Skip to content
All posts

4 Key Changes in the New ISO 27002:2022 Revision

ISO 27002:2022 is out! It’s official – cybersecurity is the name of the game

At surface level, this new update is daunting – a whole new approach towards structuring the beloved Annex A of ISO 27001:2013. However, after delving a little deeper, the changes appear to be welcome additions to a standard that was due a small refresh – and at a practical level, the workload implications for organizations undergoing audits against the new standard are not immensely significant, supposing best-practice measures are already in place.

Four Key Changes

1. The title has been modified. Before, the standard addressed ‘information technology – security techniques’ and now it addresses ‘information security, cybersecurity and privacy protection.’

2. Before, we dealt with 14 different control objectives, each with various controls, totaling 114 controls. We now talk in terms of ‘themes,’ with the controls divided into four different ‘themes’:

    • Organization controls
    • People controls
    • Physical controls
    • Technological controls

3. Certain controls have been merged, and there is the addition of 11 new controls of which 3 are organizational, 1 is physical, and 7 are technical. 4. Each and every control is now categorized in terms of ‘attributes,’ with a small table for each control. There are 5 ‘attribute’ groups – control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.

Now that we have the changes aligned in general, let’s get into further detail.

At its core, ISO 27002:2022 structures each control in much the same way as before; we first get the title, followed by the control itself, followed by the implementation guidance. However, this is now interspersed with greater detail – as we now get the addition of the ‘attributes,’ as well as a short explanation of the purpose of the control. At a first glance, this updated version looks vastly different from its predecessor. Having said that, the fundamental underpinnings of the standard remain unchanged, and the structural changes serve only to assist in the organizational approach towards adopting the framework. Our sincere belief is that it shall do so.

So what will the cost be to organizations already certified?

At a minimum, the Statement of Applicability (SoA) will look vastly different going forward. Implementation of new controls may also be required. As for organizations looking for first-time certification – perhaps this new standard paves the way for a more organized company policy structure. Now, instead of opting for upwards of 15 policies, organizations may wish to have an overarching information security policy, accompanied by lengthier, more detailed policies for each of the ‘themes,’ as well as several other topic-specific policies.

As always, we will remain at the forefront of GRC consultancy – ensuring that all of our customers are prepared for the changes to the standard and can rest assured that it shall have no negative bearing on their certification status going forward. We are already drafting an all new SoA template and are in close contact with relevant certification bodies to ensure we know exactly when the switchover will begin! If you still have any further questions or want to get updates from us on the switchover, fill in your details below and we’ll reach out to you shortly.