Detailed explanation of 11 new security controls in ISO 27001:2022 (these controls are about to be released in mid-2022)
On February 15, 2022, ISO released a new edition of ISO 27002, ISO 27002:2022. This edition has fewer controls, 93 instead of 114. However, every control of the 2013 edition remains required; the reduction comes from merging controls. In essence, complying with ISO 27001:2022 requires more effort. The new edition of ISO 27001 is set to be released later in 2022.
Changes to ISO 27001:2022 in a Nutshell
The core of ISO 27001, meaning the clauses 4 through 10, will not change.
Expect an updated security controls list in Annex A of ISO 27001.
The 11 controls that are new are:
5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding
What are the Changes to ISO 27002:2022?
57 controls from the 2013 edition of the standard were merged into 24 controls. A very useful annex of the new ISO 27002 is Annex B: it maps the controls of the 2013 edition to those of the 2022 edition of ISO 27001 and ISO 27002.
Furthermore, Annex A of ISO 27002 is a very helpful implementation tool. For each control it lists:
Name of the control
Type of control (Preventive, Corrective, Detective)
Information security property (Confidentiality, Integrity, Availability)
Cyber security concept (Identify, Protect, Detect, Respond, Recover)
Operational capability (for example, Governance, Asset Management, etc.)
Security domain (Defence, Resilience, Protection, Governance and Ecosystem)
Annex A of ISO 27001:2022 will require 93 controls instead of the 114 controls of the 2013 edition.
There are 4 control areas in Annex A of ISO 27001:2022, where the 2013 edition had 14.
There are 11 new controls. All controls of the 2013 edition are still present, and many controls have been merged.
What are the Changes to ISO 27001:2022?
The core structure of ISO 27001, meaning clauses 4 through 10, will not change. These clauses continue to include:
4. Context of the Organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Annex A
What are the Changes to ISO 27001:2022 and ISO 27002:2022?
Expect an update to the list of security controls in Annex A of ISO 27001:2022; it will reflect the new ISO 27002 edition.
In general, the changes to the controls are moderate, and the changes made simplify implementation.
The four control areas in Annex A of ISO 27001 and in ISO 27002 are:
5. Organisational controls with 37 controls
6. People controls with 8 controls
7. Physical controls with 14 controls
8. Technological controls with 34 controls
Obviously, the changes in Annex A of ISO 27001:2022 must fully align with the changes in ISO 27002:2022.
The 11 controls that are new are:
5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding
ISO 27K:2013 standard family simplified: