How Will ISO/IEC 27002:2022 Update Impact Businesses in Australia?

27/04/2022by admin0Read: 4 minutes

Confirming the year-long buzz, ISO27001:2013 is finally updated to ISO/IEC 27002:2022 in March this year. It is essential to know how will ISO/IEC 27002:2022 update impact businesses in Australia. The noteworthy change has grabbed the eyeballs from the business world.

But, before hopping on to the new standards and specifications, let’s have a quick recap on ISO27001:2013.


ISO27001:2013 upgrade was initially introduced in 2013.  International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) had jointly released it in 2005. It has been the first choice of businesses for providing security via Information Security Management Systems. The standard secured the business information of an organisation. It included sensitive information, intellectual property and financial information, employee information, and third-party client data.

ISO/IEC 27002:2022  update

With the dropping of the ‘code of practice’ phrase, the purpose of ISO/IEC 27002:2022 has been clearly demonstrated. It is a reference set of information security controls and has some new inclusions and deletions.

Old to new phrase transition

The old phrases replaced are Information Technology, Security Techniques, and Code of Practice for information security management, have been replaced. The new phrases are Information Security, Cyber Security, and privacy protection.

What’s new?

The new ISO 27002:2022 has 93 controls contrary to the 114 controls from the former version. The changes are listed below, and its detailed procedures can be found in Annexure A

 ‘Themes’ for New controls

  • Organizational (37 controls)
  • People (8 controls)
  • Technological (34 controls)
  • Physical (14 controls)

Each theme has been listed below with its controls as per ISO27002:2022. Businesses can refer to Annexure A for detailed procedures.

Organisational controls

ISO 27002 5.1 Policies for information security
ISO 27002 5.2 Information security roles and responsibilities
ISO 27002 5.3 Segregation of duties
ISO 27002 5.4 Management responsibilities
ISO 27002 5.5 Contact with authorities
ISO 27002 5.6 Contact with special interest groups
ISO 27002 5.7 Threat intelligence
ISO 27002 5.8 Information security in project management
ISO 27002 5.9 Inventory of information and other associated assets
ISO 27002 5.10 Acceptable use of information and other associated assets
ISO 27002 5.11 Return of assets
ISO 27002 5.12 Classification of information
ISO 27002 5.13 Labelling of information
ISO 27002 5.14 Information transfer
ISO 27002 5.15 Access control
ISO 27002 5.16 Identity management ISO 27002 5.17 Authentication information
ISO 27002 5.18 Access rights
ISO 27002 5.19 Information security in supplier relationships
ISO 27002 5.20 Addressing information security within supplier agreements
ISO 27002 5.21 Managing information security in the ICT supply chain
ISO 27002 5.22 Monitoring, review and change management of supplier services
ISO 27002 5.23 Information security for use of cloud services
ISO 27002 5.24 Information security incident management planning and preparation
ISO 27002 5.25 Assessment and decision on information security events
ISO 27002 5.26 Response to information security incidents
ISO 27002 5.27 Learning from information security incidents
ISO 27002 5.28 Collection of evidence
ISO 27002 5.29 Information security during disruption
ISO 27002 5.30 ICT readiness for business continuity
ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements
ISO 27002 5.32 Intellectual property rights
ISO 27002 5.33 Protection of records
ISO 27002 5.34 Privacy and protection of PII
ISO 27002 5.35 Independent review of information security
ISO 27002 5.36 Compliance with policies and standards for information security
ISO 27002 5.37 Documented operating procedures

ISO 27002 6 People controls

ISO 27002 6.1 Screening
ISO 27002 6.2 Terms and conditions of employment
ISO 27002 6.3 Information security awareness, education and training
ISO 27002 6.4 Disciplinary process
ISO 27002 6.5 Responsibilities after termination or change of employment
ISO 27002 6.6 Confidentiality or non-disclosure agreements
ISO 27002 6.7 Remote working
ISO 27002 6.8 Information security event reporting


