National Standards Authority of Ireland New Standards Shop


ISO/IEC 27002:2022 – What has changed?

ISO/IEC 27002:2022 is designed for all types of organisations. It is intended to be used as a reference when determining and implementing controls for information security risk treatment within an information security management system (ISMS) based on ISO/IEC 27001.

Further organisation-specific controls can be identified through risk assessment as necessary. Compared with the previous (2013) edition of the standard, the main changes are:

  • Modified title: the document is now titled "Information security controls" rather than "Code of practice for information security controls"
  • Simplified structure of the controls, using a simple taxonomy of four themes (organisational, people, physical and technological) and a set of associated attributes
  • The correspondence between the previous controls and the new controls is given in Annex B of ISO/IEC 27002:2022

This document provides a generic set of organisational, people, physical and technological information security controls derived from internationally recognised best practice. Which controls apply depends on the organisation's decisions following a risk assessment, made within a clearly defined scope and taking account of factors specific to the organisation (business needs and impact, availability of resources, regulations, etc.).

To support this, the document provides a methodology for categorising an organisation's specific controls by theme and attributes. An example of using attributes in this way is given in Annex A of ISO/IEC 27002:2022.

ISO 27002:2013 comparison with ISO 27002:2022

Related Standards

Sector specific standards for additional controls