27001:2022 Query
Hi Dejan,
Regarding this article:
What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)
ISO 27001 has 114 controls in Annex A - ISO 27002:2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?
So will ISO 27001 become ISO 27002?
Also, in reality, how would a small company deal with the following:
A.5.7 Threat Intelligence - gather information and analyse it? (interpret)
Could this be outsourcing to AV/MDR or something else?
Hi Dejan,
Regarding this article:
1 - What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)
I assume you are asking about ISO 27001 sections and Annex A. Annex A lists all 93 controls, and they are divided into 4 sections (Organizational, People, Physical, and Technological controls).
2 - ISO 27001 has 114 controls in Annex A - ISO 27002:2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?
Your assumption is correct. Released in October 2022, ISO 27001:2022 Annex A now has only 93 controls, aligning this standard with ISO 27002:2022.
3 - So will ISO 27001 become ISO 27002?
ISO 27001 will not become ISO 27002. They have different purposes.
Please note that ISO 27001 is the standard that provides requirements for the implementation of an Information Security Management System (ISMS), while ISO 27002 is a complementary standard, which provides guidance to implement the controls defined in ISO 27001:2022 Annex A. Additionally, implementing ISO 27002 is not mandatory for meeting ISO 27001 requirements.
For further information, see:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
4 - Also, in reality, how would a small company deal with the following: A.5.7 Threat Intelligence - gather information and analyse it? (interpret) Could this be outsourcing to AV/MDR or something else?
To implement control A.5.7 Threat Intelligence, a company should consider gathering information internally (e.g., from logs of internal systems, incident reports, etc.), as well as from external sources (e.g., vendor reports, government agency announcements, etc.).
ISO 27001 does not prescribe that the organization needs to perform this information gathering by itself, so outsourcing this activity is an acceptable option.
For further information, see:
- Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/
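The answer above describes the two halves of A.5.7 (gather from external and internal sources, then analyse) without showing what that looks like day to day. The following is an added example, not code from the Advisera post, ISO, or any MDR vendor: a small organisation takes a constructed vendor/CERT-style indicator feed (CSV format assumed for the example), checks it against constructed egress-firewall log lines (format also assumed), and grades the matches so that an allowed connection to a high-confidence indicator is treated as an incident while a blocked one is only recorded. All IPs, domains, hostnames and log lines are invented.

```python
"""Minimal threat-intelligence gathering and analysis for a small organisation.

Added example, not code from the Advisera post or from ISO: it walks through
the two activities in ISO 27001:2022 control A.5.7, collecting indicators
from an external source and analysing them against internal data. The feed
format, indicators, hostnames and log lines below are all constructed.
"""
from __future__ import annotations

import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# External source: a constructed indicator feed in the kind of CSV a vendor,
# ISAC or national CERT might publish (assumed format, not a real feed).
FEED_CSV = """indicator,type,threat,confidence
198.51.100.23,ipv4,malware C2,high
203.0.113.0/24,ipv4-net,mass scanning,medium
updates-cdn.example.net,domain,phishing kit,high
192.0.2.77,ipv4,old sinkhole,low
"""

# Internal source: constructed egress-firewall log lines (assumed format).
FIREWALL_LOG = """\
2022-12-15T08:01:02Z src=10.1.2.3 dst=198.51.100.23 host=- action=allow
2022-12-15T08:01:09Z src=10.1.2.9 dst=203.0.113.44 host=- action=deny
2022-12-15T08:02:30Z src=10.1.2.3 dst=93.184.216.34 host=cdn.updates-cdn.example.net action=allow
2022-12-15T08:03:00Z src=10.1.2.5 dst=192.0.2.77 host=- action=deny
2022-12-15T08:04:11Z src=10.1.2.7 dst=93.184.216.34 host=www.example.com action=allow
"""

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str        # "ipv4", "ipv4-net" or "domain"
    threat: str
    confidence: str  # "low", "medium" or "high"


def parse_feed(text: str) -> list[Indicator]:
    """Gather: read the external feed and normalise each indicator."""
    rows = csv.DictReader(io.StringIO(text))
    return [Indicator(r["indicator"].strip().lower(), r["type"].strip().lower(),
                      r["threat"].strip(), r["confidence"].strip().lower())
            for r in rows]


LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")


def parse_log(text: str) -> list[dict[str, str]]:
    """Gather: parse internal log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def indicator_hits(ind: Indicator, ev: dict[str, str]) -> bool:
    """Does one indicator apply to one event? Domain matching includes subdomains."""
    if ind.kind == "ipv4":
        return ev["dst"] == ind.value
    if ind.kind == "ipv4-net":
        try:
            return ipaddress.ip_address(ev["dst"]) in ipaddress.ip_network(ind.value)
        except ValueError:  # malformed address in the log or feed
            return False
    if ind.kind == "domain":
        host = ev["host"].lower()
        return host == ind.value or host.endswith("." + ind.value)
    return False


def analyse(indicators, events, min_confidence="medium"):
    """Analyse: keep matches at or above the confidence threshold and grade them.

    An allowed connection to a matching indicator is an incident to escalate;
    a denied one is evidence the existing control worked and only needs logging.
    """
    threshold = CONFIDENCE_RANK[min_confidence]
    findings = []
    for ev in events:
        for ind in indicators:
            if CONFIDENCE_RANK[ind.confidence] < threshold or not indicator_hits(ind, ev):
                continue
            severity = "incident" if ev["action"] == "allow" else "blocked"
            findings.append({"ts": ev["ts"], "src": ev["src"], "indicator": ind.value,
                             "threat": ind.threat, "severity": severity})
    # Incidents first, then by time, so whoever triages sees the worst item first.
    findings.sort(key=lambda f: (f["severity"] != "incident", f["ts"]))
    return findings


def run_report(feed_csv: str = FEED_CSV, log_text: str = FIREWALL_LOG):
    """Full A.5.7 cycle on the constructed inputs: gather both sources, then analyse."""
    return analyse(parse_feed(feed_csv), parse_log(log_text))


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['severity']:8} {f['ts']} {f['src']} -> {f['indicator']} ({f['threat']})")
```

The confidence threshold is the "interpret" step the question asks about: a low-confidence indicator such as the old sinkhole is deliberately dropped so the two-person IT team is not paged for noise, and the same `analyse` function can be re-run with `min_confidence="low"` during an investigation. Outsourcing to an MDR provider, as the answer says is acceptable, replaces the feed and the matching with the provider's service, but the organisation still owns the decision of what counts as an incident for its own assets.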
Dec 15, 2022