Dedicated security consultants working to keep you compliant

Retain compliance

Identify areas that need addressing to maintain your ISO 27001 compliance.

Clear report findings

Receive a clear report of conformity against each new control.

Expert consultants

Delivered by our team of certified and experienced ISO lead auditors.

Implementation support

Receive expert support and optional extras to aid your compliance journey.

The ISO 27002:2022 controls

ISO 27002 was updated in February 2022. The new controls highlighted within ISO 27002:2022 are expected to be reflected within Annex A of the ISO 27001 when the updated version is published later this year.

This means your organisation will be required to review its Information Security Management System (ISMS) against the new controls. This will ensure you can achieve certification to the new standard within the usual two-year transition period.


Comprehensive analysisComprehensive analysis

A comprehensive ISO 27002:2022 analysis

For organisations certified against ISO 27001, an ISO 27002:2022 gap analysis will assess your compliance against the 93 controls, clearly identify where your current ISMS fails to meet the requirements, and set out what needs to be implemented to prepare for certification to ISO 27001:2022.


ISO 27002 controls guidance

In ISO 27002:2022, the number of controls has decreased from 114 to 93. These controls are then categorised into four themes:

  • Organisational
  • People
  • Physical
  • Technological

24 existing controls have been merged, 58 updated and there are now 11 new controls to reflect the current cyber security landscape. These include:

  • Threat intelligence
  • Information security for the use of cloud services
  • Physical security monitoring
  • Configuration management
  • Information deletion and data leakage prevention


How can an ISO 27002 controls gap analysis help you?

Ensure your next ISO 27001 audit is a success: your company can plan and prepare for the 2022 changes with the help of an ISO 27002 controls gap analysis, which includes:

  • Comprehensive assessment against the 93 controls of ISO 27002
  • Identify where your ISMS needs to be updated
  • Clearly understand your conformity against each control with a RAG status report
  • Receive guidance on steps to take to achieve conformity from experienced ISO consultants
  • Full debrief call to discuss your report and any concerns with the findings

Why choose Bulletproof?

Our team of certified and experienced consultants help organisations of all sizes monitor and manage their information security. We understand that each organisation has unique processes and procedures, so we’ll work with you to understand your ISMS and provide appropriate advice on how you can easily address any areas of non-conformity.

We also offer additional solutions such as penetration testing, 24/7 security monitoring and assistance with other compliance engagements such as the GDPR and Cyber Essentials.


Here’s what our customers say about us

Start your ISO 27002 controls gap analysis today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.


ISO 27002 controls gap analysis FAQs

What is ISO 27002?

ISO 27002 is the set of technical controls referenced in Annex A of ISO 27001. It explains each control in more detail, describing what the control is, what its objective is and how to implement it. Consider it the user manual for the controls.

What’s the difference between ISO 27002 and ISO 27001?

  1. ISO 27001 is the central framework of the ISO 27000 series. It is the standard that defines how to implement an information security management system. It is made up of a series of clauses: clauses 4-10 define the management system requirements, and Annex A defines the information security controls that can be used to address the risks identified.
  2. ISO 27002 provides detail on the security controls, because while they are listed in Annex A of ISO 27001, the information provided there is very limited. In particular, it describes the objective of each control and how to implement it. It is important to note that an organisation cannot certify to ISO 27002, because it is only a supplementary standard; certification is only possible against ISO 27001.

Do I have to conform to the new ISO 27002 controls if I am already ISO 27001 certified?

Not yet, but you will eventually. Once the new version of ISO 27001 comes out (which is expected in the autumn of 2022) this will reference the new ISO 27002:2022 controls. It is widely expected that organisations will have two years from the date of the publication of the new ISO 27001:2022 to achieve certification against the new standard, however this is yet to be confirmed.

How many controls are there in ISO 27002?

There are 93 controls in 27002:2022, in comparison to the 114 controls in 27002:2013. In 27002:2013, controls were broken into 14 control sets. With 27002:2022, the structure has been changed to group the controls by four themes: People (8 controls), Organisational (37 controls), Technological (34 controls) and Physical (14 controls).

ISO 27002:2022 has also introduced 11 new controls which cover:

  • Monitoring activities
  • Physical security monitoring
  • Data masking
  • Data leakage prevention
  • Threat intelligence
  • Information security for use of cloud services
  • Information deletion
  • Secure coding
  • Configuration management
  • Web filtering
  • ICT readiness for business continuity

24 controls in the 2022 version have been formed by merging two, three or more controls from the 2013 version, which is why the overall number of controls has fallen.

Our experts are the ones to trust when it comes to your cyber security

Accreditations:

  • CREST approved
  • Payment Card Industry Data Security Standard
  • ISO 27001 certified
  • ISO 9001 certified
  • Government G-Cloud supplier
  • Crown Commercial Service supplier
  • Cyber Essentials
  • Cyber Essentials Plus