
Key Aspects of the Updated ISO/IEC 27001:2022 Standard

21.08.2023
The ISO/IEC 27001 standard is an essential requirement for businesses of all sizes and industries. It serves as an indispensable guide for the development, implementation, maintenance and continuous improvement of information security management systems. Those interested in this topic are already aware of an important announcement: a new version of ISO/IEC 27001 has been released. In this article, we will reveal what is new in the updated version of ISO/IEC 27001:2022, which was released in October 2022.
The catalogue of security controls was published as early as February 2022, which indicates that changes to the list in the new standard were foreseen in advance.
In general, ISO/IEC 27001:2022 provides a description of the structure of an information security management system (ISMS) that can be used by companies of all sizes and in all industries. The information security management system (ISMS) is becoming increasingly important due to the relevance of risk management issues for many companies. In today’s world, where new cyber threats emerge almost daily and continuous change is becoming normal, the ability of companies to protect their business processes and information is becoming increasingly important. Identifying such risks and managing them effectively has become an important skill.
The new version of the standard pays special attention to best practices in risk management. The list of information security controls included in the official Annex A to ISO/IEC 27001:2022 is based entirely on the revised guidance of ISO/IEC 27002:2022.
The ISO/IEC 27001:2022 standard has introduced some innovations and changes compared to the previous version.
So, let’s take a look at some of the key changes that are worth paying attention to. Let’s start with the main one – changes have been made to the management system. The text of mandatory clauses 4 to 10 was only partially changed, mainly to bring it in line with ISO 9001, ISO 14001 and other management system standards.
Here are the clauses of ISO 27001:2022 that have been changed:
● A new subparagraph (c) has been added to paragraph 4.2, Understanding Stakeholder Needs and Expectations. This change requires an analysis to determine which specific stakeholder requirements should be met by the Information Security Management System (ISMS). This helps to better address the expectations of the various parties that influence the organisation’s information security.
● The changes also affected paragraph 4.4, Information Security Management System. A phrase has been added that states the need to plan processes and their interaction within the Information Security Management System (ISMS). This emphasises the importance of a structured and coordinated approach to information security management within an organisation.
● In paragraph 5.3, Roles, Responsibilities and Authorities within the Organisation, a phrase was added to clarify that roles are shared within the organisation. This highlights the internal dynamics and cooperation between different roles within information security management processes.
● A new subparagraph (d) was added to paragraph 6.2, Information Security Objectives and Planning for Achieving Them, which requires monitoring the achievement of information security objectives. This indicates the need for systematic monitoring and evaluation of the effectiveness of the established goals and their achievement within the information security management system.
● Paragraph 6.3, Change Planning, has been amended to indicate that any changes to the Information Security Management System (ISMS) should be made in accordance with the planned procedure. This emphasises the importance of an organised and systematic approach to making changes to the system to ensure its effectiveness and security.
● Section 7.4, Communications, was amended by removing paragraph (d), which required processes for communications to be in place. This change may indicate greater flexibility in the approach to organising communication processes in an ISMS.
● Paragraph 8.1, Operational Planning and Control, was supplemented with new requirements that provide for the establishment of criteria for security processes and ensuring their implementation in accordance with these criteria. Also, the requirement to implement plans to achieve goals was removed from this clause.
● The changes have affected paragraph 9.3, Management Review. A new paragraph 9.3.2 (c) was added, which states that input from stakeholders should reflect their needs and expectations and address information security aspects.
● The last paragraph that was changed was paragraph 10, Improvements. The subparagraphs have been swapped, so the first one is Continuous Improvement (10.1), and the second one is Non-Compliance and Corrective Action (10.2). The text of these clauses has not changed.
At first, it may appear that Annex A has changed significantly: the number of controls has been reduced from 114 to 93, and it now consists of four sections, compared to 14 sections in the previous 2013 version. However, a closer look reveals that the changes to Annex A are not significant. New components have been added – organisational and physical controls. It is important to emphasise that no elements of control have been removed, and many of them have been combined, resulting in a reduction in the total number. It is also worth noting that hashtags can now be used to facilitate search and navigation.
In ISO/IEC 27001:2022, the control objectives have been cancelled, and the controls have been revised, updated and supplemented. As a result, the list of controls in Annex A has become clearer, more up to date and organised into four main domains:
1. Organisational Controls (Process and Policies) (includes 37 measures);
2. Personal controls (People) (includes 8 measures);
3. Physical controls (Physical) (includes 14 measures);
4. Technical controls (Technological) (includes 34 measures).
In total, Annex A of the new version of ISO 27001:2022 now contains 93 controls, with 11 new ones added, in particular:
1. Threat analytics
2. Information security when using cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Deletion of information
7. Data masking
8. Preventing data leakage
9. Activity monitoring
10. Web filtering
11. Secure coding
Annex A is limited to a list of controls. However, the ISO/IEC 27002:2022 implementation guide provides a way to classify them. Each control is assigned five attributes that can be used for filtering or sorting:
● Type of control. An attribute that represents the controls in terms of how they affect information security risks.
● Information security properties. An attribute for a control in terms of what its purpose is.
● Cybersecurity concepts. An attribute that analyses the relationship of controls to the cybersecurity framework described in ISO/IEC TS 27110.
● Operational capability. An attribute that assesses the capability of controls in the context of information security.
● Security domains. An attribute that analyses controls in terms of four information security domains.
To comply with the new requirements of ISO 27001:2022, there are four main steps to take.
● Step one – Review the risk register and the risk handling methods applied to ensure compliance with the revised standard.
● Step two – Revise the Statement of Applicability (SoA) to align with the revised Annex A.
● Step three – Review and update documentation, including policies and procedures, to ensure they meet the new control requirements.
● Step four – Get audited against the new version of ISO 27001:2022.
The ISO certification is valid for 3 years, with mandatory surveillance audits in years 2 and 3. These surveillance audits, unlike full system audits, are shortened assessments to verify that the certified client’s management system remains compliant with the requirements of ISO 27001.
What will happen to companies that have already been certified under the previous version of ISO 27001:2013?
There is no need to worry, as the old version of the standard can be used until 31 October 2025. After that, any ISO 27001 audit must be based on the new version. Also, those who plan to be certified in the near future can obtain a certificate according to the old version until 30 April 2024, but they are required to switch to the new version of ISO/IEC 27002:2022 within the first year. Technical surveillance will also be conducted according to the new version.
We recommend that our clients prepare for and obtain certification under the new standard. If you wish to be certified under the previous version, this may require double preparation and a double audit. We invite you to schedule a meeting with us so we can review the possibilities and develop a plan for obtaining ISO/IEC 27002:2022 certification specifically for your company.
