ISO 27002 Mapping
MAPPING TOOL
The mapping below shows how each control in the previous edition of ISO 27002 relates to its 2022 counterpart. Where several previous controls have been consolidated into one 2022 control, all of the previous controls that feed into it are listed alongside the row.
Previous control | Previous control title | Previous controls merged into the 2022 control | 2022 control | 2022 control title
5.1.2 | Review of the policies for information security | 5.1.1, 5.1.2 | 5.1 | Policies for information security
6.1.1 | Information security roles and responsibilities | | 5.2 | Information security roles and responsibilities
6.1.4 | Contact with special interest groups | | 5.6 | Contact with special interest groups
6.1.5 | Information security in project management | 6.1.5, 14.1.1 | 5.8 | Information security in project management
7.1.2 | Terms and conditions of employment | | 6.2 | Terms and conditions of employment
7.2.2 | Information security awareness, education and training | | 6.3 | Information security awareness, education and training
7.3.1 | Termination or change of employment responsibilities | | 6.5 | Responsibilities after termination or change of employment
8.1.1 | Inventory of assets | 8.1.1, 8.1.2 | 5.9 | Inventory of information and other associated assets
8.1.2 | Ownership of assets | 8.1.1, 8.1.2 | 5.9 | Inventory of information and other associated assets
8.1.3 | Acceptable use of assets | 8.1.3, 8.2.3 | 5.10 | Acceptable use of information and other associated assets
8.2.3 | Handling of assets | 8.1.3, 8.2.3 | 5.10 | Acceptable use of information and other associated assets
8.3.1 | Management of removable media | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | 7.10 | Storage media
8.3.2 | Disposal of media | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | 7.10 | Storage media
8.3.3 | Physical media transfer | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | 7.10 | Storage media
9.1.2 | Access to networks and network services | 9.1.1, 9.1.2 | 5.15 | Access control
9.2.2 | User access provisioning | 9.2.2, 9.2.5, 9.2.6 | 5.18 | Access rights
9.2.4 | Management of secret authentication information of users | 9.2.4, 9.3.1, 9.4.3 | 5.17 | Authentication information
9.2.5 | Review of user access rights | 9.2.2, 9.2.5, 9.2.6 | 5.18 | Access rights
9.2.6 | Removal or adjustment of access rights | 9.2.2, 9.2.5, 9.2.6 | 5.18 | Access rights
9.3.1 | Use of secret authentication information | 9.2.4, 9.3.1, 9.4.3 | 5.17 | Authentication information
9.4.3 | Password management system | 9.2.4, 9.3.1, 9.4.3 | 5.17 | Authentication information
9.4.4 | Use of privileged utility programs | | 8.18 | Use of privileged utility programs
9.4.5 | Access control to program source code | | 8.4 | Access to source code
10.1.1 | Policy on the use of cryptographic controls | 10.1.1, 10.1.2 | 8.24 | Use of cryptography
11.1.3 | Securing offices, rooms and facilities | | 7.3 | Securing offices, rooms and facilities
11.1.4 | Protecting against external and environmental threats | | 7.5 | Protecting against physical and environmental threats
11.1.6 | Delivery and loading areas | 11.1.2, 11.1.6 | 7.2 | Physical entry
11.2.1 | Equipment siting and protection | | 7.8 | Equipment siting and protection
11.2.5 | Removal of assets | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | 7.10 | Storage media
11.2.7 | Secure disposal or re-use of equipment | | 7.14 | Secure disposal or re-use of equipment
11.2.9 | Clear desk and clear screen policy | | 7.7 | Clear desk and clear screen
12.1.2 | Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | 8.32 | Change management
12.1.4 | Separation of development and operational environments | | 8.31 | Separation of development, test and production environments
12.3 | Backup | | |
12.4.3 | Administrator and operator logs | 12.4.1, 12.4.2, 12.4.3 | 8.15 | Logging
12.7.1 | Information systems audit controls | | 8.34 | Protection of information systems during audit testing
13.2.1 | Information exchange policies and procedures | 13.2.1, 13.2.2, 13.2.3 | 5.14 | Information transfer
13.2.2 | Agreement on information transfer | 13.2.1, 13.2.2, 13.2.3 | 5.14 | Information transfer
