensure information and other associated assets are protected from the exploitation of technical vulnerabilities.
View the ultimate certification guide to: ISO 27002:2022 8.8 Management of technical vulnerabilities
ISO 27002:2022 8.9 Configuration Management – NEW
Purpose: To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.
View the ultimate certification guide to: ISO 27002:2022 8.9 Configuration management
ISO 27002:2022 8.10 Information Deletion – NEW
Purpose: To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
View the ultimate certification guide to: ISO 27002:2022 8.10 Information deletion
ISO 27002:2022 8.11 Data Masking – NEW
Purpose: To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.
View the ultimate certification guide to: ISO 27002:2022 8.11 Data masking
ISO 27002:2022 8.12 Data Leakage Prevention – NEW
Purpose: To detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.
View the ultimate certification guide to: ISO 27002:2022 8.12 Data leakage prevention
ISO 27002:2022 8.13 Information Backup
Purpose: To enable recovery from loss of data or systems.
View the ultimate certification guide to: ISO 27002:2022 8.13 Information backup
ISO 27002:2022 8.14 Redundancy of information processing facilities
Purpose: To ensure the continuous operation of information processing facilities.
View the ultimate certification guide to: ISO 27002:2022 8.14 Redundancy of information processing facilities
ISO 27002:2022 8.15 Logging
Purpose: To record events, generate evidence, ensure the integrity of log information, protect against unauthorised access, identify information security events that can lead to an information security incident and to support investigations.
View the ultimate certification guide to: ISO 27002:2022 8.15 Logging
ISO 27002:2022 8.16 Monitoring Activities – NEW
Purpose: To detect anomalous behaviour and potential information security incidents.
View the ultimate certification guide to: ISO 27002:2022 8.16 Monitoring activities
ISO 27002:2022 8.17 Clock Synchronisation
Purpose: To enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.
View the ultimate certification guide to: ISO 27002:2022 8.17 Clock synchronisation
ISO 27002:2022 8.18 Use of Privileged Utility Programs
Purpose: To ensure the use of utility programs does not harm system and application controls for information security.
View the ultimate certification guide to: ISO 27002:2022 8.18 Use of privileged utility programs
ISO 27002:2022 8.19 Installation of Software on Operational Systems
Purpose: To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.
View the ultimate certification guide to: ISO 27002:2022 8.19 Installation of software on operational systems
ISO 27002:2022 8.20 Network Security
Purpose: To protect information in networks and its supporting information processing facilities from compromise via the network.
View the ultimate certification guide to: ISO 27002:2022 8.20 Network security
ISO 27002:2022 8.21 Security of Network Services
Purpose: To ensure security in the use of network services.
View the ultimate certification guide to: ISO 27002:2022 8.21 Security of network services
ISO 27002:2022 8.22 Segregation of Networks
Purpose: To split the network into security boundaries and to control traffic between them based on business needs.
View the ultimate certification guide to: ISO 27002:2022 8.22 Segregation of networks
ISO 27002:2022 8.23 Web Filtering – NEW
Purpose: To protect systems from being compromised by malware and to prevent access to unauthorised web resources.
View the ultimate certification guide to: ISO 27002:2022 8.23 Web filtering
ISO 27002:2022 8.24 Use of Cryptography
Purpose: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
View the ultimate certification guide to: ISO 27002:2022 8.24 Use of cryptography
ISO 27002:2022 8.25 Secure Development Life Cycle
Purpose: To ensure information security is designed and implemented within the secure development life cycle of software and systems.
View the ultimate certification guide to: ISO 27002:2022 8.25 Secure development life cycle
ISO 27002:2022 8.26 Application Security Requirements – CHANGE
Purpose: To ensure all information security requirements are identified and addressed when developing or acquiring applications.
View the ultimate certification guide to: ISO 27002:2022 8.26 Application security requirements
ISO 27002:2022 8.27 Secure System Architecture and Engineering Principles – CHANGE
Purpose: To ensure information systems are securely designed, implemented and operated within the development life cycle.
View the ultimate certification guide to: ISO 27002:2022 8.27 Secure system architecture and engineering principles
ISO 27002:2022 8.28 Secure Coding – NEW
Purpose: To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
View the ultimate certification guide to: ISO 27002:2022 8.28 Secure coding
ISO 27002:2022 8.29 Security Testing in Development and Acceptance
Purpose: To validate if information security requirements are met when applications or code are deployed to the production environment.
View the ultimate certification guide to: ISO 27002:2022 8.29 Security testing in development and acceptance
ISO 27002:2022 8.30 Outsourced Development
Purpose: To ensure information security measures required by the organisation are implemented in outsourced system development.
View the ultimate certification guide to: ISO 27002:2022 8.30 Outsourced development
ISO 27002:2022 8.31 Separation of Development, Test and Production Environments
Purpose: To protect the production environment and data from compromise by development and test activities.
View the ultimate certification guide to: ISO 27002:2022 8.31 Separation of development, test and production environments
ISO 27002:2022 8.32 Change Management
Purpose: To preserve information security when executing changes.
View the ultimate certification guide to: ISO 27002:2022 8.32 Change management
ISO 27002:2022 8.33 Test Information
Purpose: To ensure relevance of testing and protection of operational information used for testing.
View the ultimate certification guide to: ISO 27002:2022 8.33 Test information
ISO 27002:2022 8.34 Protection of information systems during audit testing – CHANGE
Purpose: To minimise the impact of audit and other assurance activities on operational systems and business processes.
View the ultimate certification guide to: ISO 27002:2022 8.34 Protection of information systems during audit testing
ISO 27002:2022 FAQ
The new ISO 27002:2022 revision went live and was published on the 15th of February 2022.
There are 93 controls in ISO 27002:2022. Previously there were 114 controls. This is a reduction of 21 controls, achieved largely by merging overlapping 2013 controls rather than by dropping requirements, so do not assume a smaller list means less to implement.
There are 4 sections in ISO 27002:2022. Previously there were 14 sections. This is a reduction of 10 sections.
ISO 27001:2022 Statement Of Applicability
You can download the new ISO 27001:2022 controls in the Statement of Applicability.
As a bonus you get a copy of the 2013 version of the controls as well.
This allows you to easily compare the two and assess the new requirements.
Source Material
This document is an opinion article based on the publicly available information provided here. At the time of writing, the standard was still under preparation for final publication and subject to change.