Navigating the Updates: ISO/IEC 27001:2022 & 27002:2022 Standards for Information Security Professionals

Created by Don Agaj & Fabrice De Paepe

The ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards have been updated to reflect the evolving nature of information security threats and to provide guidance on how organizations can best protect themselves from these threats. ISO/IEC 27001 states the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), and ISO/IEC 27002 provides implementation guidance for its controls. The ISO/IEC 27001 ISMS is a framework for managing and protecting sensitive information and has been adopted by organizations around the world to ensure that their information security practices are effective and up-to-date.

General Changes in ISO/IEC 27001:2022 Standard

At first glance, the majority of the changes in the new version are in the information security controls (Annex A). The requirements in the main clauses (4 to 10) changed very little: aside from some small modifications that make them more precise and comprehensive, there is one new requirement that has since been added to all ISO management system standards through a 2024 amendment. It requires organizations to determine whether climate change is a relevant issue for their ISMS when analysing their context (clause 4.1) and the needs of interested parties (clause 4.2).

As for the controls, Annex A of ISO/IEC 27001:2022 has been restructured rather than expanded: it now lists 93 controls, of which 11 are new. The new controls address areas such as threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.

The new standard also keeps its emphasis on a risk-based approach to information security management; this is not new in 2022, but it remains the core of the ISMS. Organizations must identify, evaluate and prioritize risks to their sensitive information, and then select and implement controls to treat those risks. Annex A serves as a reference list used to verify that no necessary control has been overlooked (clause 6.1.3), not as a fixed checklist, so organizations can focus their efforts on the areas most critical to their security rather than applying a one-size-fits-all solution.

Another notable change in ISO/IEC 27001:2022 is the consolidation of the controls for managing third-party relationships. Many organizations rely on suppliers and service providers to handle sensitive information, and Annex A now groups the supplier controls together (5.19 to 5.22) and adds a new control for the use of cloud services (5.23). Together these cover due diligence on suppliers, security requirements in supplier agreements, the ICT supply chain, and the monitoring and review of supplier services, so that sensitive information shared with third parties stays protected.

General Changes in ISO/IEC 27002:2022 Standard

ISO/IEC 27002:2022 is the reference set of information security controls, with implementation guidance for each control, and replaces ISO/IEC 27002:2013 (which was titled a "code of practice"). It does not itself contain ISMS requirements and is not a standard an organization can be certified against; it supports ISO/IEC 27001:2022, whose Annex A lists the same controls, so many of the changes in the new standard are reflected in this document as well.

The updated ISO/IEC 27002:2022 standard provides guidance on how organizations can implement the controls listed in Annex A of ISO/IEC 27001:2022. The number of controls has been reduced from 114 in the 2013 version to 93 in the 2022 version: many 2013 controls were merged, while 11 new ones were added. In addition, the controls are now structured into four themes instead of the previous 14 control clauses: Organizational, People, Physical, and Technological. Each control also carries a set of attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that can be used to filter and group the controls, for example by preventive, detective or corrective control type. This restructuring is intended to simplify the framework and make it more accessible.

The four themes apply only to the controls. The main clauses of ISO/IEC 27001:2022 (4 to 10) continue to follow the harmonized structure shared by ISO management system standards such as ISO 9001:2015 and ISO 14001:2015, which makes it easier for organizations to integrate their information security management system with their quality and environmental management systems.

ISO/IEC 27001 and ISO/IEC 27002 Individual Certifications

Individuals can pursue certification related to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO/IEC 27002:2022, on the other hand, offers guidance for implementing the controls listed in ISO/IEC 27001:2022 Annex A. Some certification bodies may offer programs related to it; however, ISO/IEC 27001:2022 certification is typically the primary focus for individuals seeking certification in information security management. This is because ISO/IEC 27001:2022 certification programs are based on a management system (MS) standard and already encompass the controls outlined in ISO/IEC 27002.

What Certified Individuals Need to Know

Considering all the changes and the fact that certified organizations are required to transition to the updated standard (the transition period for ISO/IEC 27001:2013 certificates ends on 31 October 2025), it is imperative that certified individuals also achieve the necessary competence and update their certificates. There are many alternatives to choose from when it comes to acquiring the necessary competence for the updated standard, including but not limited to:

  1. Attending relevant training courses: Certified individuals should attend training courses that provide an overview of the changes in the new standards, as well as provide practical guidance on how to implement them. TRECCERT offers a transition course for ISO/IEC 27001:2022. This course is tailored for individuals already certified in ISO/IEC 27001:2013, providing comprehensive insight into the modifications and updates of the new standard, alongside practical guidance for their implementation.
  2. Reading the updated standards: It is important to review the updated standards in order to gain a thorough understanding of the new controls and requirements.
  3. Participating in relevant professional organizations and networking events: Joining relevant professional organizations and networking events can help certified individuals stay informed about the latest developments in the field of cybersecurity, as well as provide opportunities to connect with other professionals in the industry.
  4. Re-certification: To maintain their certification, certified individuals may have to go through a re-certification process in which they demonstrate their understanding of the new standards and their ability to implement them.

By staying informed and updating their knowledge and skills, certified individuals can ensure they are able to effectively implement and/or audit the new ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards and help their organization stay protected against cyber threats.

In addition to the transition course, TRECCERT also offers updated exams for TRECCERT ISO/IEC 27001:2022 Lead Implementer and TRECCERT ISO/IEC 27001:2022 Lead Auditor, which are certification schemes accredited by the American National Standards Institute (ANSI) National Accreditation Board (ANAB). These exams are designed to test the candidate's understanding of the new standard and their ability to implement or audit the new controls and procedures in a real-world setting. These certifications are widely recognized as proof of the professional's knowledge and experience on the subject, and demonstrate their proficiency in the field of information security management.

Additionally, passing the exam and getting certified with TRECCERT gives professionals a head start in the job market. The certifications from TRECCERT are valued by employers and other organizations, as they show that the individual has the knowledge and skills to help organizations protect their information.