Home Resources Blog March 2022

The Release of ISO 27002 - Updates to the Information Security Standard

08 March 2022
Following the recent release of ISO 27002:2022 NQA's Information Security Assurance Manager, Tim Pinnell, has written a blog to give those who currently hold ISO 27001 certification an update on the changes they can expect.

ISO 27002:2022 was published on the 16th February 2022. It replaces ISO 27002:2017 and is a fundamental change to the structuring of the Information Security Standard. The new control set uses the controls from the previous version whilst also adding new controls which may be considered to reflect current information security practices.

The changes will also have implications for:

  • ISO 27001:2013 – Information security management systems - an emergency change is being made to ISO 27001, in the main to adapt Annex A to the new control set in ISO 27002:2022.

  • ISO 27017:2015 – Code of practice for information security controls based on ISO 27002 for cloud services

  • ISO 27018:2019 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

  • ISO 27701:2019 – Privacy information management


Earlier comment had suggested that a number of controls had been deleted. The mapping tables given in ISO 27002:2021 Annex B demonstrate that there are no deleted controls. However, analysis has shown that some of the controls are very much minimised where they have been merged with other controls.

The changes are:

  • The 12 control groups and objectives no longer exist. They have been replaced with 4 control groups without objectives. The control groups are:

    • Organisational (Clause 5)

    • People (Clause 6)

    • Physical (Clause 7)

    • Technology (Clause 8)

  • There are 93 controls instead of 114

  • 19 controls are consolidated

  • 11 new controls

The control categorisations are referred to as themes, and each control is assigned a set of attributes, for example:

The themes and attributes are provided as a way of organising and structuring controls through user determined views. They have no bearing on the controls themselves.  

Control changes

NQA will publish a web article discussing the changes in more detail, but the mapping demonstrates control movements.



  1. There is no transition to ISO 27002:2021 because it is a guidelines document. An emergency change to ISO 27001 is likely to be published in May this year with a two year transition. But this cannot be confirmed until the IAF publishes the timeline. Clients who transition in advance will still be audited against ISO 27001:2013.

  2. ISO 27001:2013 6.1.3 c) Note 2 states that additional controls may be needed to those in Annex A. The new version of ISO 27002 provides more controls to include in the SoA, although their inclusion must be risk-based.

  3. NQA will be contacting all ISO 27001:2013 clients via email with the transition plan and transition guidance as soon as the IAF timeline is known. Additional information will be available on the NQA Information Assurance Business Unit microsite for updates and advice, including blogs, articles and guides.

  4. Some clients will also have their ISMS extended by PIMS (ISO 27701:2019) and/or ISO 27017 and ISO 27018. There is no information on those standards about whether or not they will be updated in line with ISO 27002:2022 or the emergency change to ISO 27001. Clients will transition to ISO 27001:2022, but their extended SoA will be populated with:

    • Controls that extended ISO 27002:2017 will map directly to ISO 27002:2022, so should change accordingly

    • Additional controls introduced by ISO 27017, ISO 27018 & ISO 27701 that are not affected by the changes to ISO 27002:2022.

If you have any queries or concerns on these updates please feel free to get in touch with us here but rest assured that as soon as we have further information from the IAF we will communicate with you to highlight the relevant changes and updates.