Understanding the ISO 27000 Series Changes

David Bowie once sang, “ch-ch-ch-changes, turn and face the strange.” While the changes to the ISO 27000-series may look strange, they’re primarily a configuration and modernization of the same standard you already know. The standard’s format looks entirely different, but most of your current controls will remain the same.

When you understand the underlying philosophical shift, you can pivot your compliance posture to address the ISO 27000-series changes more effectively and efficiently. 

Understanding the Philosophical Shift

The International Organization for Standardization (ISO) provides a detailed introduction to ISO 27002:2022 that addresses how companies can use the standards. When comparing all three standards, only ISO 27002:2022 provides insight. While the previous publications mentioned the need for risk assessments, they 

Focus on Risk

Significantly, while the 2013 publication focuses on asset-based language and inherent vulnerabilities, the 2022 update notes that technical measures provide limited security capabilities. Organizations need the appropriate supporting management activities and organizational processes. Further, ISO 27002:2022 explains that companies need to pay careful attention to details when carrying out risk treatments and plan controls accordingly. 

Definition of Controls

While the 2013 publication discussed controls and their selection, it never provided a definition.

With this release, ISO places greater focus on the risk assessment process, updating the definition of control to:

a measure that modifies or maintains risk

For example, policies are controls that maintain risk while compliance with the policies can modify the risk. 

Focus on Business Impact

While the previous publication provided little insight into how organizations should select controls, ISO 27002:2022 explains that organizations must balance the following:

Overview of the high-level changes across the 27000-series

As ISO shifted its overarching approach to managing information security risk, it made changes across all three standards, realigning them with these new initiatives. 

ISO 27001:2022

Most of ISO 27001:2022 looks the same as the standard you know, with changes focusing primarily on documentation and audit. At a quick scan, ISO added a few sections within some categories


The biggest change in 27001 is the formalization of the internal audit program, requiring companies to consider processes and previous audit outcomes. When reviewing inputs, management needs to consider how “interested parties” use systems and expect to use systems, taking into account how internal and external users rely on cloud resources. 

ISO 27002:2022

When you open the cover of ISO 27002:2022, your first thought might be, “this is a whole new standard!” Most of these changes are organizational and cosmetic. 

All controls now fall into one of four main control categories or “themes”:


Reflecting ISO’s new focus on risk and outcomes, the standard organizes controls differently. 

Each control description has five main attributes:


To better organize the controls themselves, ISO also implemented the following format for each control:

ISO 27005:2022

With the overall update focusing primarily on risk, ISO 27005:2022 gives you ways to perform the risk management activities. Within ISO 27005:2022, you’ll find an introduction to risk scenario concepts that include event-based and asset-based approaches. 

Risk scenarios are defined as events that occur or change a set of circumstances. They can be:


A consequence is an event outcome that affects objectives in any of the following ways:


Event-based risk identification considers events and consequences at a business or strategic level, reviewing:


Asset-based risk identification reviews assets, threats, and vulnerabilities, considering:

New Controls for the 2022 Update to ISO 27000-series

Although the ISO 27000-series looks new and shiny, most of the controls remain the same. While a few got a little bit of a rewrite to eliminate the tarnishing, only a few are net-new controls:

Graylog Security: The Flexible Security and Compliance Platform

With Graylog Security, you have the flexible, scalable cybersecurity monitoring and compliance reporting platform you need to achieve your business objectives. Built on the intuitive Graylog platform, Graylog Security gives you features that reduce your security team’s alert fatigue, help them answer critical incident investigation questions, and enable team members of all skill levels. 

By using our pre-built dashboards, your security team can monitor security and schedule automated compliance reporting. With our anomaly detection ML and UEBA, your team can quickly learn what “normal” looks like in your unique environment, so that they can more efficiently identify anomalous behavior at scale while continuously fine-tuning and improving over time. 

To learn how Graylog Security can help your company keep pace with changing security and compliance requirements, contact us today.