
Changes ISO 27002

Article publication date: 26-10-2021

ISO aims to review its standards every 5 years and to incorporate new insights. A change is planned for the end of this year for ISO 27002, the standard that is inextricably linked to ISO 27001, which formulates the requirements for implementing an information security management system. This article briefly describes what the changes will be and how to deal with them.

Changes ISO 27002 – 1st quarter 2022 (expected)

Current version: NEN-EN-ISO/IEC 27002:2017 nl (does not differ in content from the 2013 version).
Expected publication: 1st quarter 2022
Impact: Re-check security measures – adjust documentation – possibly introduce new measures
Implementation after publication of the change: once ISO 27001 has been adjusted, immediately for new certifications; within 3 years for existing certifications
Recommendation: once ISO 27001 has been adjusted, implement during recertification (to avoid extra audit time) and already prepare internally for this change

What does the ISO 27002 cover?

This standard provides guidelines for the implementation of information security measures within an organisation. The measures are included in Annex A of ISO 27001. When a company has certified its information security management system in accordance with ISO 27001, it must determine, on the basis of a risk analysis and the list of measures in Annex A of ISO 27001, which measures (114 in total) apply. The company is expected to implement, as a minimum, the measures stated in Annex A or equivalent measures. This is recorded in a document that is available on request, the so-called “statement of applicability” (ISO 27001 6.1.3 paragraph d).

The changes

Below is a brief overview of the changes.

The layout of the various security measures has been changed, so that the document is structured differently. The measures are now divided into 4 categories (originally 14 categories):

  • Chapter 5 Organization – 37 measures
  • Chapter 6 People – 8 measures
  • Chapter 7 Physical – 14 measures
  • Chapter 8 Technological (Technical) – 34 measures

The new classification groups the measures more efficiently: measures that previously appeared in different places but essentially mean the same thing are now brought together in one category. As a result, measures from the old standard have been merged or removed. The new standard contains 93 measures instead of 114: 11 measures are new, 3 existing measures have been removed and a number, as indicated above, have been consolidated into existing measures.

The new security measures are more in line with the current digital transformation and the increase in cyber threats. The new measures therefore relate to threat analysis, information security of cloud services and secure programming.

Each measure has now been given a # label in 5 areas.

When applicable

ISO 27002 is expected to be published in the first quarter of 2022. Certification is not against the ISO 27002 standard, but against the ISO 27001 standard. That is why this standard must first be amended before the new ISO 27002 becomes applicable. The most important change for ISO 27001 will then be that Annex A will be included in accordance with the new classification of measures. It is not yet clear when the ISO 27001 standard will be updated (probably 2022/2023).

What to do

Our advice is to get started with the announced changes. For example, include the announced changes in the planning, discuss the impact in the organization and conduct internal audits with the new proposed measures as the subject. Of course you can approach WE-management to assist you with this!

Below is an overview of the new measures:

| ISO 27002:2022 | Description |
| --- | --- |
| 5.7 | Threat intelligence |
| 5.23 | Information security for use of cloud services |
| 5.30 | ICT readiness for business continuity |
| 7.4 | Physical security monitoring |
| 8.9 | Configuration management |
| 8.10 | Information deletion |
| 8.11 | Data masking |
| 8.12 | Data leakage prevention |
| 8.16 | Monitoring activities |
| 8.22 | Web filtering |
| 8.28 | Secure coding |

The table below shows the measures that have been combined from the old standard into 1 measure:

