ISO 27001 Changes: What’s New in 2022

Given the rapidly changing environment in Cyber Security, many security standards are updated every few years. That has not been the case with ISO/IEC 27001, a fully risk-based standard designed to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The current operating version, ISO 27001: 2013, is widely utilized globally and certification is accepted in 168 countries worldwide.

As one of the most highly regarded information security standards on the planet, it is somewhat surprising that it hasn't been updated in nearly a decade. But the wait is coming to an end. After delays caused largely by the pandemic, the International Standards Organization (ISO) is expected to release a new version of the ISO/IEC 27001 Standard by the end of 2022.

What is Changing

The critical elements required for certification in the first half of ISO 27001: 2013, Clauses 4-10, are not expected to change in the 2022 version to come. In February this year, however, ISO released ISO 27002: 2022, which replaces the earlier version, ISO 27002: 2013.

ISO/IEC 27002 essentially mirrors all the Annex A controls in ISO 27001 and provides very detailed implementation guidance for each control. When the new version of ISO/IEC 27001 is released, expect the Annex A controls to match those in the new ISO 27002: 2022. So, we can take the ISO/IEC 27002: 2022 as a useful guide on what to expect.

It's important to note that, unlike the clauses in the first half of the ISO/IEC 27001 document, which must be met completely for ISO 27001 certification, ISO 27002 controls are not mandatory. They are a reference set of generic information security controls that are designed to be used by organizations:

  • Within the context of an information security management system (ISMS) based on ISO/IEC 27001
  • For implementing information security controls based on internationally recognized best practices
  • For developing organization-specific information security management guidelines

In the 2022 update, the number of controls has decreased from 114 to 93, and the controls are now placed in 4 sections instead of the previous 14. The decrease in controls is a result of mergers, not removal.

The following 11 new controls have been added:

A.5.7 Threat intelligence

This control requires organizations to collect and analyze information about threats and mitigate them appropriately. Types of information could include data about specific attacks, methods the attackers are using, and types of attacks. Information should be gathered internally, and from external sources such as vendor reports, government bodies, and industry announcements.

A.5.23 Information Security for Use of Cloud Services

Requires that security requirements for cloud services are set for the protection of sensitive information in the cloud. Included in this control should be policies on buying, utilizing, managing, and ending the use of cloud services.

A.5.30 ICT Readiness for Business Continuity

This control requires that people, processes, and systems are prepared in the event of disruptions so that key information and assets are available when required.

A.7.4 Physical Security Monitoring

Sensitive areas must be monitored to ensure only authorized personnel can access them. This could include offices, production facilities, warehouses, and other key physical premises.

A.8.9 Configuration Management

This requires the management of device configurations for security in all technologies and systems. The intent is consistency in security levels and control of unauthorized changes.

A.8.10 Information Deletion

This addresses deletion of data when no longer needed or when storage times exceed documented retention periods. The intent is to control the potential for leakage of sensitive data and to comply with any relevant privacy and other requirements. Deletions could include data in IT systems, removable media, or cloud services.

A.8.11 Data Masking

This control requires that data masking is used in combination with appropriate access controls to reduce the likelihood of exposure of sensitive information. This control is particularly focused on personal data, which is strongly regulated via privacy regulations in jurisdictions such as the EU, but it also applies to other forms of sensitive data as relevant to the organization.

A.8.12 Data Leakage Prevention

This control requires the application of Data Leakage Prevention (DLP) measures to avoid unauthorized disclosure of sensitive information. It also covers the inclusion of measures for the detection of incidents in a timely manner.

A.8.16 Monitoring Activities

This requires the management and monitoring of systems to identify unusual activity and to instigate appropriate incident responses.

A.8.23 Web Filtering

This control requires the management of security measures for all websites that users can access to ensure the protection of IT systems.

A.8.28 Secure Coding

This control requires that secure coding principles are applied to software development so that security is built into software from the start rather than added afterwards.

Using a risk assessment, organizations can determine which controls they need to meet. Selection is driven by the need to mitigate known risks identified in the Risk Analysis described in Clause 6 of ISO/IEC 27001:2013, which is mandatory for certification.

The changes in controls from ISO/IEC 27001:2013 to the new set described in ISO/IEC 27002: 2022 are not insignificant but were made primarily to more closely align with contemporary needs and to simplify the implementation.

The Timeline for ISO 27001 Changes

As indicated, the release of the ISO/IEC 27001: 2022 Standard is expected sometime in Q4 this year.

Assuming the change follows the typical pattern of new ISO Standard releases, accreditation bodies will grant a 12-24-month grace period, giving you time to update processes and documentation, train employees, etc. This means that, if your ISMS is already certified, any recertification audit scheduled in 2022 will be under the 2013 Standard.

If you are currently planning for your first certification and expect to get your ISMS certified for the first time in 2022 or early 2023, the 2013 Standard will also apply.

What this means is that organizations should plan to start implementing the elements of the new Standard in 2023, whether re-certifying or certifying for the first time, and fully transition in the middle or second half of 2023, depending on certification dates. The 2013 Standard will likely be sunset sometime in 2024.

CompliancePoint has a team of experts that are deeply experienced in all aspects of ISO 27001 and many allied ISO Security Standards applicable to companies of any type and size. For organizations looking for assistance in the ISO 27001 journey towards Certification for the first time, or if you are already certified and need help with maintaining your ISMS and getting through the next audit, CompliancePoint can help you.

Transition to the new Standard will be a necessity for currently certified clients, and those on their first journey will need advice on timing. Wherever you are on the journey, having a Trusted Advisor is essential. Let us be your guide. Contact us at connect@CompliancePoint.com so we can simplify the process for you.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.