
ISO 27002:2022 Explained: What Changed and Why It Matters for ISO 27001

Understand the ISO 27002:2022 revision, restructured controls, new additions, and what it means for your ISO 27001 certification and Annex A compliance.

Agency Team · 9 min read

The ISO 27002:2022 revision was the most significant update to the standard in nearly a decade — and its ripple effects on ISO 27001 certification are still being felt. Understanding what changed helps you prepare for your next surveillance audit or initial certification.

ISO/IEC 27002:2022 represents a fundamental restructuring of the information security controls that organizations worldwide rely on for their ISO 27001 implementations. The revision reduced 114 controls across 14 domains to 93 controls across 4 themes, added 11 entirely new controls reflecting modern security challenges, and introduced attribute-based tagging for more flexible control classification. If you are certified or pursuing ISO 27001, this revision directly affects your Annex A controls, Statement of Applicability, and certification audit.

This guide explains what ISO 27002 is and its relationship to ISO 27001, the major changes in the 2022 revision, the impact on ISO 27001 certification, a spotlight on the 11 new controls, and a migration guide for organizations transitioning from the 2013 version.

What Is ISO 27002?

ISO 27002 is the implementation guidance standard that accompanies ISO 27001. ISO 27001 defines the requirements for an Information Security Management System (ISMS) and lists the reference controls in Annex A; ISO 27002 describes each of those controls in detail, with a control statement, its purpose, implementation guidance, and other information.

Think of the relationship this way: ISO 27001 Annex A is the "what" (the controls you must consider when deciding what goes into your Statement of Applicability), and ISO 27002 is the "how" (guidance on implementing each one). Certification is to ISO 27001 only. ISO 27002 is guidance rather than a set of auditable requirements, but auditors use it as the reference for whether a control is implemented as intended, so an implementation that departs from the guidance needs a documented rationale.

Why the Revision Matters

The previous version (ISO 27002:2013) organized 114 controls into 14 clauses that reflected the security landscape of over a decade ago. Since then, cloud computing, remote work, DevOps, threat intelligence, and data privacy regulations have fundamentally changed how organizations manage information security. The 2022 revision modernizes the control catalog to reflect these realities.

Major Changes in the 2022 Revision

Structural Reorganization: 14 Domains → 4 Themes

The most visible change is the complete reorganization of the control structure:

2013 structure                                                | 2022 structure
14 control clauses (A.5 through A.18)                         | 4 themes
114 controls                                                  | 93 controls
Domain-based (e.g. "Human Resource Security", "Cryptography") | Theme-based (Organizational, People, Physical, Technological)

The four themes in the 2022 version:

Theme          | Controls | Scope
Organizational | 37       | Policies, roles, asset management, access control, supplier management, incident management, business continuity, compliance
People         | 8        | Screening, employment terms, awareness and training, disciplinary process, termination, remote working
Physical       | 14       | Perimeters, entry controls, office security, monitoring, environmental threats, equipment
Technological  | 34       | Endpoints, access rights, authentication, capacity, malware, vulnerability management, configuration, networks, coding

Control Count Changes

The reduction from 114 to 93 controls does not mean less security. The revision merged overlapping controls, split one control that straddled two topics, and added new ones; the 93 controls break down as follows:

  • 11 new controls added to address modern security challenges
  • 24 merged controls, each combining two or more 2013 controls (57 of the old controls were absorbed this way)
  • 58 controls carried over with updated guidance and new numbering but substantially the same intent
  • 1 control split: 2013 control 18.2.3 (technical compliance review) is divided between 5.36 (compliance with policies, rules and standards for information security) and 8.8 (management of technical vulnerabilities)

Attribute Tagging

The 2022 version tags every control with five attributes, written as hashtags in the standard (for example #Preventive, #Confidentiality), so that the catalog can be sorted and filtered along dimensions other than the four themes:

Attribute                     | Values
Control type                  | Preventive, Detective, Corrective
Information security property | Confidentiality, Integrity, Availability
Cybersecurity concept         | Identify, Protect, Detect, Respond, Recover
Operational capability        | 15 values: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, Information security assurance
Security domain               | Governance and ecosystem, Protection, Defence, Resilience

A control can carry more than one value per attribute. The attributes let you view the catalog through different lenses: all detective controls when you are building a monitoring program, all controls tagged Confidentiality for a data-protection review, or the Cybersecurity concept attribute (which reuses the NIST CSF function names) when you need a cross-reference to a CSF-based program. The attributes are informative only; they change nothing about what an auditor expects to see in the SoA.

Impact on ISO 27001 Certification

ISO 27001:2022 updated its Annex A to align exactly with ISO 27002:2022. This means:

For New Certifications

Since 1 May 2024, new ISO 27001 certifications are issued only against ISO 27001:2022. Your Statement of Applicability must reference the 93 controls organized in the four themes (plus any additional controls you have chosen beyond Annex A), and auditors assess your implementation with ISO 27002:2022 as their reference guidance.

For Existing Certifications

Organizations certified under ISO 27001:2013 have until 31 October 2025 (the end of the three-year transition period set by the IAF) to transition; certificates to the 2013 version are withdrawn after that date. Transition work involves:

  1. Update your Statement of Applicability: map your existing controls to the new 93-control structure using the correspondence tables in ISO 27002:2022 Annex B, and add rows for the 11 new controls
  2. Address new controls: run each of the 11 new controls through your risk assessment, implement those that are applicable, and record a justification for any you exclude
  3. Update documentation: policies, procedures, the risk treatment plan and internal audit records should reference the new control numbering (ISO 27001:2022 also made small changes to the management-system clauses 4 to 10, which need checking separately)
  4. Transition audit: your certification body verifies the transition during a surveillance or recertification visit; expect additional audit time to be scheduled for it

What Auditors Look For During Transition

Auditors want evidence that you have genuinely mapped your controls to the new structure rather than renumbering references, that each of the 11 new controls was evaluated through your risk assessment with the decision and its justification recorded in the SoA, that an internal audit and management review have covered the 2022 version, and that existing controls kept operating throughout the transition.

For full ISO 27001 requirements, see our ISO 27001 requirements checklist.

New Controls Spotlight

The 11 new controls in ISO 27002:2022 reflect modern security challenges:

A.5.7 — Threat Intelligence

Collect and analyze information about information security threats to produce actionable threat intelligence. The 2013 version had no control that explicitly required this. ISO 27002's guidance distinguishes strategic intelligence (the changing threat landscape), tactical intelligence (attacker methodologies, tools and technologies) and operational intelligence (specific attacks and their technical indicators). Implementation includes subscribing to threat feeds, participating in information-sharing communities, and feeding what you learn into risk assessment, technical controls such as blocklists, and incident response.

A.5.23 — Information Security for Use of Cloud Services

Establish processes for acquisition, use, management, and exit from cloud services. This addresses the reality that most organizations now rely heavily on cloud infrastructure and SaaS platforms. Implementation includes cloud security policies, shared responsibility documentation, and cloud service provider assessment.

A.5.30 — ICT Readiness for Business Continuity

Ensure ICT readiness to support business operations during disruptions. This goes beyond traditional backup and recovery to address ICT infrastructure resilience, recovery testing, and technology contingency planning.

A.7.4 — Physical Security Monitoring

Monitor physical premises to detect unauthorized physical access. This covers CCTV, intruder alarms and sensors at access points and in sensitive areas, and the monitoring of those systems. Physical monitoring was implicit in the 2013 version and is now an explicit control; as with every Annex A control, you decide its applicability through the risk assessment and justify that decision in the SoA.

A.8.9 — Configuration Management

Establish, document, implement, monitor and review configurations of hardware, software, services and networks, including security baselines (standard templates) and detection of drift from them. This addresses security misconfiguration, one of the most common causes of breaches.

A.8.10 — Information Deletion

Delete information stored in information systems, devices, or any other storage media when no longer required. This supports data minimization and privacy compliance.

A.8.11 — Data Masking

Implement data masking in accordance with access control policies and business requirements. This supports privacy protection and reduces risk from unauthorized data exposure in development, testing, and analytics environments.
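As an added example, not code from the standard or from this article's authors, here is how a per-environment masking policy along the lines of A.8.11 can be implemented in Python. The field names, policy table, key and sample record are constructed for illustration. It separates the two techniques that are usually conflated: keyed pseudonymization (a deterministic HMAC token, so joins and uniqueness constraints still work in test and analytics copies) and display masking (keeping only the last four digits of a card number). It fails closed on any field or environment that has no rule.

```python
"""Environment-aware data masking for non-production copies of customer data.

Added example for this article; ISO/IEC 27002 describes the control, not an
implementation. Field names, the policy table, the key and the record are
constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed key. Keep the real one in the production secret store and never
# ship it with the masked data set: a keyed token is only as strong as the
# secrecy of the key. An UNKEYED hash of an email or card number can be
# reversed by hashing a dictionary of likely inputs.
MASKING_KEY = b"example-masking-key-rotate-me"

PASS = object()  # sentinel: field is allowed through unchanged


def pseudonymize(value, key=MASKING_KEY):
    """Deterministic keyed token: equal inputs give equal tokens, so joins and
    uniqueness constraints keep working in test/analytics copies."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan):
    """Display masking for a card number: keep the last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr):
    """Pseudonymize the local part, keep the domain (useful for analytics)."""
    local, at, domain = addr.partition("@")
    if not at:
        raise ValueError("not an email address")
    return f"{pseudonymize(local)}@{domain}"


# Per-environment policy. Every field a record may carry must be listed;
# anything unlisted is rejected rather than copied through.
RULES = {
    "test": {
        "customer_id": PASS,
        "full_name": pseudonymize,
        "email": mask_email,
        "card_number": mask_pan,
    },
    "analytics": {
        "customer_id": PASS,
        "full_name": lambda _v: "[redacted]",
        "email": pseudonymize,  # whole address tokenized; domain not needed here
        "card_number": mask_pan,
    },
}


def mask_record(record, environment):
    """Apply the masking policy for `environment`; fail closed on anything unknown."""
    try:
        rules = RULES[environment]
    except KeyError:
        raise ValueError(f"no masking policy for environment {environment!r}")
    out = {}
    for field, value in record.items():
        if field not in rules:
            raise ValueError(f"field {field!r} has no masking rule; refusing to copy it")
        rule = rules[field]
        out[field] = value if rule is PASS else rule(value)
    return out


SAMPLE = {  # constructed record
    "customer_id": "C-1001",
    "full_name": "Ada Lovelace",
    "email": "ada@example.org",
    "card_number": "4111 1111 1111 1111",
}

if __name__ == "__main__":
    for env in ("test", "analytics"):
        print(env, mask_record(SAMPLE, env))
```

The design choice worth noting is the allowlist: a new column added to the production schema will break the copy job instead of leaking silently, which is the behaviour you want an auditor to find when they ask how A.8.11 is enforced rather than merely documented.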

A.8.12 — Data Leakage Prevention

Apply data leakage prevention measures to systems, networks, and endpoints to detect and prevent unauthorized disclosure of sensitive information. DLP was previously addressed indirectly; this makes it an explicit control.

A.8.16 — Monitoring Activities

Monitor systems and networks for anomalous behavior and take appropriate actions to evaluate potential security incidents. This formalizes the need for continuous security monitoring.

A.8.23 — Web Filtering

Manage access to external websites to reduce exposure to malicious content. This addresses the risk of malware delivery and data exfiltration through web browsing.

A.8.28 — Secure Coding

Establish and apply secure coding principles to software development. This covers secure SDLC practices, code review, and security testing in development pipelines.

For a deep dive on specific Annex A controls, see our guide on ISO 27001 Annex A Control 5.23 and ISO 27001 risk register explained.

Migration Guide

Step 1: Map Existing Controls (2-4 Weeks)

Create a mapping between your current 2013-version controls and the 2022 structure. Use the correspondence tables in ISO 27002:2022 Annex B as your reference (B.1 lists each 2022 control with its 2013 predecessors; B.2 runs the other way). Identify which of your existing controls simply take a new number, which are consolidated into a merged control, and whether any (such as 18.2.3) are split across two new controls.

Step 2: Address New Controls (2-4 Weeks)

For each of the 11 new controls, conduct a risk-based applicability assessment. If the control is applicable, determine your current implementation status (you may already be doing it informally) and formalize the implementation. If not applicable, document the justification for exclusion in your SoA.

Step 3: Update Documentation (2-4 Weeks)

Update your Statement of Applicability, risk treatment plan, policies and procedures to reference the new control numbering and structure. This is primarily a documentation exercise if your actual controls have not changed, but refresh the risk assessment at the same time so that the 11 new controls enter the SoA through it rather than being added by hand.

Step 4: Verify with Your CB (1-2 Weeks)

Coordinate with your certification body on the transition audit timing and requirements. Most CBs accommodate the transition during scheduled surveillance audits.
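As an added example (not ISO tooling and not this article's own code), the following Python script carries out Steps 1 to 3 mechanically: it reads a 2013-version SoA, applies a correspondence table, and produces a draft 2022 SoA together with the items that still need a human decision. The correspondence table is a hand-picked subset of the Annex B mapping, chosen to cover the renumbered, merged, split and new cases; the SoA rows are constructed sample data.

```python
"""Draft a 2022-structure Statement of Applicability from a 2013-version SoA.

Added example for this article; certification bodies do not prescribe a script.
CORRESPONDENCE is a hand-picked SUBSET of the mapping published in ISO/IEC
27002:2022 Annex B, chosen to cover the cases a migration must handle:
renumbered, merged, split and new controls. OLD_SOA is a constructed sample.
"""
from collections import defaultdict

# 2022 control -> (title, 2013 controls it absorbs). Empty list = new in 2022.
CORRESPONDENCE = {
    "5.1":  ("Policies for information security", ["5.1.1", "5.1.2"]),       # merge
    "5.7":  ("Threat intelligence", []),                                     # new
    "5.16": ("Identity management", ["9.2.1"]),                              # renumbered
    "5.36": ("Compliance with policies, rules and standards for information security",
             ["18.2.2", "18.2.3"]),
    "8.8":  ("Management of technical vulnerabilities", ["12.6.1", "18.2.3"]),  # 18.2.3 is split over 5.36 and 8.8
    "8.9":  ("Configuration management", []),                                # new
    "8.24": ("Use of cryptography", ["10.1.1", "10.1.2"]),                   # merge
}

# Constructed 2013-version SoA rows: control -> (applicable?, justification).
OLD_SOA = {
    "5.1.1": (True, "Policy set approved by management"),
    "5.1.2": (True, "Annual policy review"),
    "9.2.1": (True, "Joiner/mover/leaver process in HR system"),
    "10.1.1": (True, "Cryptography policy"),
    "10.1.2": (False, "No internal PKI; keys held in cloud KMS"),  # disagrees with 10.1.1
    "11.2.7": (True, "Disk wipe before disposal"),  # not in the subset above: must be flagged, not dropped
    "12.6.1": (True, "Monthly vulnerability scanning"),
    "18.2.2": (True, "Quarterly policy compliance reviews"),
    "18.2.3": (True, "Annual technical compliance review by external tester"),
}


def migrate(old_soa, correspondence):
    """Return a draft 2022 SoA plus the review lists a human must work through."""
    draft, needs_decision, conflicts = {}, [], []
    targets = defaultdict(list)  # 2013 id -> 2022 ids it feeds; more than one = split
    for new_id, (title, sources) in correspondence.items():
        for old in sources:
            targets[old].append(new_id)
        present = [old for old in sources if old in old_soa]
        if not present:
            # New control (or none of its predecessors were in the old SoA): the
            # applicability decision must come from the risk assessment.
            draft[new_id] = {"title": title, "applicable": None,
                             "sources": [], "justification": ""}
            needs_decision.append(new_id)
            continue
        flags = {old_soa[old][0] for old in present}
        if len(flags) > 1:
            conflicts.append(new_id)  # components disagreed; rewrite the justification
        draft[new_id] = {
            "title": title,
            "applicable": True in flags,  # a merged control stays in scope if any part was
            "sources": present,
            "justification": "; ".join(f"{old}: {old_soa[old][1]}" for old in present),
        }
    splits = {old: ids for old, ids in targets.items() if len(ids) > 1}
    unmapped = sorted(set(old_soa) - set(targets))  # old rows the table does not cover
    return {"draft": draft, "needs_decision": needs_decision, "conflicts": conflicts,
            "splits": splits, "unmapped": unmapped}


def report(result):
    """Plain-text summary for the transition working session."""
    status = {True: "applicable", False: "excluded", None: "DECIDE"}
    lines = [f"{new_id:<5} {status[row['applicable']]:<10} <- {', '.join(row['sources']) or 'new'}"
             for new_id, row in result["draft"].items()]
    lines.append(f"new controls needing a risk-based decision: {result['needs_decision']}")
    lines.append(f"merged controls whose components disagreed: {result['conflicts']}")
    lines.append(f"2013 controls split across 2022 controls: {result['splits']}")
    lines.append(f"2013 SoA rows not covered by the table: {result['unmapped']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(migrate(OLD_SOA, CORRESPONDENCE)))
```

Two rules in the script encode what auditors look for: a merged control is kept in scope if any of its components was in scope (you cannot exclude 8.24 because one half of the old cryptography clause was excluded), and a new control never inherits an applicability value from the mapping, so it can only enter the SoA through a recorded risk decision. The unmapped list exists because the table here is a subset; with the full Annex B table it should come back empty, and anything left in it is a control you would otherwise lose in the migration.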

Need help transitioning to ISO 27002:2022 or preparing for ISO 27001 certification? Contact Agency for expert guidance on the transition and implementation of new controls. For cost planning, see our ISO 27001 certification cost guide.

