The new ISO27002 was published earlier in 2022. This new guidance formally entitled: Information security, cybersecurity and privacy protection – information security controls provide structured support to the selection of security controls under four new headings.

The new set of headings is much simpler than previous models and aligns with the security layers normally deployed within organisations.

• Organisational controls

• People controls

• Physical controls

• Technological controls

ISO27002 2022 provides easier navigation to the selection of control areas and has an introduction section which is set in the format below:

E.g. Responsibilities after termination of employment

Control typeInformation security propertiesCybersecurity conceptsOperational capabilitiesSecurity domains
PreventiveConfidentialityIntegrityAvailabilityProtectHuman resource securityAssetsGovernance and Ecosystem

By using the format above the reader can better understand the appropriateness of security controls and the security mitigations that selection may bring about.

In the previous iterations of the guidance frameworks this introductory framework was not in place.

There are now ninety-three controls within ISO27002 2022. In addition, there are now elevennew controls. These cover 5.7 threat intelligence, 5.23 information security use of cloud services, 5.30 ICT business continuity, 7.4 physical security monitoring, 8.9 configuration management, 8.10 information deletion, 8.11 data masking, 8.12 data leakage control, 8.16 monitoring activities, 8.23 web filtering, 8.28 secure coding.

No controls have been withdrawn from previous versions, just an element of merging has taken place.

The new ISO27001 2022 is due out later this year and will compliment this guidance framework.

For further information and to book your ISO27001 survey please contact: Marcus J Allen at Thamer James Ltd.

Email: marcus@thamerjames.co.uk

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified.