New ISO 27001:2022 standard released
Changes To The ISO 27001:2022 Standard
The International Organization for Standardization (ISO) published the new version of the 27001 information Security Management Systems standard on 25 October 2022.
The last revision was almost a decade ago, in 2013, and professionals have been awaiting a new version for some time. The update is a significant improvement and further alignment with other (information) security standards. Terminology has been updated and vulnerabilities associated with the use of cloud technology are specifically addressed.
What Has Changed In ISO 27001:2022?
Major changes in the standard are in the annex, with a new structure of the domains. Other changes include the improvement of the readability and enable a more practical application of the document. The Annex has been simplified (with a reduction of the number of controls from 114 to 93), and has a more pragmatic approach. The terminology section is improved, and there are only a few minor new requirements.
To align the standard with other security frameworks, the annex controls are now grouped into four themes. These themes are People, Organisational, Technological and Physical. These 93 controls in these domains include 11 new controls (see below), 24 merged controls from the historic annex, and 58 controls where descriptions have been updated – some of them only had some changes in terminology to improve the readability.
New ISO 27001:2022 Controls
To make the standard future-proof and to include emerging risks, a set of new controls is introduced in the ISO 27001:2022 Annex. These new controls include:
- Threat intelligence
- Physical security monitoring
- Configuration managemen
- Information deletion
- Data masking
- Data leakage prevention
- Web filtering
- Information security for use of cloud services
Merged ISO 27001:2022 Controls
57 controls have been merged into 24 controls. Two examples are:
-
The controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security are merged into
-
5.1 Policies for information security -
Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas are merged into
-
7.2 Physical entry
Control Attributes In The Annex
In addition, the controls have five types of attributes to categorise them:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)
Transition Period
Initial certification applicants can be audited against the 2013 revision of ISO 27001 for a period of up to 12 months from the last day of the publication month. As the publication was released on 25 October 2022, new certification applicants can be audited against the 2013 revision until 31 October 2023. As the certification has a three-year re-certification cycle, these organisations need to be transitioned to the new 2022 standard before 31 October 2025. For organisations that received the ISO 27001:2013 certification after a positive audit conclusion, the expiration of the current certification cycle will not be changed.
Changes In The Statement Of Applicability
As most changes are in the controls in the annex, the current Statement of Applicability needs to be reviewed. This review is likely to lead to updates to risk assessment and treatment plans as controls are updated and consolidated.
How SecurityBase Assists With Transitioning To ISO 27001:2022
SecurityBase can assist organisations transitioning from ISO 27001:2013 to ISO 27001:2022. We have purpose build tools to conduct a gap-analysis, update the Statement of Applicability and review the newly introduced controls. Please contact us if you like more information about these services.
