ISO 27002:2022 Update

In February 2022, the ISO/IEC 27002 Standard was updated by the International Organization for Standardization (ISO). ISO 27002:2022 provides a reference set of, and implementation guidance for, information security, cybersecurity and privacy protection controls. URM's Lisa Dargan presents a short video in which she answers the following questions:

What are the key changes from the 2013 version of the Standard?  

Lisa looks at the statistics in terms of the number of information security controls that have been merged and updated, as well as the new ISO 27002 controls. With ISO 27002:2022, controls are grouped into 4 themes or categories (organisational, people, physical and technological) rather than the 14 clauses of the 2013 version. Lisa examines these categories as well as the potentially significant introduction of 5 attributes, which let you assign hashtag-style values to each control so that controls can be filtered, sorted or presented in different ways.

Why have the changes been made?

Here, Lisa reflects on some of the factors that have led to the changes in the ISO 27002 controls (and, in due course, the ISO 27001 controls), such as the evolving threat landscape, changing work patterns and the introduction of new legislation. Lisa discusses how these factors have influenced not just the type of controls being introduced, but also the way the Standard has been structured.

What about the implications for ISO 27001?

ISO 27001, the specification or requirements Standard that organisations certify against, is naturally expected to adopt the ISO 27002:2022 controls in full as its Annex A when it is updated later in 2022. For organisations that are already certified, Lisa suggests several key things you should be doing in response to the ISO 27002:2022 update and the introduction of the new ISO 27002/ISO 27001 controls.

Find out more in our blog: ISO 27002:2022 Update

ISO 27002:2022 Control Migration Online Course

If you want to learn more about ISO 27002:2022 and how to implement the new controls and apply the new attributes, you can attend URM's ISO 27002:2022 Control Migration Course. There are no prerequisites for attending this course. The course is aimed at anyone who needs to understand the changes to ISO 27002 that will be adopted as Annex A of ISO 27001.