| ISO 27002:2022 | ISO 27002:2017 |
| --- | --- |
| 5.1 Policies for information security | 5.1.1 Information security policies; 5.1.2 Reviewing the information security policy |
| 5.9 Inventory of information and other associated assets | 8.1.1 Inventory of company assets; 8.1.2 Ownership of company assets |
| 5.14 Information transfer | 13.2.1 Information transfer policies and procedures; 13.2.2 Information transport agreements; 13.2.3 Electronic messages |
| 5.15 Access control | 9.1.1 Access security policy; 9.1.2 Access to networks and network services |
| 5.16 Identity management | 9.2.1 Registration and deregistration of users; 9.4.3 Password management system |
| 5.17 Authentication information | 9.2.4 Management of secret authentication information of users; 9.3.1 Using secret authentication information |
| 5.18 Access rights | 9.2.2 Granting users access; 9.2.5 Assessment of user access rights; 9.2.6 Revoke or modify access rights |
| 5.22 Monitoring, review and change management of supplier services | 15.2.1 Monitoring and assessment of suppliers’ services; 15.2.2 Management of changes in supplier services |
| 5.29 Information security during disruption | 17.1.1 Planning information security continuity; 17.1.2 Implementing information security continuity; 17.1.3 Verifying, assessing and evaluating information security continuity |
| 7.10 Storage media | 8.3.1 Removable media management; 8.3.2 Removing media; 8.3.3 Physically transferring media |
| 8.1 User endpoint devices | 6.2.1 Mobile device policy; 11.2.8 Unattended user equipment |
| 8.8 Management of technical vulnerabilities | 12.6.1 Technical vulnerability management; 18.2.3 Assessment of technical compliance |
| 8.15 Logging | 12.4.1 Log events; 12.4.2 Protecting information in log files; 12.4.3 Administrator and operator logs |
| 8.24 Use of cryptography | 10.1.1 Policy on the use of cryptographic controls; 10.1.2 Key management; 18.1.5 Regulations for the use of cryptographic controls |
| 8.25 Secure development life cycle | 14.1.1 Analysis and specification of information security requirements; 14.2.1 Secure development policy |
| 8.26 Application security requirements | 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions |
| 8.29 Security testing in development and acceptance | 14.2.8 Testing system security; 14.2.9 System acceptance tests |
| 8.31 Separation of development, test and production environments | 12.1.4 Separation of development, test and production environments; 14.2.2 Change management procedures related to systems; 14.2.3 Technical review of applications after changes to the operating platform; 14.2.4 Restrictions on changes to software packages |
| 8.32 Change management | 12.1.2 Change management; 14.2.2 Change management procedures related to systems; 14.2.3 Technical review of applications after changes to the operating platform; 14.2.4 Restrictions on changes to software packages |

The following measures from ISO 27002:2017 have been removed:

8.2.3 Handling Company Assets
11.2.5 Disposal of Company Assets
16.1.3 Reporting Information Security Vulnerabilities


Each measure in the new standard has been assigned a #, divided into 5 categories:

| Category | # values |
| --- | --- |
| How to categorize | #preventative, #detective, #corrective |
| Information security properties | #confidentiality, #integrity, #availability |
| Cyber security concepts | #identify, #protect, #detect, #respond, #recover |
| Operational capabilities | #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_compliance_security_management_security_management |
| Security domains | #governance_and_ecosystem, #protection, #defence, #resilience |

Table of contents new standard:

0 Introduction
1 Scope
2 Normative reference
3 Terms, definitions and abbreviated terms
4 Structure of this document
4.1 Clauses
4.2 Themes and attributes
4.3 Control layout

5 Organizational controls
5.1 Policies for information security
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence
5.8 Information security in project management
5.9 Inventory of information and other associated assets
5.10 Acceptable use of information and other associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labeling of information
5.14 Information transfer
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the IT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Identification of legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Protection of records
5.34 Privacy and protection of PII
5.35 Independent review of information security
5.36 Compliance with policies and standards for information security
5.37 Documented operating procedures

6 People controls
6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote working
6.8 Information security event reporting

7 Physical controls
7.1 Physical security perimeter
7.2 Physical entry controls
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protecting against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.10 Storage media
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance
7.14 Secure disposal or re-use of equipment

8 Technological controls
8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Information backup
8.14 Redundancy of information processing facilities
8.15 Logging
8.16 Monitoring activities
8.17 Clock synchronization
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.20 Network controls
8.21 Security of network services
8.22 Web filtering
8.23 Segregation in networks
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.28 Secure coding
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit and testing

Annex A Using attributes
A.1 Introduction
A.2 Organizational views
Annex B Correspondence with ISO/IEC 27002:2013


