What's Inside

Clocking in at 152 pages, ISO 27002:2022 reads and feels like an entirely different document than ISO 27002:2013. ISO 27002:2022’s changes highlight the International Organization for Standardization’s (ISO’s) shifting mindset. 

While most of the controls themselves remain the same, the document's organization and explanations highlight ISO’s shifting mindset around the way companies should view security. Here’s a peek at the changes between ISO 27002:2002 and ISO 27002:2013. 

First, What Is ISO 27002:2022?

ISO 27002:2022 provides a set of generic information security controls that organizations use when establishing and maintaining an ISMS. Since the information security controls are based on internationally recognized best practices, organizations can implement them as listed or use them to develop organization-specific information security management controls. 

Similarly, organizations can choose to use a completely different control set when implementing ISO 27001:2022 rather than using or customizing the controls listed in ISO 27002:2022.

A High-Level View of the Table of Contents

The table of contents and the introduction help you understand the goals ISO has within the larger changes. 

Before you even get into the meat of ISO 27002:2022, you notice a fundamental change within the table of contents. Whereas ISO 27002:2013 consisted of 14 control categories referred to as “domains”, ISO 27002:2022 streamlines this into four buckets, called “themes”:

• Organizational: everything not concerning people, physical, or technological controls

• People: concerning individuals

• Physical: concerning physical objects

• Technical: concerning technology

Introduction

While a large portion of the introduction remains the same, you can start to see where ISO’s going by looking at some of the language changes:

• Background and context: Focus on the risk treatment requiring careful planning and attention rather than just the controls themselves.

• Controls: A new section defining a control as “a measure that modified or maintains risk” with an example that a policy maintains while compliance to a policy modifies.

• Determining controls: Greater focus on risk assessment and the need to balance resources/investments with a control’s business impact.

Unlike the 2013 publication, ISO 27002:2022 highlights that organizations need to focus their attention on risk mitigation and management. 

Understanding the New ISO 27002:2022 Control Format

By focusing on control themes and attributes, ISO enables organizations to look at the same controls through multiple lenses. 

Control Attributes

ISO associates each control with five attributes:

• Control type: Focused on when and how it modifies risk across Preventive, Detective, and Corrective.

• Information security properties: Defined by information characteristic(s) that it preserves across Confidentiality, Integrity, and Availability.

• Cybersecurity concepts: Aligned to the ISO TS 27110 cybersecurity framework across Identify, Protect, Detect, Respond, and Recover.

• Operational capabilities: Based on the practitioner's perspective of information security capabilities.

• Security domains: Viewed from the four information security domains across Governance and Ecosystem, Protection, Defense, and Resilience.

Control Layout

Based on the changes to the organization, ISO also created a new layout for each control consisting of:

• Control title: Control’s short name

• Attribute table: Values for a control’s assigned attributes

• Control: What the control is

• Purpose: Why the control matters

• Guidance: How to implement the control

• Other information: Additional text or references to related documents 

The primary change that shows ISO’s shifting mindset is that ISO 27002:2022 focuses on a control’s “purpose” rather than outlining a “control objective.” An “objective” is an aim, something toward which you direct effort. Meanwhile, a “purpose” is the reason something exists or a goal to be obtained. By switching this language, ISO focuses on achieving and implementing a control for a reason rather than just something you put effort into or hope to do in the future. 

What Are the New Controls Listed in ISO 27002:2022?

While there is significant overlap between the 2013 version and the 2022 version ISO added 11 net new controls to the publication, mostly ones that respond to digital transformation and the evolving landscape of privacy regulations. 

Organizational Controls

The new controls that ISO added are:

• 5.7 Threat intelligence: Collecting and analyzing information related to information security threats. 

• 5.23 Information security for use of cloud services: establishing processes for the acquisition, use, management, and exit from cloud services.

• 5.30 ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

Physical Controls

The new controls ISO included is:

• 7.4 Physical security monitoring: Continuously monitoring for unauthorized physical premises access.

Technological Controls

The new technological controls primarily respond to new privacy law requirements and risks arising from new types of technologies:

• 8.9 Configuration management: Configurations, including security configurations, of hardware, software, services, and networks should be established, documented, implemented, monitored, and reviewed.

• 8.10 Information deletion: Deleting information stored in information systems, devices, or other storage media when it’s no longer needed.

• 8.11 Data masking: Masking data according to access control and other topic-specific policies and business requirements while considering all applicable legislation.

• 8.12 Data leakage prevention: Applying prevention measures to all systems, networks, and any other devices that process, store, or transmit sensitive information.

• 8.16 Monitoring activities: Networks, systems, and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.

• 8.23 Web filtering: Reducing exposure to malicious content by managing access to external websites.

• 8.28 Secure coding: Applying secure coding principles to software development.

Enabling Continuous Monitoring for ISO 27002:2002 Controls

ISO 27002:2022 helps you implement the ISO 27001:2022 framework controls. While the changes appear dramatic, the number of new controls is limited. ISO’s reorganization and repositioning are the underlying changes. 

Drata enables you to accelerate your audit readiness by providing controls pre-mapped across multiple frameworks, giving you the speed and agility needed for a robust ISO compliance program. 

With our automated asset inventory, pre-built risk self-assessments, endpoint monitoring tool, and built-in security training, you can streamline and document all your ISO compliance activities, reducing costs and time by eliminating manual tasks. 

Our platform continuously monitors your environment, giving you real-time visibility into your compliance posture. Using our single source of audit documentation, you have on-demand access to everything you need, including formal documentation, employee acceptance, version history, evidence collection, asset and personnel tracking, and access control workflow automation. 

Additionally, you have access to our compliance experts who can help you navigate these changes so that you get compliant and can stay compliant.