Recently, the International Organization for Standardization (ISO) published the ISO/IEC 27002:2022 standard. This document replaces the version of the same name from 2013. Notably, for the first time the controls include privacy controls, and ISO has rearranged the controls into new categories.

In essence, the document provides controls for information security, cybersecurity, and privacy protection.

Who’s the audience?

ISO/IEC 27002:2022 is for any organisation to use:

  1. within the context of an information security management system (ISMS) based on ISO/IEC 27001;
  2. for implementing information security controls based on international best practices; and
  3. for developing information security management guidelines.

Overview of ISO/IEC 27002:2022

The document defines a ‘control’ as ‘a measure that modifies or maintains risk’ within an organisation.

While some of the document’s controls modify risk, other controls maintain risk. ISO provides the example of an information security policy: ‘[a]n information security policy, for example, can only maintain risk, whereas compliance with the information security policy can modify risk.’

Here’s a list of the control categories the document deals with:

  1. Organisational controls
  2. People controls
  3. Physical controls
  4. Technological controls

If you want to explore the document more, feel free to buy it from ISO.

Actions you can take