ISO/IEC 27002: What you need to know | CQI | IRCA

ISO/IEC 27002: What you need to know

Published: 28 Jan 2022

ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection has been published. Learn what the changes involve and what this revision means for ISO/IEC 27001:2013 – Information security management.

The International Standards Organization (ISO) has published a revised version of ISO/IEC 27002 – Information security, cybersecurity and privacy protection. The standard, produced by the ISO/International Electrotechnical Commission (IEC) Joint Technical Committee JTC1/SC 27, was published on 15 February 2022.

ISO/IEC 27002:2022 provides guidelines for information security standards and information security management practices, including the selection, implementation and management of controls. This update matters to every organisation operating an information security management system (ISMS) against ISO 27001:2013 – Information security management, the ISMS requirements standard.

ISO/IEC 27001:2013, the requirements standard for information security management systems, was created to protect an organisation’s information assets, such as project records, operational and financial data, and marketing media. It seeks this outcome through the application of a management system and a set of controls. These controls appear in both ISO/IEC 27002:2013 and ISO/IEC 27001:2013.

The changes to ISO/IEC 27002

The new iteration of ISO/IEC 27002 contains significant changes to both the number and the nature of the controls. ISO/IEC 27002:2022 reduces the number of information security controls from 114 in 14 categories to 93 in four categories. Of these, 11 controls are new, 24 are merged from existing 2013 controls, and 58 controls carried over from 2013 have been updated.

What does this mean for ISO/IEC 27001:2013?

Because of these changes, ISO/IEC 27001:2013 will likely have to be revised to maintain consistency, since its normative Annex A references the controls described in ISO/IEC 27002.

The potential revision of ISO/IEC 27001:2013 will have a number of implications for organisations operating an ISMS under ISO 27001:2013, as well as for training organisations, auditors and quality professionals.

Check the latest update on ISO/IEC 27002:2022.