The complete guide to ISO 27002 changes 2022


ISO/IEC DIS 27002 – Information security, cybersecurity and privacy protection — Information security controls

Fay Barker - The complete guide to ISO 27002 changes 2022

There are changes coming to ISO 27002 and to the Annex A controls of ISO 27001, with an expected publication date of 2022. I am a big fan of Annex A, but it is good to see it getting a timely refresh and update; it has been some time since it was last revised. This third edition cancels and replaces the second edition (ISO/IEC 27002:2013, together with Cor 1:2014 and Cor 2:2015), which has been technically revised.

Hargobind - The complete guide to ISO 27002 changes 2022

What are the main changes to ISO 27002?

  • The term ‘Code of Practice’ has been removed from the title.
  • The structure of the document has changed.
  • Some controls have been merged, some deleted, and new controls have been introduced.

The controls are now structured into four domains:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

The list of the ISO 27002 controls (controls marked ‘new’ were introduced in this edition; those marked ‘change’ were revised)

ISO 27002 5 Organizational controls

  • 5.1 Policies for information security
  • 5.2 Information security roles and responsibilities
  • 5.3 Segregation of duties
  • 5.4 Management responsibilities
  • 5.5 Contact with authorities
  • 5.6 Contact with special interest groups
  • 5.7 Threat intelligence – new
  • 5.8 Information security in project management
  • 5.9 Inventory of information and other associated assets – change
  • 5.10 Acceptable use of information and other associated assets – change
  • 5.11 Return of assets
  • 5.12 Classification of information
  • 5.13 Labelling of information
  • 5.14 Information transfer
  • 5.15 Access control
  • 5.16 Identity management
  • 5.17 Authentication information – new
  • 5.18 Access rights – change
  • 5.19 Information security in supplier relationships
  • 5.20 Addressing information security within supplier agreements
  • 5.21 Managing information security in the ICT supply chain – new
  • 5.22 Monitoring, review and change management of supplier services – change
  • 5.23 Information security for use of cloud services – new
  • 5.24 Information security incident management planning and preparation – change
  • 5.25 Assessment and decision on information security events
  • 5.26 Response to information security incidents
  • 5.27 Learning from information security incidents
  • 5.28 Collection of evidence
  • 5.29 Information security during disruption – change
  • 5.30 ICT readiness for business continuity – new
  • 5.31 Identification of legal, statutory, regulatory and contractual requirements
  • 5.32 Intellectual property rights
  • 5.33 Protection of records
  • 5.34 Privacy and protection of PII
  • 5.35 Independent review of information security
  • 5.36 Compliance with policies and standards for information security
  • 5.37 Documented operating procedures

ISO 27002 6 People controls

  • 6.1 Screening
  • 6.2 Terms and conditions of employment
  • 6.3 Information security awareness, education and training
  • 6.4 Disciplinary process
  • 6.5 Responsibilities after termination or change of employment
  • 6.6 Confidentiality or non-disclosure agreements
  • 6.7 Remote working – new
  • 6.8 Information security event reporting

ISO 27002 7 Physical controls

  • 7.1 Physical security perimeter
  • 7.2 Physical entry controls
  • 7.3 Securing offices, rooms and facilities
  • 7.4 Physical security monitoring
  • 7.5 Protecting against physical and environmental threats
  • 7.6 Working in secure areas
  • 7.7 Clear desk and clear screen
  • 7.8 Equipment siting and protection
  • 7.9 Security of assets off-premises
  • 7.10 Storage media – new
  • 7.11 Supporting utilities
  • 7.12 Cabling security
  • 7.13 Equipment maintenance
  • 7.14 Secure disposal or re-use of equipment

ISO 27002 8 Technological controls

  • 8.1 User endpoint devices – new
  • 8.2 Privileged access rights
  • 8.3 Information access restriction
  • 8.4 Access to source code
  • 8.5 Secure authentication
  • 8.6 Capacity management
  • 8.7 Protection against malware
  • 8.8 Management of technical vulnerabilities
  • 8.9 Configuration management
  • 8.10 Information deletion – new
  • 8.11 Data masking – new
  • 8.12 Data leakage prevention – new
  • 8.13 Information backup
  • 8.14 Redundancy of information processing facilities
  • 8.15 Logging
  • 8.16 Monitoring activities
  • 8.17 Clock synchronization
  • 8.18 Use of privileged utility programs
  • 8.19 Installation of software on operational systems
  • 8.20 Network controls
  • 8.21 Security of network services
  • 8.22 Web filtering – new
  • 8.23 Segregation in networks
  • 8.24 Use of cryptography
  • 8.25 Secure development lifecycle
  • 8.26 Application security requirements – new
  • 8.27 Secure system architecture and engineering principles – new
  • 8.28 Secure coding
  • 8.29 Security testing in development and acceptance
  • 8.30 Outsourced development
  • 8.31 Separation of development, test and production environments
  • 8.32 Change management
  • 8.33 Test information
  • 8.34 Protection of information systems during audit and testing – new

ISO 27001 Templates Toolkit

The ISO 27001 Toolkit gives you all the pre-populated, pre-written information security policies and the complete information security management system, so you can hit the ground running.

Source Material

This document is an opinion article based on the publicly available information provided here. Note that the standard was still under preparation for final publication at the time of writing and is subject to change.
