The 2022 revision of ISO/IEC 27001 introduced a new control structure and added control attributes within Annex A, marking a significant evolution in how information security controls are organized and applied.
This new approach aims to provide clearer, more practical guidance that aligns better with modern cybersecurity needs and organizational contexts.
The revamped control structure groups controls into broader, more meaningful domains, while control attributes provide metadata that supports the selection, implementation, and auditing of controls.
New Control Structure
The updated control framework in ISO/IEC 27001:2022 focuses on clarity and operational relevance. The following points describe the new grouping of controls and the role of control attributes.
1. Control Grouping into Four Domains: The previous 14 control domains were condensed into four comprehensive categories representing the broad areas organizations typically focus on for information security.
| Control Domain | Description |
|---|---|
| Organizational Controls | Cover policies, procedures, governance, and management system-related controls that drive information security culture and practices throughout an organization. |
| People Controls | Address personnel-related security aspects such as roles, responsibilities, training, and awareness to ensure employees and others act securely. |
| Physical Controls | Focus on tangible security measures protecting physical environments, assets, and infrastructure from unauthorized access or damage. |
| Technological Controls | Deal with IT systems, applications, networks, and technical measures that protect digital information and support operational security. |
2. Simplification and Practicality: This structural revision simplifies understanding and helps organizations focus on critical security dimensions aligned with their operational structures and risk profiles.
3. Control Attributes: Control attributes act as detailed descriptors or classifications assigned to each control, facilitating improved organization, prioritization, and risk alignment.
Benefits: These attributes enable organizations to tailor control implementation more precisely, enhance risk assessments by focusing efforts on specific properties or functions, and streamline communication among stakeholders. They also support auditors in reviewing controls systematically based on their attributes.