What’s New in ISO 27001 2022?
The eagerly awaited update to ISO 27001 is finally here and, as expected, ISO 27001:2022 is not significantly different from ISO 27001:2013. There are some minor changes to the clause sections of the new version of the standard, such as the monitoring of information security objectives. The more significant changes are to Annex A, which is now aligned with the changes made to ISO 27002.
Here’s our summary of the changes in ISO 27001:2022.
Clause 4 – Context of the Organisation
When understanding the needs and expectations of interested parties the organisation now needs to determine which of these requirements will be addressed through the information security management system (ISMS).
Clause 6 – Planning
The information security objectives need to be available as documented information and they need to be monitored.
Clause 7 – Support
The requirements to define who will communicate and the processes for effective communication have been replaced by a requirement to define “how to communicate.”
Clause 8 – Operation
Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes. You also need to document that processes have been carried out as planned.
Clause 9 – Performance Evaluation
The organisation also needs to evaluate the information security performance and the effectiveness of the ISMS.
Methods of monitoring, measuring, analysing, and evaluating the effectiveness of the ISMS now need to be comparable and reproducible.
The management review must now also consider changes in the needs and expectations of interested parties rather than just record feedback from interested parties.
ISO 27001:2022 Annex A
Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.
What has changed in ISO 27002?
Firstly, the phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as guidance for the implementation of the information security controls detailed in Annex A.
ISO 27002:2022 is significantly longer and more detailed than the previous version, and the controls have been reordered and updated yet again!
Some controls have been removed, 24 of the controls have been merged and 58 have been revised. There are also 11 new security controls, which gives an overall total of 93 controls, down from 114 controls in ISO 27001:2013.
The controls are now organised into four security categories:
Organisational (37 controls)
People (8 controls)
Physical (14 controls)
Technological (34 controls)
What are the new ISO 27001:2022 Controls?
The completely new controls are:
5.7 Threat intelligence - Information relating to information security threats should be collected and analysed to produce threat intelligence.
5.23 Information security for use of cloud services - Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
5.30 ICT readiness for business continuity - ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
7.4 Physical security monitoring - Premises should be continuously monitored for unauthorised physical access.
8.9 Configuration management - Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
8.10 Information deletion - Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
8.11 Data masking - Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
8.12 Data leakage prevention - Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
8.16 Monitoring activities - Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
8.23 Web filtering - Access to external websites should be managed to reduce exposure to malicious content.
8.28 Secure coding - Secure coding principles should be applied to software development.
Each control also has five attributes, which make the controls easier to categorise:
Control Type (preventive, detective, corrective)
Information Security Properties (confidentiality, integrity, availability)
Cybersecurity Concepts (identify, protect, detect, respond, recover)
Operational Capabilities (governance, asset management, etc.)
Security Domains (governance and ecosystem, protection, defence, resilience)
When do you need to Implement the Changes to ISO 27001?
The word on the street is that organisations already certified to ISO 27001:2013 will get 36 months to update to the new version of the standard.
When can my Organisation get Certified to ISO 27001:2022?
The new version of the standard was only released on the 25th October 2022, and it will take the ISO 27001 certification bodies quite a while to get up to speed with the new standard and train their auditors. The certification bodies will then also need to be accredited by the likes of UKAS before they can conduct ISO 27001 audits against the new version of the standard. Again, the word on the street is that it will be at least April 2023 before the ISO 27001 certification bodies begin to certify organisations to ISO 27001:2022.
How can Romano Security Consulting help with ISO 27001?
If you are thinking of updating your existing ISO 27001 ISMS to the new ISO 27001:2022 standard, we can help you decipher the new requirements. If you are starting from scratch and looking at implementing ISO 27001:2022, we’d be happy to guide your organisation through the ISO 27001 certification process. For more information, please click here to see our ISO 27001 webpage or contact us today.