ISO 27002 7 Physical controls

ISO 27002 7.1 Physical security perimeter
ISO 27002 7.2 Physical entry controls
ISO 27002 7.3 Securing offices, rooms, and facilities
ISO 27002 7.4 Physical security monitoring
ISO 27002 7.5 Protecting against physical and environmental threats
ISO 27002 7.6 Working in secure areas
ISO 27002 7.7 Clear desk and clear screen
ISO 27002 7.8 Equipment siting and protection
ISO 27002 7.9 Security of assets off-premises
ISO 27002 7.10 Storage media
ISO 27002 7.11 Supporting utilities
ISO 27002 7.12 Cabling security
ISO 27002 7.13 Equipment maintenance
ISO 27002 7.14 Secure disposal or re-use of equipment

ISO 27002 8 Technological controls

ISO 27002 8.1 User endpoint devices
ISO 27002 8.2 Privileged access rights
ISO 27002 8.3 Information access restriction
ISO 27002 8.4 Access to source code
ISO 27002 8.5 Secure authentication
ISO 27002 8.6 Capacity management
ISO 27002 8.7 Protection against malware
ISO 27002 8.8 Management of technical vulnerabilities
ISO 27002 8.9 Configuration management
ISO 27002 8.10 Information deletion
ISO 27002 8.11 Data masking
ISO 27002 8.12 Data leakage prevention
ISO 27002 8.13 Information backup
ISO 27002 8.14 Redundancy of information processing facilities
ISO 27002 8.15 Logging
ISO 27002 8.16 Monitoring activities
ISO 27002 8.17 Clock synchronization
ISO 27002 8.18 Use of privileged utility programs
ISO 27002 8.19 Installation of software on operational systems
ISO 27002 8.20 Network controls
ISO 27002 8.21 Security of network services
ISO 27002 8.22 Web filtering
ISO 27002 8.23 Segregation in networks
ISO 27002 8.24 Use of cryptography
ISO 27002 8.25 Secure development lifecycle
ISO 27002 8.26 Application security requirements
ISO 27002 8.27 Secure system architecture and engineering principles
ISO 27002 8.28 Secure coding
ISO 27002 8.29 Security testing in development and acceptance
ISO 27002 8.30 Outsourced development
ISO 27002 8.31 Separation of development, test and production environments
ISO 27002 8.32 Change management
ISO 27002 8.33 Test information
ISO 27002 8.34 Protection of information systems during audit and testing


Highlighting New controls

Threat intelligence
Information security for use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention

Attributes for better categorisation:

  • Control type (preventive, detective and corrective)
  • Information security properties (confidentiality, integrity and availability)
  • Cybersecurity concepts (identify, protect, detect, respond and recover)
  • Operational capabilities (governance and asset management, etc.)
  • Security domains (governance and ecosystem, protection, defence and resilience)

Impact on businesses already certified with ISO 27001:2013

Businesses pre-certified with ISO27001:2013 will be provided a transition period of two-three years. The organisations will have to modify their management system to comply with this new version. We advise businesses to complete their renewal, audits etc., for ISO27002:2022 much prior to their certification date. Businesses must note that all future renewals will happen as per the new controls.

Instructions for new businesses implementing ISO/IEC 27002:2022

Earlier, businesses were allowed to select applicable controls as per ISO 27001:2013. This selection is a part of the risk management process. Now, the Statement of Applicability for organisations, will continue to be as per Annex A of ISO 27001:2013. But for the controls, the new ISO/IEC 27002:2022 update will play a key role.

How can Anitech help?

Having a reputation for helping businesses for over 15 years, Anitech is a leading advisory security provider. We have a team of ISO 27001 experts who understand the ISM principles and ISO standards. Our team had seen the update coming and was prepared in advance!

We follow a risk management framework, and a well-planned strategy. This will help companies meet the new set of controls required in the updated version. Our consultancy has industry experience in aiding businesses, to meet ISO27001:2013 certification requirements.

So, why wait for tomorrow? Speak to our experts, call us now on 1300 802 163 or e-mail us at – info@anitechgroup.com or enquire here.

You can take a quick self-assessment test by clicking here.



Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest news, product updates and Event updates.

Copyright @ 2023. All Rights reserved.