ISO/IEC 27002:2022 is published

The new 2022 version of ISO/IEC 27002 has been published.

---

The standard provides a set of generic Cybersecurity and Privacy controls including implementation guidance. It should be used by organizations having an information security management system (ISMS) adhering to ISO/IEC27001 for implementing controls that are based on internationally recognized best practices and for developing organization-specific information security management guidelines.

The new standard changes its name to cover Cybersecurity and Privacy, with a controls structure built on 4 domains:

1. Organizational Controls
2. People Controls
3. Physical Controls
4. Technological Controls

Each control is associated with five attributes with corresponding attribute values (preceded by "#" to make them searchable):

1. Control type (Preventive, Detective, Corrective);
   
2. Information security properties (Confidentiality, Integrity, Availability);
   
3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover);
   
4. Operational capabilities (Security capabilities);
   
5. Security domains (Governance and Ecosystem, Protection, Defense, Resilience).

The layout for each control contains the following:

1. Control title: Short name of the control;
2. Attribute table: A table shows the value(s) of each attribute for the given control;
3. Control: What the control is;
4. Purpose: Why the control should be implemented;
5. Guidance: How the control should be implemented;
6. Other information: Explanatory text or references to other related documents.

A specific new Threat intelligence control-set is introduced as 27002 5.7.

---

The link to the ISO 27002:2022 standard