ISO standards tend to be long-lived, so when one is revised, the revision has an impact. This is the case with ISO 27002:2022: not only is ISO 27002:2013 completely replaced, but so, indirectly, is Annex A of ISO 27001, because that annex is derived from ISO 27002.
In the medium term, this will have a substantial impact on ISO 27001 compliance and on the organization-specific ISMS (Information Security Management System) in use today. How much adaptation is required depends on the design of the respective ISMS.
What has changed?
Both the organization of the controls and their scope are affected, quantitatively as well as qualitatively. Instead of 114 controls in 14 categories, there are now 93 controls in 4 categories, 11 of which are new.
There are now only four categories for the controls:
(5) Organizational Controls
(6) People Controls
(7) Physical Controls
(8) Technical Controls
The 2022 edition is therefore much tidier than the 2013 edition.
The following controls are new:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The reduction to four categories has led to many changes and shifts among the controls. Mapping tables between ISO 27002:2013 and ISO 27002:2022, in both directions, make it easier to find your way around.
Who is affected?
Anyone who works with ISO 27001, whether because their ISMS is based on ISO 27001 or because the organization is ISO 27001 certified. In the medium term, i.e. within the next 12-36 months, there is no way around an adaptation.