{"id":7823,"date":"2022-02-08T10:01:17","date_gmt":"2022-02-08T10:01:17","guid":{"rendered":"https:\/\/amtivo.com\/uk\/resources\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/"},"modified":"2025-12-15T16:19:47","modified_gmt":"2025-12-15T16:19:47","slug":"iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice","status":"publish","type":"resources-filter","link":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/","title":{"rendered":"ISO News \u2013 Updates Announced to the ISO\/IEC 27002 Code of Practice"},"content":{"rendered":"<p><em>A new edition of ISO 27002, the international standard designed to help organisations consider controls for an ISO 27001-compliant information management system, has been approved by the International Organization for Standardization. <\/em><\/p>\r\n<p>The third edition, expected to be published either later this month or in early March, is titled \u2018ISO\/IEC 27002 Information security, cybersecurity and privacy protection &#8211; Information security controls\u2019, and includes significant changes to the previous edition.<\/p>\r\n<h2>Clause Changes<\/h2>\r\n<p>The standard has been significantly reorganised, with the 14 clauses in the second edition being reduced to just four:<\/p>\r\n<ul>\r\n\t<li>Clause 5: Organisational Controls<\/li>\r\n\t<li>Clause 6: People Controls<\/li>\r\n\t<li>Clause 7: Physical Controls<\/li>\r\n\t<li>Clause 8: Technological Controls.<\/li>\r\n<\/ul>\r\n<h2>Control Changes<\/h2>\r\n<p>The new standard contains 93 controls, as opposed to the previous edition\u2019s 114, with the aim of this reduction being to simplify implementation. 
All of the controls have been thoroughly reviewed and updated with up-to-date guidance and best practice.<\/p>\r\n<p>You will also see the removal of the \u2018Objective\u2019 section which, in the old standard, set out the function of a group of controls within a category; instead, each of the third edition controls has been assigned an individual \u2018Purpose\u2019 in order to simplify and increase the flexibility of the new standard.<\/p>\r\n<h2>New Controls<\/h2>\r\n<p>The controls themselves have also seen extensive changes, with 11 new controls being introduced to align with current technology and best practice. The new controls are shown below:<\/p>\r\n<h3><strong>Organisational Controls<\/strong><\/h3>\r\n<ul>\r\n\t<li>7 Threat intelligence<\/li>\r\n\t<li>23 Information security for use of cloud services<\/li>\r\n\t<li>30 ICT readiness for business continuity<\/li>\r\n<\/ul>\r\n<h3><strong>Physical Controls<\/strong><\/h3>\r\n<ul>\r\n\t<li>4 Physical security monitoring<\/li>\r\n<\/ul>\r\n<h3><strong>Technological Controls<\/strong><\/h3>\r\n<ul>\r\n\t<li>9 Configuration management<\/li>\r\n\t<li>10 Information deletion<\/li>\r\n\t<li>11 Data masking<\/li>\r\n\t<li>12 Data leakage prevention<\/li>\r\n\t<li>16 Monitoring activities<\/li>\r\n\t<li>23 Web filtering<\/li>\r\n\t<li>28 Secure coding<\/li>\r\n<\/ul>\r\n<h2>Merged Controls<\/h2>\r\n<p>Where controls in the previous edition were inseparable in practice or closely related, they have been combined into new \u2018merged controls\u2019. For example, the second edition clause 5.1.1 (Policies for information security) and 5.1.2 (Review of the policies for information security) have been merged into a single clause (5.01 Policies for information management). 
In total there are 27 merged controls, drawn from 58 second edition controls.<\/p>\r\n<h2>Updated Controls<\/h2>\r\n<p>The controls in the second edition that have not been merged have all been retained from the previous edition, but with new clause numbers.<\/p>\r\n<h2>Attributes<\/h2>\r\n<p>Another notable change is the introduction of \u2018Attributes\u2019. The use of these attributes is not mandatory; they have been designed as a tool to help organisations filter and organise the controls to suit their particular context.<\/p>\r\n<p>Each control has five attributes associated with it, and each control\u2019s attributes have been assigned a particular \u2018value\u2019 from a predetermined selection, as set out in the table below:<\/p>\r\n<table style=\"width: 93.8135%; font-family: 'Montserrat', sans-serif; border-collapse: collapse;\">\r\n<tbody>\r\n<tr>\r\n<td style=\"width: 49.3528%; font-weight: bold; border-bottom: 1px solid #ddd; padding: 8px;\">Attributes<\/td>\r\n<td style=\"width: 72.8155%; font-weight: bold; border-bottom: 1px solid #ddd; padding: 8px;\">Values<\/td>\r\n<\/tr>\r\n<tr>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Control type<\/td>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Preventative, detective, corrective<\/td>\r\n<\/tr>\r\n<tr>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Information security properties<\/td>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Confidentiality, integrity, availability<\/td>\r\n<\/tr>\r\n<tr>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Cyber Security concept<\/td>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Identify, protect, detect, respond, recover<\/td>\r\n<\/tr>\r\n<tr>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Operational capabilities<\/td>\r\n<td style=\"padding: 8px; border-bottom: 1px solid #eee;\">Aligned to clauses in the second edition<\/td>\r\n<\/tr>\r\n<tr>\r\n<td 
style=\"padding: 8px;\">Security domains<\/td>\r\n<td style=\"padding: 8px;\">Governance and ecosystem, protection, defence, resilience<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<p>It is also open to organisations or industry associations to create their own attributes and values that are specific to their industry should they wish, in order to drive standardisation and consistency within particular contexts.<\/p>\r\n<h2>Transition<\/h2>\r\n<p>There is likely to be a two-year transition period following publication of the new standard, but this has yet to be confirmed, with Annex A of ISO\/IEC 27001 being updated to reflect these changes in due course.<\/p>\r\n<p>While ISO 27002 is not a management standard and therefore cannot be certified against, it is a useful code of practice that can support an <a href=\"\/uk\/standards\/iso-27001\/certification\/\">ISO 27001-compliant management system<\/a>. If you are considering ISO 27001 but you\u2019re not sure of the requirements, British Assessment Bureau offers a range of training courses covering all levels of expertise. 
