2 August 2022

The most important changes to the revised ISO 27001 and ISO 27002

On February 15, 2022, the new version of the ISO 27002 standard was published. The ISO 27002 is an extension of the ISO 27001 standard for information security and specifies the requirements of an Information Security Management System (ISMS). The extension provides best practices for security controls and measures that you can implement to improve your security. Although ISO 27002 is not a certifiable standard, this revision does have consequences for organizations that are or want to become ISO 27001 certified. That is why we share the most important changes with you below.

To keep up with new and evolving risks in areas such as information security, cybersecurity and privacy, standards are being assessed every five years. During these assessments it is determined whether a standard should be withdrawn, confirmed or revised. The last update of ISO 27002 dates back to 2013, with a number of minor adjustments in 2017. However, in 2018 it was decided to revise both ISO 27002 and ISO 27001 again.

In addition, a new structure classification of ISO 27002 should ensure that it is easier to determine who will become the owner of a control measure. The controls are also no longer divided into fourteen, but into four themes: organizational controls, people controls, physical controls and technological controls. Finally, 11 of the 93 control measures are completely new and intended to put a greater focus on the preventive and monitoring part of the ISMS.

Timeline revision ISO 27001 and ISO 27002 - February 2023.png

Download the timeline ISO 27001:2022 (version 24 Feb 2023).

Initially announced as an amendment, the updated ISO 27002 now appears to be a new version. This revision is scheduled to be published around October 2022. The text in the standard is aligned with the harmonized structure for management system standards. The official transition period is expected to be set as part of the publication of the revised certification standard and set at the usual three years. This means that organizations that want to be or remain certified in the long term will have to comply with any changed or additional requirements no later than three years after the publication of the ISO 27001:2022 standard.