ARInnovate is a specialised consulting firm providing organisations with bespoke software development and cyber security services.

In the wake of the current pandemic and other geopolitical developments, it has become crucial for organisations of every size to safeguard themselves against activities that can adversely impact their security, such as ransomware or the misconfiguration of an asset.

To protect against such activities, organisations adopt standards and frameworks that help them build a robust and secure business. One widely recognised standard is the ISO 27000 series, more specifically ISO 27001, which an organisation can be certified against, and ISO 27002, which gives guidance on how to implement an ISMS (Information Security Management System).

Up until February 2022, organisations and auditors followed the guidance in ISO 27002:2013, initially released in 2013 and revised twice, in 2014 and 2015. Those editions are now withdrawn with the publication of the new ISO 27002:2022 edition.

Let’s take a look at what has changed in the new version of ISO 27002.

Name
  ISO 27002:2013: Information Technology, Security Techniques, Code of Practice for Information Security Controls
  ISO 27002:2022: Information Security, Cybersecurity and Privacy Protection – Information Security Controls

Controls – Total
  ISO 27002:2013: 114
  ISO 27002:2022: 93 (11 new)

Categories/Clauses
  ISO 27002:2013: 14
  ISO 27002:2022: 4 (Organisational, People, Physical, Technical)

Control Structure
  ISO 27002:2013: Control; Implementation Guidance; Other Information
  ISO 27002:2022: Attribute Table; Control; Purpose; Guidance; Other Information

Document Structure
  ISO 27002:2013: Clauses; Control categories
  ISO 27002:2022: Clauses; Themes and Attributes; Controls Layout

Other notable changes:

  • 56 controls from ISO 27002:2013 were merged into 24 controls in the new edition.
  • There is also a minor change in the Introduction section: what was formerly “Selecting Controls” has been separated into two sections, “Controls”, which defines what controls are, and “Determining Controls”, which is essentially the same as “Selecting Controls” in ISO 27002:2013.
  • Each control now has two additional sections, an “Attributes table” and a “Purpose” section. The attribute table is specific to each control and comprises all five attribute categories.
  • Apart from the new inclusions and the merging of controls, the new edition has dedicated attributes for each control.

Attributes and their contents:

  • Control Type: Preventive, Detective, Corrective
  • Information Security Property: Confidentiality, Integrity, Availability
  • Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities: Governance, Asset Management, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, Information Security Assurance
  • Security Domain and Scope: Governance and Ecosystem, Protection, Defense, Resilience

With organisations adopting new technologies such as cloud services at a higher rate, an update to the 2013 standard was long awaited, yet ISO 27001 and 27002 did not adapt to such changes for several years. The new edition, however, covers and updates many of these areas to suit current needs in cybersecurity.

What does implementing ISO 27002:2022 mean for organisations?

Organisations were quick to realise that they needed to be certified against controls that validate a security posture aligned with the current threat landscape. As consultants, we at AR Innovate have many clients of different sizes and business models. For a long time we were not able to audit them or give guidance in alignment with ISO 27002 and had to rely on other standards for clients whose architecture is completely serverless and depends on cloud service security, but the narrative has changed with the new edition. We are now able to consult for and audit them specifically for their business model, slowly integrating this into their existing ISO 27001 certification process as well.

For organisations already certified against ISO 27001:2013, there are things to consider:

  • Identify which old controls have been merged into which new controls and implement the new controls as guided (according to your Statement of Applicability) to further enhance your security posture.

  • Recognise ID changes in clauses: as opposed to two additional levels in ISO 27002:2013, there is only one additional level for each clause.

    E.g., ISO 27001:2013 – A5 -> 5.1 -> 5.1.1, 5.1.2
    ISO 27002:2022 – A5 -> 5.1, 5.2, 5.3

  • Since the hard work is already done, you can start implementing the new controls within the next year or two, making your organisation ready to be certified against the new ISO 27001:2022.

For organisations implementing ISO 27001:2022 in the future, there are multiple benefits:

  • Where business requirements demand compliance with other standards, e.g. NIST CSF, you have the opportunity to align your security posture categorically from the initial stages of implementing the ISMS itself.
    • For example, when you implement an ISMS according to ISO 27002:2022, you can easily map your controls to NIST CSF by taking the Cybersecurity concepts attribute into consideration, satisfying both sets of requirements.
    • Since ISO 27002:2022 covers the major domains in cybersecurity, it is safe to say that if you are compliant with ISO 27001 you have built the foundation for complying with other industry-specific compliance requirements as well.

  • With the introduction of attributes, organisations can now customise their approach from the beginning, reducing overhead after implementation.
    • For example, you can categorise controls based on Control type or Information Security Property, assign duties accordingly, and focus on the areas that matter most in critical times. After an incident you can quickly sort and analyse the detective and corrective controls to assess their effectiveness and update them.