Governance Briefing — February 15, 2022
ISO/IEC 27002:2022 radically restructures the information security control catalogue that underpins ISO/IEC 27001. The update reduces the control count from 114 to 93, consolidates 56 legacy controls into broader categories, and introduces 11 net‑new controls for cloud security, threat intelligence, configuration management, secure coding and other modern topics【115303387076474†L171-L221】. For organisations maintaining an ISMS, these changes mean updating risk assessments, statements of applicability and governance structures before the October 2025 transition deadline. This briefing explains the purpose of ISO/IEC 27002, the changes in the 2022 edition and steps for implementing the new controls.
Executive summary. The ISO/IEC 27002:2022 revision overhauls the guidance that supports ISO/IEC 27001 certifications. Whereas the 2013 edition grouped 114 information security controls into 14 domains, the new standard consolidates these into four themes—Organizational, People, Physical, and Technological. It reduces redundancy by merging 56 controls and introduces 11 new controls aligned with today’s cloud‑centric and threat‑intelligence‑driven landscape【115303387076474†L171-L221】. Organisations now have until October 2025 to incorporate these changes into their information security management systems (ISMS) as part of the ISO/IEC 27001:2022 transition.
Background: purpose of ISO/IEC 27002
ISO/IEC 27002 is a supporting standard to ISO/IEC 27001. While ISO/IEC 27001 defines the requirements for establishing and maintaining an ISMS, ISO/IEC 27002 provides a reference set of controls with implementation guidance【400101693286437†L146-L157】. It covers a broad range of information security topics—access control, cryptography, human resource security, physical protection and incident response—and gives organisations a practical blueprint for managing risks【400101693286437†L146-L170】. Applying these controls strengthens risk management, enhances stakeholder trust and supports regulatory compliance【400101693286437†L159-L206】.
From domains to themes: restructuring the controls
The 2013 edition of ISO/IEC 27002 contained 114 controls across 14 domains (e.g., Information Security Policies, Access Control, Cryptography). The 2022 edition introduces a thematic structure with just four categories:
- Organizational – governance, risk management, supplier relationships, technology acquisition, incident management and business continuity.
- People – user responsibilities, awareness and training, and human resources.
- Physical – protection of equipment, secure workspaces, visitor management and physical access control.
- Technological – technical measures covering network security, identity and authentication, encryption, system configuration and monitoring.
According to Pivot Point Security’s analysis, over 75 percent of the revised control set falls under the Organizational and Technological themes【115303387076474†L171-L176】. The consolidation reduces overlaps—56 controls were merged into 24, with some combinations folding up to four legacy controls into one【115303387076474†L175-L179】. Only one control from the 2013 edition (Removal of assets) was dropped because it is now covered under physical security measures【115303387076474†L186-L190】. Organisations should map their existing controls to these new themes, update their Statements of Applicability (SoA) and consider how the broader categories affect risk ownership and audit documentation.
The eleven new controls: what’s included and why they matter
ISO/IEC 27002:2022 introduces 11 net‑new controls to address evolving threats and technology trends【115303387076474†L194-L221】. Each appears in the list below with a summary of its intent:
- Threat intelligence (5.7) – Establish processes to gather, analyse and share information about threat actors, tactics and indicators. Integrating threat intelligence into security operations improves situational awareness and helps proactively adjust defences.
- Information security for use of cloud services (5.23) – Define policies and due diligence requirements for selecting, onboarding and monitoring cloud service providers. As more workloads move to SaaS, IaaS and PaaS, organisations need controls covering data residency, shared responsibility and exit strategies.
- ICT readiness for business continuity (5.30) – Ensure that information and communication technology (ICT) can support business continuity plans. This includes redundancy, fault tolerance, disaster recovery, and testing to ensure critical services remain available during disruptions.
- Physical security monitoring (7.4) – Address surveillance and intrusion detection for physical environments (e.g., cameras, alarms, guards) and ensure integration with incident response procedures.
- Configuration management (8.9) – Require documented processes for establishing, implementing and maintaining secure configurations for systems, networks and applications. Configuration baselines, change control and periodic reviews mitigate misconfiguration risks.
- Information deletion (8.10) – Provide guidance on securely erasing data when it is no longer needed. This includes sanitisation of storage media, cryptographic erasure and disposal procedures to prevent data remanence.
- Data masking (8.11) – Introduce requirements for masking or anonymising sensitive data in non‑production environments or when providing data to third parties. Data masking supports privacy compliance and reduces exposure during testing and analytics.
- Data leakage prevention (8.12) – Define technical and organisational measures to detect and prevent unauthorised data exfiltration. This encompasses monitoring outbound traffic, content inspection and enforcing policies for removable media and cloud storage.
- Monitoring activities (8.16) – Mandate continuous monitoring of security controls and events. This includes log collection, correlation and analysis to detect anomalies and support incident response.
- Web filtering (8.23) – Require technologies and policies to control access to web content that may be malicious or inappropriate. Web filtering helps reduce exposure to drive‑by downloads, phishing and productivity threats.
- Secure coding (8.28) – Emphasise secure software development practices such as input validation, error handling, secure libraries and code reviews. With the rise of supply‑chain attacks, secure coding helps reduce vulnerabilities before deployment.
The emergence of these controls demonstrates the standard’s increasing focus on cloud governance, continuous monitoring and development lifecycle security. They also complement existing extension standards (ISO 27017 for cloud services, ISO 27018 for privacy in the cloud), prompting questions about future consolidation【115303387076474†L222-L230】.
Attributes and tagging: enhancing control context
Another major innovation in ISO/IEC 27002:2022 is the introduction of attributes (written as hashtags) that give each control additional context. Every control carries a value from each of five attribute dimensions: control type (#Preventive, #Detective, #Corrective), information security properties (#Confidentiality, #Integrity, #Availability), cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover), operational capabilities (for example #Governance, #Asset_management, #Identity_and_access_management) and security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience). Note that Organizational, People, Physical and Technological are the themes that organise the catalogue, not attributes. The attributes let organisations sort and filter controls by purpose, ownership and implementation maturity, and they simplify cross‑walks to other frameworks: the cybersecurity‑concept attribute uses the same five functions as the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), so that mapping is largely direct, whereas mappings to frameworks with different groupings, such as SOC 2 trust services criteria, still require judgement.
Transitioning to ISO/IEC 27001:2022
On 25 October 2022, ISO/IEC 27001:2022 was published, incorporating the revised Annex A control set derived from ISO/IEC 27002:2022. Organisations certified to ISO/IEC 27001:2013 have until 31 October 2025 to complete the transition. Key steps include:
- Gap assessment. Compare existing ISMS controls and SoA to the 93 revised controls. Identify missing controls, redundancies and areas requiring policy or procedure updates.
- Update risk assessment. Re‑evaluate threats and vulnerabilities in light of the new controls (e.g., cloud service risk, secure coding practices). This may involve expanding risk registers and treatment plans.
- Revise documentation. Update policies, procedures and process documentation to reflect the new themes, controls and attributes. Ensure that each new control is implemented appropriately and documented.
- Train stakeholders. Provide awareness training for security teams, developers and business owners on the new controls and attributes. Emphasise the importance of secure coding, data leakage prevention and continuous monitoring.
- Engage auditors. Work with certification bodies to understand their expectations for the transition. Plan for intermediate surveillance audits or incorporate the transition into recertification cycles.
- Leverage automation. Use tools and platforms to manage configuration baselines, monitor activity logs, enforce data masking and track vulnerability remediation. Automation helps maintain compliance and reduces manual effort.
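The gap-assessment step above, and the attribute cross‑walk described in the attributes section, can both be scripted against an exported Statement of Applicability. The Python below is an added example written for this briefing, not tooling from ISO or from Zeph Tech. Its table mapping 2013 control numbers onto 2022 controls, and the cybersecurity‑concept attribute values it assigns, are a constructed excerpt for illustration only; the authoritative correspondence is Annex B of ISO/IEC 27002:2022 and the attribute values are stated in each control's clause. The script reads a 2013‑style SoA, reports net‑new controls that need a fresh applicability decision, merged controls whose legacy decisions agree or conflict (or whose legacy rows are missing), legacy rows with no successor in the table, and then groups the net‑new controls by cybersecurity concept, which mirrors the five NIST CSF functions.

```python
"""Gap-assessment helper for the 2013 -> 2022 control transition.

Added example, not tooling from ISO or the briefing's author. The
correspondence table and attribute values below are a constructed
excerpt; take the authoritative versions from Annex B of
ISO/IEC 27002:2022 and from each control's clause.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control2022:
    ident: str
    title: str
    legacy: tuple      # 2013 control numbers folded into this one; () means net-new
    concepts: tuple    # cybersecurity-concept attribute values (Identify ... Recover)


# Constructed excerpt of the 2013 -> 2022 correspondence (illustrative, not Annex B).
CONTROLS_2022 = [
    Control2022("5.1", "Policies for information security", ("5.1.1", "5.1.2"), ("Identify",)),
    Control2022("5.7", "Threat intelligence", (), ("Identify", "Detect", "Respond")),
    Control2022("5.15", "Access control", ("9.1.1", "9.4.1"), ("Protect",)),
    Control2022("5.23", "Information security for use of cloud services", (), ("Protect",)),
    Control2022("8.9", "Configuration management", (), ("Protect",)),
    Control2022("8.16", "Monitoring activities", (), ("Detect", "Respond")),
    Control2022("8.24", "Use of cryptography", ("10.1.1", "10.1.2"), ("Protect",)),
    Control2022("8.28", "Secure coding", (), ("Protect",)),
]

# Constructed 2013 SoA excerpt: control number -> applicable?
SOA_2013 = {
    "5.1.1": True, "5.1.2": True,
    "9.1.1": True, "9.4.1": False,   # conflicting decisions inside one merged control
    "10.1.1": True, "10.1.2": True,
    "11.2.5": True,                  # Removal of assets: no 2022 successor per the briefing
}


@dataclass
class GapReport:
    new: list = field(default_factory=list)       # net-new: needs a fresh applicability decision
    carried: list = field(default_factory=list)   # (ident, decision) where all legacy rows agree
    mixed: list = field(default_factory=list)     # legacy rows disagree or are missing from the SoA
    orphaned: list = field(default_factory=list)  # 2013 rows with no successor in the table


def assess(soa_2013, controls):
    """Fold 2013 SoA decisions onto the 2022 control set and flag what needs attention."""
    report = GapReport()
    seen_legacy = set()
    for c in controls:
        if not c.legacy:
            report.new.append(c.ident)
            continue
        seen_legacy.update(c.legacy)
        decisions = {soa_2013.get(number) for number in c.legacy}   # None = row missing
        if len(decisions) == 1 and None not in decisions:
            report.carried.append((c.ident, decisions.pop()))
        else:
            report.mixed.append(c.ident)
    report.orphaned = sorted(set(soa_2013) - seen_legacy)
    return report


def by_concept(idents, controls):
    """Group control identifiers by cybersecurity-concept attribute (the NIST CSF functions)."""
    lookup = {c.ident: c for c in controls}
    grouped = defaultdict(list)
    for ident in idents:
        for concept in lookup[ident].concepts:
            grouped[concept].append(ident)
    return dict(grouped)


if __name__ == "__main__":
    report = assess(SOA_2013, CONTROLS_2022)
    print("net-new, decide applicability:", report.new)
    print("carried over:", report.carried)
    print("conflicting or incomplete legacy decisions:", report.mixed)
    print("legacy rows without successor:", report.orphaned)
    print("new controls by concept:", by_concept(report.new, CONTROLS_2022))
```

Every identifier in `mixed` needs a risk‑owner decision before the row can be written into the 2022 SoA (in the constructed input, Access control 5.15 inherits one applicable and one not‑applicable legacy row); every `orphaned` entry needs recorded evidence that its intent is covered elsewhere, as the briefing notes for Removal of assets under physical security; and grouping `new` by concept gives a first cut at which detection, response or protection capabilities the net‑new controls will demand.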
Since the new controls focus heavily on cloud, monitoring and development practices, organisations may need to expand their technical toolkits—investing in cloud security posture management (CSPM), data leakage prevention (DLP) platforms, secure code scanning tools and SIEM solutions. Aligning with these controls can also support compliance with other frameworks, such as GDPR, SOC 2 and state privacy laws.
Implications and benefits for organisations
The ISO/IEC 27002:2022 update offers several benefits:
- Modern relevance. By consolidating outdated controls and adding new ones for cloud and secure development, the standard better reflects today’s threat landscape. Organisations adopting the new controls will be better prepared for cloud security, DevSecOps and advanced persistent threats.
- Streamlined management. Fewer controls and the thematic structure simplify implementation and audit processes. This helps SMEs and large enterprises alike to maintain a clear view of their control environment.
- Alignment with other standards. The new attributes and themes make it easier to map ISO controls to frameworks like NIST CSF, CIS Controls and the Cybersecurity Maturity Model Certification (CMMC). Organisations operating in multiple regulatory environments can leverage these mappings to reduce duplication.
- Better decision‑making. Tags and consolidated controls make it easier for executives and risk committees to prioritise investments, assign accountability and evaluate control effectiveness.
- Enhanced supply‑chain security. With new controls on threat intelligence and cloud services, the update prompts organisations to scrutinise third‑party providers and implement continuous monitoring for vendor risks.
Zeph Tech analysis and recommendations
For organisations relying on ISO/IEC 27001 certification, the 2022 revision of ISO/IEC 27002 is more than a minor update. It signals a shift toward proactive, intelligence‑driven security, cloud governance and secure software development. Zeph Tech recommends that clients:
- Start now. Begin gap assessments and planning immediately rather than waiting for the transition deadline. This will ensure smoother audits and prevent last‑minute compliance issues.
- Integrate threat intelligence. Develop a structured threat intelligence program and connect it to incident response workflows. Leverage information from industry ISACs, government advisories and commercial feeds.
- Harden cloud environments. Use the new cloud security control (5.23) to formalise due diligence, shared responsibility agreements, and exit strategies with SaaS and IaaS providers. Consider multi‑cloud governance tools for visibility.
- Invest in secure development practices. Establish a secure development lifecycle (SDLC) that incorporates code scanning, dependency management and developer training. Adopt guidelines from OWASP and SANS to complement the new secure coding control.
- Monitor continuously. Implement robust logging and monitoring solutions to fulfil the monitoring activities control (8.16). Use security analytics and automation to detect anomalous behaviour and generate evidence for audits.
- Use the attributes strategically. Record the five attribute values (control type, information security property, cybersecurity concept, operational capability and security domain) for each control in your ISMS. This helps cross‑map to other frameworks, in particular NIST CSF through the cybersecurity‑concept attribute, and demonstrates maturity to stakeholders.
The 2022 update to ISO/IEC 27002 ensures that information security controls remain relevant and actionable in an era of rapid technological change. Organisations that embrace the new structure and implement the additional controls will position themselves to better manage risks, support digital transformation and strengthen stakeholder confidence.