In 2013, the International Organization for Standardization (ISO) released a revised 27001 framework outlining best practices to help organizations manage the security of their information assets. Ten years later, it remains a globally recognized information security standard that with over 40,000 organization certifications. Holding an ISO 27001 certification shows that an organization has invested in its people, processes, and technology to protect their data – and provides an expert assessment of whether your data is sufficiently protected.
In October 2022, another 27001 revision was published and rebranded as a “reference set of information security controls”. Organizations with current ISO27001:2013 certifications have been given a 3-year transition window to accommodate implementation, and it is expected that certification bodies will not begin to offer ISO 27001:2022 certifications for at least six months following the original publication.
Luckily for companies that need to comply with this standard, changes made to ISO 27001:2013 are not particularly significant, but worth noting when preparing for certification. Shown below are some of the key updates to plan for:
The number of clauses has not changed, but verbiage has been updated to align with other ISO standards.
- 4.2 Needs and Expectations: A sub-clause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.
- 4.4 Information Security Management System: New language was added requiring organizations to identify necessary processes and their interactions within the ISMS.
- 5.3 Roles, Responsibilities, and Authorities: Language clarified that communication of roles relevant to information security are to be communicated within the organization.
- 6.2 Objectives and Planning: Includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.
- 6.3 Planning of Changes: Added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned for.
- 7.4 Communication: Sub-clauses d and e have been simplified and merged into the renamed sub-clause d: “how to communicate”.
- 8.1 Operational Planning and Control: Additional guidance was added for operational planning and control. The ISMS is now required to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.
- 9.2 Internal Audit: This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.
- 9.3 Management Review: New changes clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties.
- 10 Improvement: Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.
Changes to Annex A security controls are generally considered to be moderate, though structurally it has seen the biggest overhaul. There are 11 new controls, primarily due to existing controls being merged together bringing the total from 114 to 93. For much-needed simplification and clarity, sections grouping these controls have been reduced from 14 to 4. The remaining controls have been unchanged or simply renamed. Requirements for controls remain largely the same, and only one control was split in to two separate controls while retaining its same requirements from the previous version.
The new Sections of ISO 27002:2022 are:
- Section 5: Organizational
- Section 6: People
- Section 7: Physical
- Section 8: Technology
The 11 new controls added:
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 5.7 Threat Intelligence
- 7.4 Physical security monitoring
- 8.1 Data masking
- 8.9 Configuration management
- 8.10 Information deletion
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Despite the long wait for updates to 27001:2013, changes were fairly minimal and should not present a huge challenge for companies needing to stay in compliance. We are here to help every step of the way for those in need of guidance and implementation. For assistance with readiness, auditing, and/or remediation for ISO 27001:2022 book an appointment today with our experts!
