ISO 27002:2022 Gap Analysis

Start your journey to achieving ISO 27001:2022 with a comprehensive gap analysis against the new ISO 27002:2022 controls.

Get a quote

Dedicated security consultants working to keep you compliant

Retain compliance

Identify areas that need addressing to help you certify to ISO 27001:2022.

Clear report findings

Receive a clear report of conformity against each new control.

Expert consultants

Delivered by our team of certified and experienced ISO lead auditors.

Implementation support

Receive expert support and optional extras to aid your compliance journey.

Two males in a meeting Two males in a meeting

The ISO 27002:2022 controls

ISO 27002 was updated in February 2022. The new controls highlighted within ISO 27002:2022 are now referenced in Annex A of the new version of ISO 27001 which was published in October 2022.

This means organisations that currently use Annex A controls will be required to update their Information Security Management System (ISMS) taking into account the new controls prior to being assessed against ISO 27001:2022.


Comprehensive analysis Comprehensive analysis

A comprehensive ISO 27002:2022 analysis

For organisations certified against ISO 27001:2013, an ISO 27002:2022 Gap Analysis will assess your compliance against the new control set and help you, identify where your current ISMS fails to meet the requirements, and what needs to be implemented to help you achieve 27001:2022 certification.

Get a quote

Controled guidance Controled guidance

ISO 27002 controls guidance

In ISO 27002:2022, the number of controls has decreased from 114 to 93. These controls are then categorised into four themes:

  • Organisational
  • People
  • Physical
  • Technological

24 existing controls have been merged, 58 updated and there are now 11 new controls to reflect the current cyber security landscape. These include:

  • Threat intelligence
  • Information security for the use of cloud services
  • Physical security monitoring
  • Configuration management
  • Information deletion and data leakage prevention

How can a ISO 27002 Controls Gap Analysis help you How can a ISO 27002 Controls Gap Analysis help you

How can a ISO 27002 controls gap analysis help you?

Ensure your organisation is ready to move to ISO 27001:2022 with the help of a ISO 27002 Controls Gap Analysis: 

  • Comprehensive assessment against the 93 controls of ISO 27002
  • Identify where your ISMS needs to be updated
  • Clearly understand your conformity against each control with a RAG status report
  • Receive guidance on steps to take to achieve conformity from experienced ISO consultants
  • Full debrief call to discuss your report and any concerns with the findings
Get a quote

Why choose Bulletproof Why choose Bulletproof

Why choose Bulletproof?

Our team of certified and experienced consultants help organisations of all sizes monitor and manage their information security. We understand that each organisation has unique processes and procedures, so we’ll work with you to understand your ISMS and provide appropriate advice on how you can easily address any areas of non-conformity.

We also offer additional solutions such as penetration testing, 24/7 security monitoring and assistance with other compliance engagements such as the GDPR and Cyber Essentials.


Here’s what our customers say about us

ISO 27002 controls gap analysis FAQs

What is ISO 27002?

ISO 27002 is the set of technical controls which is referenced in Annex A of ISO 27001. It explains each of the controls in more detail and provides information on what the control is, what the objective of the control is and how to implement it. Consider it as the user manual for the controls.

What’s the difference between ISO 27002 and ISO 27001?

  1. ISO 27001 is the central framework of the ISO 27000 series. ISO 27001 is the standard that defines how to implement an information security management system. It is made up of a series of clauses, of which, clauses 4-10 define the management system requirements and Annex A, which defines the information security controls that can be used to address risks identified.
  2. ISO 27002 provides detail on the security controls, as while they are listed in Annex A of 27001, the information provided is very limited. In particular, it describes how to implement it and the objectives of the controls. It is important to note that an organisation cannot certify to ISO 27002, because it’s only a supplementary standard. It is only possible to achieve certification to ISO 27001.

Do I have to conform to the new ISO 27002 controls if I am already ISO 27001 certified?

Not yet, but you will eventually. Once the new version of ISO 27001 comes out (which is expected in the autumn of 2022) this will reference the new ISO 27002:2022 controls. It is widely expected that organisations will have two years from the date of the publication of the new ISO 27001:2022 to achieve certification against the new standard, however this is yet to be confirmed.

How many controls are there in ISO 27002?

There are 93 controls in 27002:2022, in comparison to the 114 controls in 27002:2013. In 27002:2013, controls were broken into 14 control sets. With 27002:2022, the structure has been changed to group the controls by four themes: People (8 controls), Organisational (37 controls), Technological (34 controls) and Physical (14 controls).

ISO 27002:2022 has also introduced 11 new controls which cover:

  • Monitoring activities
  • Physical security monitoring
  • Data masking
  • Data leakage prevention
  • Threat intelligence
  • Information security for use of cloud services
  • Information deletion
  • Secure coding
  • Configuration management
  • Web filtering
  • ICT readiness for business continuity

24 controls have been merged from two, three, or more controls from the 2013 version; thus reducing the number of overall controls in the 2022 version.

ISO 27002 controls gap analysis resources


Trusted cyber security & compliance services from a certified provider