The typical lifespan of an ISO standard is five years. After this period, it is evaluated whether the standard remains valid, needs revision, or should be withdrawn.
On February 15, ISO 27002:2022 was released (source), replacing the 2013 version. To help you determine the impact on your (upcoming) ISO 27001 implementation, we have compiled this page.
Subscribe to our newsletter and you’ll be notified of any changes instantly!
Frequently asked questions
- What’s the difference between ISO 27001 and 27002?
- What’s new in ISO 27002:2022?
- What about ISO 27001?
- What about localized versions?
- What about other standards in the ISO 27000 family?
- When will Instant 27001 be updated?
- How can I update my existing Instant 27001 implementation?
- When does my ISMS need to be updated?
What’s the difference between ISO 27001 and 27002?
ISO 27001 contains the requirements to implement a management system for information security. ISO 27002 contains best practices, in the form of a set of security controls (or “measures”) that you can implement to improve your security.
ISO 27001 makes use of the controls from ISO 27002 in its Annex A (but rewritten in normative form; e.g. it uses “shall” instead of “should”).
ISO 27001 is the standard that you can certify against, while ISO 27002 is “just” a code of practice.
What’s new in ISO 27002:2022?
ISO 27002:2013 contained 114 controls, divided over 14 chapters. This has been restructured: the 2022 version contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
While some controls from ISO 27001:2013 appear to have been merged in ISO 27002:2022, the following controls look new and might require some tweaking of your existing implementation (if you wish to include them in your Statement of Applicability, of course):

| ISO 27002:2022 | ISO 27002:2013 equivalent |
| --- | --- |
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
Furthermore, to help you identify the relevant controls during risk mitigation, each control is now tagged with four sets of attributes:
- Control type: #preventive, #detective, #corrective
- Classification: #confidentiality, #integrity, #availability
- NIST concept: #identify, #protect, #detect, #respond, #recover
- Operational capabilities: #governance, #asset_management, #information_protection, #human_resource_security, #physical_security, #system_and_network_security, #application_security, #secure_configuration, #identity_and_access_management, #threat_and_vulnerability_management, #continuity, #supplier_relationships_security, #legal
What about ISO 27001?
Contrary to common expectations, ISO is not going to release an ISO 27001:2022. Instead, there will be an amendment to ISO 27001:2013 (source). In this amendment, Annex A will be replaced with a normative version of the 93 new controls from ISO 27002:2022.
The only noticeable update to the management system itself is in clause 6.1.3c, which now refers to Annex A as “possible controls” (rather than a “comprehensive list of controls”), opening the door to using other control sets (or the controls from the 2013 version) if you deem them more appropriate.
According to ISO, voting has just begun and will close on April 26. We expect the amendment to be released in May or June 2022, after which it will be possible to (re)certify against it.
We have confirmation that an all-new ISO 27001 is in the works, but it is not expected to see the light of day before 2025. Updates will include:
- Stakeholder management (clause 4.2) will gain importance
- Change management of the ISMS will be made more explicit (analogous to clause 6.3 in ISO 9001)
- Requirements for documented information (clause 7.5)
What about localized versions?
We have it on good authority that most localized versions are already under development, based on the released draft versions. We expect them to be released a few months after the respective English versions.
Fun fact: some countries may still decide to release their localized version of ISO 27001 as 2022, to avoid confusion.
What about other standards in the ISO 27000 family?
Updates of related standards (ISO 27017, 27018, 27701, 27799) largely depend on their initial release date, following the standard five-year review cycle. Just like 27002 (whose development started in 2018), this might take another 3 to 4 years, counting from the next review date.
Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.

| Standard | Status | Expected release |
| --- | --- | --- |
| ISO 27017:2015 | This standard was last reviewed and confirmed in 2021. Therefore this version remains current (source) | |
| ISO 27018:2019 | Pending review in 2024 (source) | |
| ISO 27701:2019 | Pending review in 2024 (source) | |
| ISO 27799:2016 | 2022-02-16: New version under development | |
| NEN 7510:2017 | Pending release of ISO 27799 | 2025 or 2026 |
| BIO | Pending release of ISO 27002:2022 NL | 2023 |
If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:
- Use them in combination with the 2013 control set, so that the control numbers match (this should be acceptable)
- Use them in combination with the 2022 control set, accept that the control numbers do not match, and divide your Statement of Applicability into multiple sections, one for each control set
When will Instant 27001 be updated?
The English version of Instant 27001 has already been updated, based on ISO 27002:2022 and the recently published draft version of the ISO 27001 amendment, so you can start your implementation based on the 2022 version today!
How can I update my existing Instant 27001 implementation?
Once the ISO 27001 amendment is final, an update kit will be made available for existing customers.
This update kit will contain the following:
- The new Annex A structure containing all 93 controls
- All new and updated policies and procedures (for reference)
- A new Statement of Applicability
- A new Monitoring plan
- A new Internal audit program
- A new Internal audit report template
- Instructions on how to merge the contents and update your existing ISMS
The price for the update kit will be € 995.
This update kit is confirmed for the English, Dutch and German versions (pending their releases).
When does my ISMS need to be updated?
Technically, the proposed amendment to ISO 27001 leaves the door open to continue using the 2013 control set, if you deem those controls more appropriate. In that case, adding a single line of text to your Statement of Applicability stating so should suffice.
However, most organizations will choose to migrate their implementation prior to their next audit, to be in line with stakeholder expectations.
Subscribe to our newsletter
Would you like to receive updates on the upcoming ISO 27001/27002 releases? Leave your email address below and we’ll keep you posted!
- Please use your professional email address
- Existing customers will be notified automatically when the update kit becomes available
The information you submit will be processed in line with our Privacy statement.