
ISO/IEC 27002:2022 updated: what does it mean for your security awareness programme?

ISO/IEC 27002:2022 makes awareness more explicit: demonstrable, role-based and repeated. What changed, and how to set up your programme without turning it into a tick-box exercise.


From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Founder & Security Awareness Specialist · 2LRN4

ISO/IEC 27002 was revised in 2022, and that matters for organisations across Europe that work with ISO 27001/27002 or with frameworks derived from them. In the 2022 edition, security awareness is positioned more prominently and worded more explicitly. The standard pushes harder on demonstrability, on role-based learning and on repetition. This article shows what changed and how to set up your awareness programme accordingly.

What changed in ISO/IEC 27002:2022?

The update mainly affects where awareness sits in the standard and how it is worded:

  • Awareness now sits explicitly in the people controls: control 6.3, "Information security awareness, education and training", takes the place of 7.2.2 in the 2013 edition, where it was filed under human resource security.
  • The wording is tighter: less optional language, more concrete expectations about who is trained, on what, and how often.
  • Demonstrability weighs more heavily: you must not only do something, but also be able to show that it works.

What this means for your programme

In practice this means that isolated, one-off training sessions no longer suffice. You must be able to show that awareness is set up structurally, fitting the roles and risks in your organisation.

ISO/IEC 27002:2022 therefore asks for a programme that meets four characteristics:

  • Role-based: different audiences receive attention for the risks that apply to them.
  • Repeatable: a fixed rhythm, with attention at onboarding and periodic refreshers.
  • Measurable: participation, progress and results are recorded.
  • Practical: recognisable situations and little jargon, so the message lands.

How to approach this concretely

Start with a short risk inventory per audience, so you know which topics are relevant to whom. Build a programme of short, recurring modules on top of that, rather than one long annual session, and include awareness in onboarding.

Then record systematically who completed what, which topics you cover and how often you repeat them. Add results, such as the report rate in phishing simulations. That combination of records and results is exactly the evidence an auditor wants to see: ISO 27001 clause 7.2 explicitly asks you to retain documented information as evidence of competence, and the awareness records are the natural place to keep it.
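To make "measurable" concrete, the following is an added example (not code from the page or from 2LRN4) that turns the records described above into the per-role figures an auditor would ask for: the share of required modules that are current, the specific people whose refresher is missing or overdue, and the report and click rate per role from a phishing simulation. Every role, module, refresher cadence, person and record in it is constructed sample data; the cadences are assumptions, since the standard prescribes no fixed frequency.

```python
"""Per-role awareness evidence: completion, refresher status and phishing report rate.

Added example, not code from the page or from 2LRN4. All roles, modules,
cadences, people and records below are constructed sample data.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed: modules each role must complete, and the assumed refresher cadence per module.
REQUIRED_MODULES = {
    "finance":   {"phishing", "invoice_fraud"},
    "developer": {"phishing", "secrets_handling"},
    "hr":        {"phishing", "data_handling"},
}
REFRESH_DAYS = {"phishing": 90, "invoice_fraud": 365, "secrets_handling": 180, "data_handling": 365}

# Constructed: staff register (person -> role) and training completion records.
STAFF = {"ann": "finance", "bob": "finance", "cid": "developer", "dee": "developer", "eve": "hr"}
COMPLETIONS = [
    ("ann", "phishing", date(2024, 1, 10)),
    ("ann", "invoice_fraud", date(2024, 1, 12)),
    ("bob", "phishing", date(2023, 9, 1)),       # older than 90 days on 1 March 2024: overdue
    ("cid", "phishing", date(2024, 2, 5)),
    ("cid", "secrets_handling", date(2024, 2, 6)),
    ("dee", "phishing", date(2024, 2, 5)),       # never completed secrets_handling
    ("eve", "phishing", date(2024, 1, 20)),
    ("eve", "data_handling", date(2024, 1, 21)),
]

# Constructed: one phishing simulation round as (person, reported, clicked).
SIMULATION = [
    ("ann", True, False), ("bob", False, True), ("cid", True, False),
    ("dee", False, False), ("eve", True, False),
]

# Reporting date used for the refresher check (an assumption for the sample data).
AS_OF = date(2024, 3, 1)


def latest_completions(completions):
    """Most recent completion date per (person, module); repeats only keep the newest."""
    latest = {}
    for person, module, day in completions:
        key = (person, module)
        if key not in latest or day > latest[key]:
            latest[key] = day
    return latest


def coverage_by_role(staff, completions, as_of):
    """Per role: fraction of required (person, module) pairs that are current on as_of,
    plus the gaps (missing or overdue) an auditor would ask about."""
    latest = latest_completions(completions)
    done, total, gaps = defaultdict(int), defaultdict(int), defaultdict(list)
    for person, role in staff.items():
        for module in sorted(REQUIRED_MODULES[role]):
            total[role] += 1
            day = latest.get((person, module))
            if day is None:
                gaps[role].append((person, module, "missing"))
            elif as_of - day > timedelta(days=REFRESH_DAYS[module]):
                gaps[role].append((person, module, "overdue"))
            else:
                done[role] += 1
    return {role: {"current": done[role] / total[role], "gaps": gaps[role]} for role in total}


def report_rate_by_role(staff, simulation):
    """Per role: share of recipients who reported the simulated phish, and share who clicked."""
    reported, clicked, n = defaultdict(int), defaultdict(int), defaultdict(int)
    for person, did_report, did_click in simulation:
        role = staff[person]
        n[role] += 1
        reported[role] += int(did_report)
        clicked[role] += int(did_click)
    return {role: {"report_rate": reported[role] / n[role], "click_rate": clicked[role] / n[role]}
            for role in n}


if __name__ == "__main__":
    for role, c in coverage_by_role(STAFF, COMPLETIONS, AS_OF).items():
        print(f"{role}: {c['current']:.0%} current, gaps={c['gaps']}")
    for role, r in report_rate_by_role(STAFF, SIMULATION).items():
        print(f"{role}: report rate {r['report_rate']:.0%}, click rate {r['click_rate']:.0%}")
```

Run as-is, the sample data shows finance at 50% current (one missing module, one overdue refresher, both for the same person), developers at 75%, and HR fully current; the report rate sits at 50% for finance and developers and 100% for HR. The two tables are deliberately kept separate: completion records prove the programme ran, simulation results show whether it changed behaviour, and an auditor will want both.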

From one-off to routine: repetition counts

The biggest gain is in repetition. Awareness works like any habit: through predictability and repetition. Think of monthly themes, short modules, microlearning and targeted phishing simulations, run not as a test to catch people out but as practice in recognising a suspicious message and reporting it, so that the report rate rises over time.

That way you not only meet the standard, you also demonstrably raise your organisation's resilience. Across Europe this aligns well with NIS2; in individual countries it maps onto national public-sector baselines. One well-designed programme serves these frameworks at once.


FAQ

What changed for awareness in ISO/IEC 27002:2022?

Awareness is positioned more explicitly within the people controls, the wording is more concrete, and demonstrability weighs more heavily. One-off training no longer suffices; structural, role-based learning is expected.

How does 27002 relate to ISO 27001?

ISO 27002 provides the implementation guidance for the controls in Annex A of ISO 27001. Anyone certified or seeking certification benefits from a role-based, measurable awareness programme in line with 27002:2022.

How often should awareness training take place?

The standard does not prescribe a fixed frequency but expects a planned, continuous process. Short, regularly recurring modules work better than one annual session. Include awareness in onboarding, and repeat or refresh it when something relevant changes, such as a new role, new tooling or an incident in your own organisation.

What is the most important step?

Repetition rather than a one-off. Set up a recurring, role-based programme with measurable participation, instead of an annual mandatory training.

How does this align with national baselines and NIS2?

Most national baselines build on ISO 27001/27002, so a 27002-compliant awareness programme also covers them. NIS2 likewise requires risk-based, continuous and demonstrable learning. One good programme serves all of them.

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.