The publication of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 marks the most significant update to the ISO 27000 series since 2013. These revisions modernize global information security expectations and reflect today’s evolving landscape, including cloud adoption, digital transformation, automation, and emerging threats.
ISO 27001 continues to define the requirements for an Information Security Management System (ISMS), while ISO 27002 serves as its companion, offering detailed implementation guidance for Annex A controls. The 2022 updates refine the structure, reduce redundancy, and bring clearer alignment with widely used cybersecurity frameworks, such as the NIST CSF.
This guide consolidates the essentials you need to understand the key updates.
1. What Changed in ISO 27002:2022 and Its Impact on ISO 27001
ISO/IEC 27002:2022 was released on February 15, 2022, replacing the 2013 edition. Because ISO 27001 Annex A is derived from ISO 27002, these changes flow directly into ISO 27001:2022.
1.1 New Structure: From 14 Sections to 4 Categories
The previous 14 control domains have been reorganized into four high-level control categories:
- Organizational controls – 37
- People controls – 8
- Physical controls – 14
- Technological controls – 34
This restructuring provides a clearer, more modern view of security responsibilities and eliminates outdated groupings that no longer reflect how organizations implement controls.
Two annexes supplement the new structure:
- Annex A — Using attributes
- Annex B — Mapping to ISO/IEC 27002:2013
1.2 Updated Control Set: 114 Controls Reduced to 93
ISO 27002:2022 consolidates and streamlines the control library:
- Total controls reduced from 114 to 93
- Many controls were merged or reworded
- Some were renamed to reflect current best practices
- 34 controls remain substantively similar but have new reference numbers
The 11 New Controls
These new controls address modern security risks and technologies:
- Threat intelligence
- Information security for cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
These additions ensure ISO 27002 remains relevant to cloud-centric, digitally integrated environments.
1.3 Introduction of Control Attributes
One of the most useful updates is the introduction of attributes, a tagging system that offers alternative ways to organize controls.
Attributes include:
Control Type
- Preventive
- Detective
- Corrective
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Identify
- Protect
- Detect
- Respond
- Recover
Operational Capabilities
Examples include Governance, Asset Management, Application Security, Identity & Access Management, Vulnerability Management, Continuity, Supplier Management, and others.
Security Domains
- Governance & Ecosystem
- Protection
- Defense
- Resilience
These attributes make it easier to map ISO controls to other frameworks (e.g., NIST CSF), filter controls by purpose, and integrate them into tooling and workflows.
2. How ISO 27001:2022 Aligns with the Updated Controls
ISO 27001’s core management clauses (4–10) remain largely consistent with the 2013 version. The primary change is the update to Annex A, which now reflects the restructured ISO 27002:2022 control set.
Organizations must:
- Review and update their Statement of Applicability (SoA)
- Ensure risk assessments reflect the updated control library
- Update control references in policies, procedures, and documentation
- Implement any newly applicable controls based on risk
- Train teams on updated terminology and expectations
The standard still follows a risk-based approach, meaning organizations implement the controls relevant to their context — not all 93 controls.
3. Transition Timeline and Certification Impact
If an organization is already certified to ISO 27001, its certification remains valid during the recognized transition period defined by accreditation bodies.
During the transition window, organizations must:
- Update their SoA
- Conduct a refreshed risk assessment
- Align their ISMS documentation with the new Annex A
- Update policies, procedures, and evidence
- Prepare for the transition audit
The transition is not automatic and requires planning, but it is manageable—especially for organizations with mature ISMS programs.
4. What Organizations Should Do Now
1. Review ISO 27001:2022 and ISO 27002:2022 standards
Understand the updated structure and control requirements.
2. Conduct or update your ISMS risk assessment
Map risks to the new control structure.
3. Update your risk treatment plan
Reflect the new controls and any changed control intent.
4. Update the Statement of Applicability (SoA)
Re-map controls to the new numbering and structure.
5. Revise policies and procedures
Ensure alignment with Annex A’s updated requirements.
6. Evaluate the 11 new controls for applicability
Implement and document them where needed.
7. Update internal audit programs
Ensure audits reflect the revised control framework.
8. Train stakeholders
Awareness and competence are essential for a smooth transition.
Taking these steps early reduces the workload during the transition audit and strengthens your ISMS overall.
Final Thoughts
The ISO 27001:2022 and ISO 27002:2022 updates bring clarity, modern relevance, and improved alignment with today’s cybersecurity ecosystem. While the restructuring and new controls require effort, they also provide organizations with a more intuitive and robust toolset for managing information security.
Ensure a smooth transition to ISO 27001:2022 with a trusted compliance partner. TrustNet helps organizations modernize their ISMS, streamline audits, and strengthen security.