What’s new in ISO 27001:2022?


The internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, integrity, and availability of an organization's information assets, has been updated: a new edition was released on October 25, 2022 to address the new and evolving security challenges organizations now face.

The ISO/IEC 27001:2022 standard has undergone several notable modifications: a significant change to Annex A, minor updates to the clauses, and a change to the standard's title. The most recent version of ISO/IEC 27002 was released at the start of 2022, and its revisions carried through into ISO/IEC 27001. The full title of the new edition, which differs from that of ISO/IEC 27001:2013, is ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements.

Minor Updates:

The new standard adds the following requirements in the main clauses:

  1. In clause 4.2 c) Understanding the needs and expectations of interested parties, a new requirement is added: the organization shall determine which of the requirements of interested parties will be addressed through the ISMS.
  2. In clause 4.4 Information security management system, the ISMS is now required to include the processes needed and their interactions.
  3. A new clause 6.3 Planning of changes has been added to the main part of the standard: when the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner.
  4. In clause 8.1 Operational planning and control, new requirements have been added for establishing criteria for the processes and implementing control of the processes in accordance with those criteria.
  5. Clause 9.3 Management review has been altered slightly by adding a new requirement: the management review shall consider changes in the needs and expectations of interested parties that are relevant to the ISMS.

In addition to the new requirements, clauses 10.1 and 10.2 are swapped in the new version of the standard: Continual improvement is now 10.1 and Nonconformity and corrective action is now 10.2.

Major Updates:

Annex A of the new standard has been restructured so that the controls are grouped into 4 themes:

  1. Organizational Controls (37 controls)
  2. People Controls (8 controls)
  3. Physical Controls (14 controls)
  4. Technological Controls (34 controls)

In the new standard, 35 controls are unchanged, 23 have been renamed, 57 have been merged into 24, and 1 has been split into 2; 11 controls are new. The 2013 edition had 114 controls divided into 14 sections; the 2022 edition has 93 controls divided into the 4 themes above. The controls added in the new version are as follows:

  1. Threat Intelligence (5.7)
  2. Information security for use of cloud services (5.23)
  3. ICT readiness for business continuity (5.30)
  4. Physical security monitoring (7.4)
  5. Configuration management (8.9)
  6. Information deletion (8.10)
  7. Data masking (8.11)
  8. Data leakage prevention (8.12)
  9. Monitoring activities (8.16)
  10. Web filtering (8.23)
  11. Secure Coding (8.28)

Compliance with the new ISO 27001:2022 Standard

Certified organizations have a three-year transition period, ending October 31, 2025, to update their management system to the new edition of ISO 27001, so there is time to make the necessary modifications. It is still worth checking whether you need to switch earlier, because some certification bodies may stop granting certification to the 2013 edition before then. If your recertification falls within the transition period, do not leave the work until the last minute: the new control set has to be reflected in your risk treatment plan and Statement of Applicability before the audit, and that takes time.

A practical benefit of the new control set is that each control in ISO/IEC 27002:2022 carries attributes (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains), which makes it easier to filter and group controls when selecting them. This can show where security processes can be better integrated or where the compliance burden can be reduced, making the ISMS simpler to implement and manage.

Conclusion

ISO 27001 describes the framework for an information security management system (ISMS) and applies to all organizations, regardless of structure, size, or sector. Risk management is central to it. Evolving cyber threats continually exploit new weaknesses in organizations to target and compromise information flows, and therefore business operations. The organization must identify and manage the risks these threats pose to confidentiality, integrity, and availability, the three fundamental protection objectives in information security.

The ISO/IEC 27001:2022 update offers current management practice for these information security issues. The revised ISO/IEC 27002:2022 guidance served as the basis for the list of possible information security controls in the normative Annex A of the new ISO/IEC 27001:2022 standard. That implementation guidance, with its simpler taxonomy and modernized security controls, was already published in February 2022. With the publication of ISO/IEC 27001:2022, the 27001/27002 pair and its recommended measures are once again state of the art.