Here are the changes to ISO27001 and ISO27002:
- ISO 27002:2013 contains 114 controls spread across 14 domains. The 2022 version includes 93 controls spread across four control domains. The new version has all the existing controls, but many merged to reduce the quantity.
- The following four control domains replace the 14 in ISO 27002:2013:
- Organisational (37)
- People (8)
- Physical (14)
- Technology (34)
- ISO 27002:2022 includes 11 new controls:
- Threat Intelligence
- Information Security for Cloud Services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration Management
- Information Deletion
- Data Masking
- Data Leakage Prevention
- Monitoring Activities
- Web Filtering
- Secure Coding
- Due to the control changes in ISO 27002 and the controls listed in Annexe A within ISO 27001, this section will need updating to fully align ISO 27001 with ISO 27002. There may be additional changes to ISO 27001, so it will require a careful review when formulating a transition plan.
These changes simplify the control set and remove significant overlaps between controls across multiple domains.