ISO 27002 is a supporting document to provide further detail, clarification, and guidance on Annex A in ISO 27001:2022. It should be noted that ISO 27002 is not a certification or a quality mark - it is simply a guideline for how your organisation can implement Information Security best practices.
Many clients have asked us how they can prepare and transition to the latest version of ISO 27001. We know that many companies will be taking a phased approach to implementation, so we have produced a series of articles explaining how specific controls work and guidance on how they should be implemented.
The new ISO 27001:2022 now only has 93 controls instead of 114; they have been grouped into four categories: People (8 controls), Organisational (37 controls), Technological (34 controls), and Physical (14 controls). Many of the previous 114 controls have been merged with 11 new controls added.
In general, you can expect a more streamlined approach to implementing your information security policies and procedures.
Each control is associated with attributes to help filter, sort, and present the controls in different views for different audiences. These attributes are provided in a table right before the statement of each control. Attributes are:
The changes that have been made as part of the new ISO27001:2022 version of the information security standard are somewhat moderate. Whilst the initial format, structure, and feel for the Annex A controls look to be substantially different, on deeper analysis, it becomes evident that the changes introduced have not been very significant. Inmost cases controls have stayed as they were previously (35 controls); have been renamed (23 controls) and a large section have been merged (57 controls). Whilst the number of controls and how they are structured has changed, the fundamental requirements of the standard itself and the control areas focused on remain largely consistent with the old version we are familiar with. Overall, the changes bring about a new, improved, better structured, and streamlined version of Annex A and some small changes to Clauses 4-10.
If you would like to know more about ISO Standards, Certification and the value of a good management system you can add to your business we would love to hear from you: Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk
ISO 27002:2022 is a guideline for information security controls, supporting ISO 27001:2022 Annex A by providing further detail and clarification. There are now four domains (Organisational, People, Physical and Technological) instead of the previous 14. At AvISO, we have put together a page on all 93 controls with an explained purpose and implementation guidance.
As part of ISO 27001:2022, Annex A lays out a set of security controls that organisations can use to demonstrate compliance internationally and best practices. In ISO 27001:2022, a Statement of Applicability (SoA) is a document that lists the Annex A controls an organisation will implement to meet the requirements of the standard.This will include a list of the controls that are necessary for your organisation, a statement outlining why the chosen controls have been included and excluded and the confirmation of implementation.
