ISO/IEC 27002:2022 information security controls published

On 15 February 2022, ISO published ISO/IEC 27002:2022, the first major revision since 2013. The update restructures information security controls from 14 domains into four themes (Organizational, People, Physical, Technological) and introduces 11 new controls addressing threat intelligence, cloud security, data masking, and other contemporary security requirements. The revision directly informs the Annex A controls in ISO/IEC 27001:2022.

Structural changes

ISO 27002:2022 consolidates 114 controls into 93 controls organized across four themes. Organizational controls (37) address policies, governance, and processes. People controls (8) cover human resources security and awareness. Physical controls (14) address premises and equipment. Technological controls (34) cover systems, networks, and applications.

The revision introduces attribute tagging for controls: control types (preventive, detective, corrective), security properties (CIA triad), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. These attributes support setup planning and compliance mapping.

New controls

Eleven new controls address emerging security challenges: Threat intelligence (5.7), Information security for cloud services (5.23), ICT readiness for business continuity (5.30), Physical security monitoring (7.4), Configuration management (8.9), Information deletion (8.10), Data masking (8.11), Data leakage prevention (8.12), Monitoring activities (8.16), Web filtering (8.23), and Secure coding (8.28).

These additions reflect evolving threat landscapes, cloud adoption, data protection requirements, and software development security practices. If you are affected, assess which new controls apply to their context and plan setup as needed.

Factors for implementation

Organizations using ISO 27002:2013 as setup guidance should map existing controls to the 2022 structure. While control objectives remain similar, the reorganization and new controls may reveal gaps. Update control documentation, risk assessments, and statements of applicability to reflect the 2022 framework.

Organizations certified to ISO 27001 should coordinate ISO 27002 adoption with the ISO 27001:2022 transition timeline (deadline: October 2025). The 2022 revision improves alignment with other frameworks including NIST CSF and CIS Controls, helping integrated compliance programs.

Compliance Program Management

Compliance programs should be evaluated against the new requirements to identify gaps and focus on remediation activities. Risk-based approaches help focus resources on the most significant compliance exposures while maintaining proportionate controls across the organization.

Regulatory monitoring should track related developments, enforcement trends, and guidance updates that may affect compliance interpretations or requirements. early engagement with regulatory developments helps organizations anticipate changes and avoid compliance surprises.

Compliance Documentation and Evidence

Your compliance team should document setup activities, policy updates, and control changes as evidence of regulatory compliance efforts. Audit trails should show timely response to regulatory developments and ongoing commitment to compliance requirements. Regular reviews should verify that documented procedures reflect actual operational practices and that evidence collection supports audit and examination processes.

Stakeholder communications should keep relevant parties informed of compliance status, setup progress, and any operational impacts resulting from regulatory changes.

Detailed guidance

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Assurance and verification

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Working with vendors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

What planners should consider

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

How to measure progress

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

Strategic impact

This development carries significant strategic implications for organizations across multiple sectors. Business leaders should evaluate how these changes affect their competitive positioning, operational models, and stakeholder relationships. Early adopters who address emerging requirements often gain advantages over competitors who delay action until compliance becomes mandatory.

Strategic planning should incorporate scenario analysis that considers various implementation approaches and their associated costs, benefits, and risks. Organizations should also consider how their response to this development affects relationships with customers, partners, regulators, and other key stakeholders.

Excellence in operations

Achieving operational excellence in response to this development requires systematic attention to process design, technology enablement, and workforce capabilities. Organizations should establish clear operational metrics that track both compliance outcomes and process efficiency, enabling continuous improvement over time.

Operational processes should be designed with appropriate controls, checkpoints, and escalation procedures to ensure consistent execution and timely issue resolution. Automation opportunities should be evaluated and prioritized based on their potential to improve accuracy, reduce costs, and enhance scalability.

How governance applies

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Sustaining progress

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

Immediate steps

• Assessment requirement: Evaluate current practices against the updated requirements outlined in this analysis.
• Documentation update: Review and update relevant policies, procedures, and technical documentation.
• Stakeholder communication: Brief affected teams on timeline implications and resource requirements.
• Compliance verification: Schedule internal review to confirm alignment with guidance.

See also

Selected articles on related subjects.

Compliance · Credibility 88/100 · February 15, 2022

ISO Publishes ISO/IEC 27002:2022 with Modernized Security Controls

ISO and IEC’s publication of ISO/IEC 27002:2022 forces enterprises, auditors, and certification bodies to plan multi-year transition programs, align Annex A mappings, and coordinate sector regulators on the refreshed…

Compliance · Credibility 95/100 · March 8, 2022

Compliance — ISO 27001:2022

ISO/IEC 27001:2022 publishes with updated Annex A controls, organizational context requirements, and cloud security guidance, requiring organizations to transition from the 2013 edition within three years while…

Compliance · Credibility 91/100 · March 31, 2022

PCI DSS version 4.0 released

The PCI Security Standards Council published PCI DSS v4.0 on 31 March 2022, expanding requirements for authentication, e-commerce, and risk-based testing with transition timelines into 2025.

Compliance · Credibility 71/100 · June 10, 2021

China passes Data Security Law

China’s National People’s Congress adopted the Data Security Law on 10 June 2021, establishing data classification, localization, and export review obligations effective 1 September 2021.

Compliance · Credibility 94/100 · October 25, 2022

ISO/IEC 27001:2022 standard published

On 25 October 2022 ISO published ISO/IEC 27001:2022, updating the information security management system standard with restructured controls aligned to ISO/IEC 27002:2022.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

February 15, 2022

Coverage pillar

Compliance

Source credibility

94/100 — high confidence

Topics

ISO 27002 · information security · security controls · compliance

Sources cited

2 sources (iso.org, cvedetails.com)

Reading time

6 min

Cited sources

1. ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — International Organization for Standardization
2. CVE Details - Vulnerability Database — CVE Details