<a href=\"\/uk\/standards\/iso-27001\/training\/\">Click here for more information on all of our ISO 27001 training<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"A new edition of the international standard ISO 27002 has been approved by the International Organization for Standardization.","protected":false},"author":24,"featured_media":7497,"template":"","resource":[59],"resource-tag":[],"class_list":["post-7823","resources-filter","type-resources-filter","status-publish","has-post-thumbnail","hentry","resource-insights"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Updates announced to the ISO\/IEC 27002 code of practice<\/title>\n<meta name=\"description\" content=\"The International Organisation for Standardization has revealed updates to ISO\/IEC 27001 code of practice. This article explains what to expect.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ISO News \u2013 Updates Announced to the ISO\/IEC 27002 Code of Practice\" \/>\n<meta property=\"og:description\" content=\"The International Organisation for Standardization has revealed updates to ISO\/IEC 27001 code of practice. 
This article explains what to expect.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/\" \/>\n<meta property=\"og:site_name\" content=\"Amtivo UK\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-15T16:19:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/ISO-27002-Updates-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"294\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/04\/testimonialImage-placeholder.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Updates announced to the ISO\/IEC 27002 code of practice","description":"The International Organisation for Standardization has revealed updates to ISO\/IEC 27001 code of practice. This article explains what to expect.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/","og_locale":"en_GB","og_type":"article","og_title":"ISO News \u2013 Updates Announced to the ISO\/IEC 27002 Code of Practice","og_description":"The International Organisation for Standardization has revealed updates to ISO\/IEC 27001 code of practice. 
This article explains what to expect.","og_url":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/","og_site_name":"Amtivo UK","article_modified_time":"2025-12-15T16:19:47+00:00","og_image":[{"width":500,"height":294,"url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/ISO-27002-Updates-1.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_image":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/04\/testimonialImage-placeholder.jpg","twitter_misc":{"Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/","url":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/","name":"Updates announced to the ISO\/IEC 27002 code of practice","isPartOf":{"@id":"https:\/\/amtivo.com\/uk\/#website"},"primaryImageOfPage":{"@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/#primaryimage"},"image":{"@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/ISO-27002-Updates-1.png","datePublished":"2022-02-08T10:01:17+00:00","dateModified":"2025-12-15T16:19:47+00:00","description":"The International Organisation for Standardization has revealed updates to ISO\/IEC 27001 code of practice. 
This article explains what to expect.","breadcrumb":{"@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/#primaryimage","url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/ISO-27002-Updates-1.png","contentUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/ISO-27002-Updates-1.png","width":500,"height":294,"caption":"ISO27002 Code of practice update"},{"@type":"BreadcrumbList","@id":"https:\/\/amtivo.com\/uk\/resources\/insights\/iso-news-updates-announced-to-the-iso-iec-27002-code-of-practice\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/amtivo.com\/uk\/"},{"@type":"ListItem","position":2,"name":"Resources","item":"https:\/\/amtivo.com\/uk\/resources\/"},{"@type":"ListItem","position":3,"name":"Insights","item":"https:\/\/amtivo.com\/uk\/resources\/insights\/"},{"@type":"ListItem","position":4,"name":"ISO News \u2013 Updates Announced to the ISO\/IEC 27002 Code of 
Practice"}]},{"@type":"WebSite","@id":"https:\/\/amtivo.com\/uk\/#website","url":"https:\/\/amtivo.com\/uk\/","name":"Amtivo","description":"","publisher":{"@id":"https:\/\/amtivo.com\/uk\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/amtivo.com\/uk\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/amtivo.com\/uk\/#organization","name":"Amtivo","url":"https:\/\/amtivo.com\/uk\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/uk\/#\/schema\/logo\/image\/","url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/cropped-BAB-Amtivo-Joint-Logo-Updated-300ppi.png","contentUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2025\/10\/cropped-BAB-Amtivo-Joint-Logo-Updated-300ppi.png","width":371,"height":203,"caption":"Amtivo"},"image":{"@id":"https:\/\/amtivo.com\/uk\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/resources-filter\/7823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/resources-filter"}],"about":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/types\/resources-filter"}],"author":[{"embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/users\/24"}],"version-history":[{"count":2,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/resources-filter\/7823\/revisions"}],"predecessor-version":[{"id":8972,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/resources-filter\/7823\/revisions\/8972"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/media\/7497"}],"wp:attachment":[{"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/media?parent=7823"}],"wp:term":[{"taxonomy":"resource","embeddable":true,"href":"https:\/\/amtivo.co
m\/uk\/wp-json\/wp\/v2\/resource?post=7823"},{"taxonomy":"resource-tag","embeddable":true,"href":"https:\/\/amtivo.com\/uk\/wp-json\/wp\/v2\/resource-tag?post=7823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}