Recently, the International Organization for Standardization (ISO) published the ISO/IEC 27002:2022 standard. This document replaces a version of the same name from 2013. What is interesting is that for the first time the controls include privacy controls and ISO has re-arranged the controls into new categories.
In essence, the document provides controls for information security, cybersecurity, and privacy protection.
Who’s the audience?
ISO/IEC 27002:2022 is for any organisation to use:
- within the context of an information security management system (ISMS) based on ISO/IEC 27001;
- for implementing information security controls based on international best practices; and
- for developing information security management guidelines.
Overview of ISO/IEC 27002:2022
The document defines a ‘control’ as ‘a measure that modifies or maintains risk’ within an organisation.
While some of the document’s controls modify risk, other controls maintain risk. ISO provides the example of an information security policy: ‘[a]n information security policy, for example, can only maintain risk, whereas compliance with the information security policy can modify risk.’
Here are the four categories into which the document arranges its controls:
- Organisational controls
- People controls
- Physical controls
- Technological controls
If you want to explore the document more, feel free to buy it from ISO.
Actions you can take
- Stay updated with the latest information security news by subscribing to our newsletter.
- Assess how information security impacts your organisation by filling in our information security assessment.
- Protect your commercial interests by asking us to draft your information security documents like an incident response policy or information security policy.
- Scale your compliance with information security regulations by joining our information security programme.