Business Advisory

ISO 27002 Third Edition To Be Published in March

By February 8, 2022 No Comments

The ISO 27002 document –  a guidance document to assist with the implementation of the security controls that are used for the ISO 27001 information security management system – has been updated and approved and this new edition is expected to be published in March 2022.

ISO 27002 is important for organisations that intend to select controls within the process of implementing and maintaining compliance of an Information Security Management System based on ISO/IEC 27001 and who want to implement commonly accepted information security controls and develop their own information security management guidelines.

information security management


The updated document is titled ‘ISO/IEC 27002 information security, cybersecurity and privacy protection – Information security controls’ and has several changes to the previous edition.

11 new controls have been added as per below:

Organisational ControlsPhysical ControlsTechnological Controls
Information security for use of
cloud services
Physical security monitoringConfiguration Management
ICT readiness for business continuityInformation deletion
Threat IntelligenceData masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding


Many of the existing controls have also been amended, and around half of the old controls have now been combined with others where they were inseparable in practice or closely related. As such there are now 24 merged controls and the new standard has 24 controls compared to the previous editions 114. This should allow for easier implementation of the standard.

Each control now has 5 ‘Attributes’ associated with it and each controls attributes have been assigned a particular ‘value’ from a pre-determined selection as shown below.

AttributesValues
Control typePreventative, detective, corrective
Information security propertiesConfidentiality, integrity, availability
Cybersecurity conceptIdentify, protect, detect, respond, recover
Operational capabilitiesAligned to clauses in the 2nd edition
Security domainsGovernance and ecosystem, protection,
defence, resilience


The attributes are simply a guide to help organisations filter and organise controls to suit their requirements, it is not mandatory for them to be used. There will likely be a 2-year transition period following the publication of the new standard.

Contact us now to discuss your Information Security Management requirements.

98fab86012f37e6805ddad33592f0ab6.js