ISO 27001 vs ISO 27002

ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organization.
ISO 27002 is an international standard used as a reference, giving guidance on best practices for implementing the requirements and controls of ISO 27001.
An organization can be certified against ISO 27001, but not against ISO 27002.

Main changes to ISO 27002:2022

ISO 27002:2022 was released by ISO on Feb 15, 2022. The number of information security controls decreased from 114 to 93, and they are now grouped into 4 sections instead of the 14 sections of the former version:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)

The new version of ISO 27002 adds 11 new controls and deletes none of the former ones, although some of them were merged.

Impact to ISO 27001 from ISO 27002:2022

An amendment to ISO 27001:2013 is in progress and is expected to be released in 2022.

  • The changes to ISO 27002:2022 will be reflected in Annex A of ISO/IEC 27001.
  • The main part of ISO 27001 (i.e. Clauses 4 to 10) will remain unchanged.
  • The number of controls decreases from 114 to 93.
  • Controls are categorized into 4 sections instead of the previous 14.
  • There are 11 new controls; no controls were deleted, and some controls were merged.

After ISO 27001:2022 is released, a transition period is expected, during which organizations certified against ISO 27001:2013 can update their ISMS and implement the revised standard.

Support by DQS

Blog Author of DQS HK