ISO Publishes ISO/IEC 27002:2022 with Modernized Security Controls
ISO released ISO/IEC 27002:2022 on February 15, 2022, restructuring Annex A security controls into four themes with new attributes for zero trust, cloud, and threat intelligence to align with modern risk management expectations.
Executive briefing: The International Organization for Standardization (ISO) published ISO/IEC 27002:2022 on February 15, 2022, replacing the 2013 edition that organizations use to implement Annex A of ISO/IEC 27001. The update consolidates 114 controls into 93, introduces five new controls, and adds control attributes for cloud, data classification, and threat intelligence to better support zero trust and digital operations.
Key control changes
- Four control themes. Controls are regrouped into Organizational, People, Physical, and Technological domains to streamline governance mapping.
- New controls. Additions include threat intelligence, information security for cloud services, ICT readiness for business continuity, and secure configuration requirements.
- Attribute model. Each control now carries attributes such as control type, information security properties, and security domains to facilitate risk-based selection.
Implementation guidance
- Update ISO/IEC 27001 Annex A Statement of Applicability mappings to reflect the renumbered controls and the five new requirements.
- Incorporate the attribute model into control catalogs and tooling so security, privacy, and resilience teams can filter controls by zero trust, cloud, and supplier relevance.
- Plan transition projects aligned with certification bodies’ two-year migration window once ISO/IEC 27001:2022 audits commence.