Articles
Considering the cybersecurity landscape in today’s world, there are many information security and cybersecurity frameworks which help organizations protect themselves from cybercrime. The ISO/IEC 27002 is an international standard used as a reference for selecting and implementing information security controls. In addition, it guides on the information security best practices that help organizations in selecting, implementing, and managing information security controls such as organizational, people, physical, and technological controls, among others.
Therefore, together with ISO/IEC 27001, ISO/IEC 27002 serves as the foundation for developing a privacy information management system (PIMS).
The ISO/IEC 27002 has been under review and is currently at DIS (Draft International Standard) stage. The article explains the key changes that are expected to be in the newest version as compared to ISO/IEC 27002:2013 version.
12 new controls are introduced in the latest version of the ISO/IEC 27002 standard. The newest controls reflect the evolvement in technologies and industrial practices.
The following table are shows the new controls that have been added to the newest version of the standard.
| Changing landscape of technology use and data protection | Inclusion of sensitive data protection controls | Recognition of the essential role of technology in business resilience | Other new controls |
|---|---|---|---|
| 5.7 Threat intelligence | 8.10 Information deletion | 5.30 ICT readiness for business continuity | 5.16 Identity management |
| 5.23 Information security for use of cloud services | 8.11 Data masking | 7.4 Physical security monitoring | |
| 8.12 Data leakage prevention | 8.1 User endpoint devices | ||
| 8.9 Configuration management | |||
| 8.22 Web filtering | |||
| 8.28 Secure coding |
The controls are regrouped into 4 categories, instead of 14 categories that were in the 2013 version.
The following table is a visualization of the current control categories updated with the latest standard.
| 5 Organizational Controls | 6 Organization of information security | 7 Physical Controls | 8 Technological Controls |
There are 93 controls in the DIS version while there were 114 controls in the 2013 version of the standard.
The following 16 Controls have been removed from the newest version of the standard.
| 5.1.2 Review of the policies for information security |
| 6.2.1 Mobile device policy |
| 8.1.2 Ownership of assets |
| 8.2.3 Handling of assets |
| 9.4.3 Password management system |
| 11.1.6 Delivery and loading areas |
| 11.2.5 Removal of assets |
| 11.2.8 Unattended user equipment |
| 12.4.2 Protection of log information |
| 12.6.2 Restrictions on software installation |
| 13.2.3 Electronic messaging |
| 14.1.2 Securing application services on public networks |
| 14.1.3 Protecting application services transactions |
| 14.2.9 System acceptance testing |
| 16.1.3 Reporting information security weaknesses |
| 18.2.3 Technical compliance review |
An ISO/IEC 27002 certification demonstrates that you are able to:
In a world where data security is essential for every organization, the implementation and management of information security is highly important.
PECB offers ISO/IEC 27002 training courses that would help you in planning, implementing, and managing information security controls.
For more information regarding ISO/IEC 27002 training courses, contact us at support@pecb.com.
About the author
Albana Iseni is a Product Marketing Manager for ISR at PECB. She is in charge of conducting market research while developing and providing information related to ISO standards. If you have any questions, please do not hesitate to contact her: marketing.ism@pecb.com.
Share
Beyond Recognition
©2025 Professional Evaluation and Certification Board. All rights reserved.
