ISO 27002:2022 Control Mapping Guide

The revised version of ISO 27002:2022 creates a more straightforward structure by rearranging, merging, and adding new controls to the standard



2 years ago | 2 min read

ISO 27002:2013 has been updated and changed to ISO 27002:2022, and was released in February 2022.

The revised version of ISO 27002:2022 creates a more straightforward structure by rearranging, merging, and adding new controls to the standard.

ISO 270002 is a reference set of generic information security controls and guidance on their implementation. It’s a supplementary guide to ISO/IEC 27001 that helps users to identify and implement the information security controls that are most appropriate to their organization’s needs and which in turn can help strengthen the way in which information is protected.

Previously ISO 27002:2013 had 114 controls across 14 control domains; the updated 2022 edition has been reorganised into 93 different controls and now has a revised 4 different categories instead of the 14 different domains. There are 11 brand new controls in the 2022 edition whilst 24 controls have been merged and 58 have been updated.

The 4 different categories (clauses) that have been revised in the 2022 edition are as follows:

  1. Organisational
  2. People
  3. Physical
  4. Technological

These new controls have been added to reflect the current information security, physical security and cyber security landscape.

The new controls listed in the 27002:2022 scope are:

  1. Threat Intelligence
  2. Information Security for the use of Cloud Services
  3. ICT readiness for Business Continuity
  4. Physical Security Monitoring
  5. Configuration Management
  6. Information Deletion
  7. Data Masking
  8. Data Leakage prevention
  9. Monitoring Activities
  10. Web Filtering
  11. Secure Coding

Also, the guidance section for each of the new controls has been updated to reflect more up-to-date cyber security practices. Each control has also been equipped with a “set of attributes” and a “purpose statement” that relates to different cyber security concepts. The phrase “code of practice” has been omitted to reflect better its purpose of being a reference set of information security controls

Eventually, these changes to ISO 27002:2022 will be coupled with a reconfigured version of ISO 27001:2013 and it is expected that this change will come around October 2022

As an ISO 27001 certification lasts for 3 years, if an organisation is currently certified, no immediate action needs to be taken. However, upon renewal or re-certification of ISO 27001, the revised version of ISO 27002:2022 may be applicable.

For more information, or to see how we can help you implement ISO 27002:2022, get in touch with us.

Click the below link for simple mapping guides between the standard versions:


Created by


Organisational geek helping companies improve their cybersecurity one step at a time







Related Articles