ISO/IEC 27002:2022 is a genuine rewrite, not a tidy-up. It reflects how security actually works now: cloud by default, faster-moving threats, and tighter regulation. The control count drops from 114 to 93, the old fourteen groups become four, and eleven controls are new. Here is what changed, and what each new control actually asks of you.
Four domains instead of fourteen
The control groups now map to how teams really run security:
- Organizational: direction, structure, risk and supplier relationships
- People: staff security, training and remote work
- Physical: premises, secure areas and monitoring
- Technological: systems, development, networks and monitoring
The eleven new controls
Every one of these came from real attack patterns, not committee theory.
- Threat intelligence (5.7). Collect threat data from government advisories, vendor feeds and your own incidents, then actually analyse it and feed it into risk decisions. Sharing intelligence with suppliers lines up with guidance from NCSC, ENISA and CISA.
- Cloud services (5.23). Treat cloud as the default it now is. Build security into how you buy, onboard, run and offboard cloud services.
- ICT readiness for business continuity (5.30). Go past backups to real resilience: recovery planning, redundancy, incident simulation and recovery testing. It lines up closely with ISO 22301.
- Physical security monitoring (7.4). Watch sensitive sites for things like tailgating and hardware theft, with surveillance and procedural checks tied into your access records.
- Configuration management (8.9). Misconfigurations are among the most exploited weaknesses, so the standard now wants documented baselines, change control, automated checks and audit trails.
- Information deletion (8.10). Delete data securely once you no longer need it, using techniques like overwriting, degaussing or physical destruction, and keep it auditable. This maps to GDPR and similar laws.
- Data masking (8.11). Protect sensitive data outside production with pseudonymisation, anonymisation and field-level masking.
- Data leakage prevention (8.12). Combine tooling (DLP, encryption, egress controls) with process (classification, policy, monitoring) to reduce exposure.
- Monitoring activities (8.16). Run continuous monitoring across systems, networks and user activity, with baselines and threshold alerts.
- Web filtering (8.23). Restrict access to dangerous or unsuitable sites, with technical controls and user training, to cut phishing and drive-by malware.
- Secure coding (8.28). A dedicated control for secure development: code review, input validation, safe error handling and dependency management, drawing on the OWASP Top 10 and NIST SP 800-53.
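What control 8.11 asks for in practice, as an added example that is not part of the original article or of any ISO text: a field-level masking pass over a constructed customer export, using keyed pseudonymisation for identifiers that still need to join across tables, display masking for email and card fields, and a deny-by-default policy that drops any field it has no rule for. The record layout, the policy table and the demo key are all assumptions made up for this illustration; a real deployment would pull the key from a managed secret and rotate it.

```python
"""Field-level data masking for non-production copies (hypothetical example)."""
import hashlib
import hmac
import re

# Constructed sample records, shaped like a small production export.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card": "4111111111111111", "notes": "Call back about order 55"},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "card": "5500000000000004", "notes": "VIP account"},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card": "4111111111111111", "notes": "Second ticket, same customer"},
]

# Hypothetical policy: which masking action applies to each known field.
# Anything not listed is dropped, so new columns cannot leak by accident.
MASKING_POLICY = {
    "customer_id": "pseudonymise",
    "email": "mask_email",
    "card": "mask_card",
    "notes": "drop",   # free text is the usual place PII hides; drop it outright
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: the same input under the same key yields the
    same token (so joins still work), but it cannot be reversed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_card(pan: str) -> str:
    """Display-mask a card number: only the last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict, key: bytes, policy: dict = MASKING_POLICY) -> dict:
    """Apply the policy to one record; unknown fields are omitted."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "pseudonymise":
            out[field] = pseudonymise(str(value), key)
        elif action == "mask_email":
            out[field] = mask_email(str(value))
        elif action == "mask_card":
            out[field] = mask_card(str(value))
        # "drop": field is not copied into the output
    return out


def mask_dataset(records: list, key: bytes, policy: dict = MASKING_POLICY) -> list:
    return [mask_record(r, key, policy) for r in records]


def leaks_raw_values(original: list, masked: list, fields=("email", "card")) -> bool:
    """Evidence check for the audit trail: does any raw sensitive value from the
    source survive anywhere in the masked output? Returns True if a leak is found."""
    raw = {str(r[f]) for r in original for f in fields if f in r}
    masked_text = " ".join(str(v) for r in masked for v in r.values())
    return any(v in masked_text for v in raw)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # placeholder secret
    masked = mask_dataset(SAMPLE_RECORDS, demo_key)
    for row in masked:
        print(row)
    print("raw values leaked:", leaks_raw_values(SAMPLE_RECORDS, masked))
```

The leak check is the part an auditor will want to see: it turns "we mask test data" into a repeatable test whose result can be logged each time a non-production copy is produced, which is the kind of evidence the 2022 controls expect behind a claim.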
How it shows up in an audit
Each new control comes with its rationale, not just a requirement, which pushes you toward real resilience rather than box-ticking. Auditors expect the controls scoped to your actual risk, with evidence behind them, not a generic checklist applied wholesale.
Where Singahi fits
We run ISO 27001 and ISO 27002 work end to end, from the gap assessment through the controls and evidence to audit support. If your certification predates the 2022 controls, we map the gap and bring you current. See our ISO 27001 service.
