ISO/IEC 27002:2022 is published

The new 2022 version of ISO/IEC 27002 has been published.

The standard provides a set of generic cybersecurity and privacy controls, each with implementation guidance. It is intended for organizations that operate an information security management system (ISMS) conforming to ISO/IEC 27001, both for implementing controls based on internationally recognized best practices and for developing organization-specific information security management guidelines.

The new standard changes its name to cover Cybersecurity and Privacy, with a controls structure built on 4 domains:

  1. Organizational Controls
  2. People Controls
  3. Physical Controls
  4. Technological Controls

Each control is associated with five attributes with corresponding attribute values (each preceded by "#" to make them searchable):
  1. Control type (Preventive, Detective, Corrective);
  2. Information security properties (Confidentiality, Integrity, Availability);
  3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover);
  4. Operational capabilities (Security capabilities);
  5. Security domains (Governance and Ecosystem, Protection, Defense, Resilience).

The layout for each control contains the following:
  1. Control title: Short name of the control;
  2. Attribute table: A table showing the value(s) of each attribute for the given control;
  3. Control: What the control is;
  4. Purpose: Why the control should be implemented;
  5. Guidance: How the control should be implemented;
  6. Other information: Explanatory text or references to other related documents.

A new control, Threat intelligence, is introduced as ISO/IEC 27002 control 5.7.