14.1.1 | Security requirements analysis and specification | 6.1.5, 14.1.1 | 5.8 | Information security in project management
14.1.2 | Securing application services on public networks | 14.1.2, 14.1.3 | 8.26 | Application security requirements
14.1.3 | Protecting application services transactions | 14.1.2, 14.1.3 | 8.26 | Application security requirements
14.2.2 | System change control procedures | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | 8.32 | Change management
14.2.3 | Technical review of applications after operating platform changes | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | 8.32 | Change management
14.2.4 | Restrictions on changes to software packages | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | 8.32 | Change management
14.2.5 | Secure system engineering principles | | 8.27 | Secure system architecture and engineering principles
14.2.6 | Secure development environment | | 8.31 | Separation of development, test and production environments
14.2.8 | System security testing | 14.2.8, 14.2.9 | 8.29 | Security testing in development and acceptance
14.2.9 | System acceptance testing | 14.2.8, 14.2.9 | 8.29 | Security testing in development and acceptance
15.1.1 | Information security policy for supplier relationships | | 5.19 | Information security in supplier relationships
15.1.2 | Addressing security within supplier agreements | | 5.20 | Addressing information security within supplier agreements
15.1.3 | Information and communication technology supply chain | | 5.21 | Managing information security in the ICT supply chain
15.2.1 | Monitoring and review of supplier services | 15.2.1, 15.2.2 | 5.22 | Monitoring, review and change management of supplier services
15.2.2 | Managing changes to supplier services | 15.2.1, 15.2.2 | 5.22 | Monitoring, review and change management of supplier services
16.1.1 | Responsibilities and procedures | | 5.24 | Information security incident management planning and preparation
16.1.2 | Reporting information security events | 16.1.2, 16.1.3 | 6.8 | Information security event reporting
16.1.3 | Reporting security weaknesses | 16.1.2, 16.1.3 | 6.8 | Information security event reporting
16.1.4 | Assessment of and decision on information security events | | 5.25 | Assessment and decision on information security events
16.1.5 | Response to information security incidents | | 5.26 | Response to information security incidents
16.1.6 | Learning from information security incidents | | 5.27 | Learning from information security incidents
17.1.1 | Planning information security continuity | 17.1.1, 17.1.2, 17.1.3 | 5.29 | Information security during disruption
17.1.2 | Implementing information security continuity | 17.1.1, 17.1.2, 17.1.3 | 5.29 | Information security during disruption
17.1.3 | Verify, review and evaluate information security continuity | 17.1.1, 17.1.2, 17.1.3 | 5.29 | Information security during disruption
17.2 | Redundancies | | |
17.2.1 | Availability of information processing facilities | | 8.14 | Redundancy of information processing facilities
18.1.1 | Identification of applicable legislation and contractual requirements | 18.1.1, 18.1.5 | 5.31 | Legal, statutory, regulatory and contractual requirements
18.1.4 | Privacy and protection of personally identifiable information | | 5.34 | Privacy and protection of PII
18.1.5 | Regulation of cryptographic controls | 18.1.1, 18.1.5 | 5.31 | Legal, statutory, regulatory and contractual requirements
18.2.1 | Independent review of information security | | 5.35 | Independent review of information security
18.2.2 | Compliance with security policies and standards | 18.2.2, 18.2.3 | 5.36 | Compliance with policies, rules and standards for information security
18.2.3 | Technical compliance review | 18.2.2, 18.2.3 | 5.36 | Compliance with policies, rules and standards for information security

The rows for 12.3 (Backup) and 17.2 (Redundancies) are section headings from the previous edition; this page gives no 2022 counterpart for them.
NQA, Warwick House, Houghton Hall Park, Houghton Regis, Dunstable, Bedfordshire LU5 5ZX, United Kingdom
T: 0800 052 2424 E: info@nqa.com @nqaglobal www.nqa.com