ISO/IEC 27002:2022 – What has changed?
ISO/IEC 27002:2022 is designed for all types of organisations. It is to be used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001.
Other specific requirements can be determined through risk assessment as necessary. Compared with the previous version of the standard, the main changes include:
- Modified title
- Simplified structure of the controls using a simple taxonomy and associated attributes
- Correspondence between previous and new controls can be found in Annex B of ISO/IEC 27002:2022
This document provides a generic mixture of organisational, people, physical and technological information security controls derived from internationally recognised best practices. Determining controls depends on the organisation’s decisions following a risk assessment, with a clearly defined scope, and on factors specific to the organisation (business needs and impact, availability of resources, regulations, etc.).
As such, the document provides a methodology for categorising an organisation’s specific controls based on themes and attributes. An example is available in Annex A of ISO/IEC 27002:2022.
ISO 27002:2013 comparison with ISO 27002:2022