ISO 27001: 2022 has been Published

This article was updated to reflect ISO 27001: 2022 being published in October of 2022.

With the publication of ISO 27001: 2022, the highly regarded international security standard has been updated for the first time in nearly a decade.

Clauses 4-10 are the critical elements required for ISO 27001 certification. The changes to those clauses are minimal compared to the 2013 version. However, there are significant changes in the Annex A controls which comprise the second half of the 2022 release. 

ISO 27001 Changes in Clauses 4-10

Clause 4.2: More information for the requirements of interested parties

Clause 4.4: Allows for the alignment with other ISO standards

Clause 5: No significant changes

Clause 6.2: Now requires objectives to be monitored throughout the certification lifecycle

Clause 6.3: A new “Planning for Changes” clause states that changes to the information management security system be conducted in a planned manner.

Clause 7.4: Removal of the requirement for setting up processes of communication

Clause 8.1: Now provides more clarity for implementing an ISMS

Clause 9.1: Adds clarity to what can be considered a “valid” result

Clauses 9.2 & 9.3: Slightly different structure and an additional Management Review requirement

Clauses 10.1 and 10.2: Order has been reversed with no change or addition.

ISO 27001 Annex A Control Changes

The changes in Annex A controls from the 2013 to 2022 versions of ISO 27001 are significant but primarily to more closely align the structure and form with current technologies and refine control groupings by aligning them to common control attributes such as people controls, organizational controls, Physical controls.

For 2022, the number of controls has decreased from 114 to 93 and are placed in 4 sections instead of the previous 14. The decrease in controls is a result of mergers, not removal.

Through the Risk Assessment in Clauses 6 and 8 organizations determine the controls will be used to support the ISMS. Selection is driven by the need to mitigate known risks in the Risk Analysis.

The following 11 new controls have been added as indicated above to reflect contemporary technology requirements:

A.5.7 Threat intelligence

This control requires organizations to collect and analyze information about threats and mitigate them appropriately. Types of information could include data about specific attacks, methods the attackers are using, and types of attacks. Information should be gathered internally, and from external sources such as vendor reports, government bodies, and industry announcements.

A.5.23 Information Security for Use of Cloud Services

Requires that security requirements for cloud services are set for the protection of sensitive information in the cloud. Included in this control should be policies on buying, utilizing, managing, and ending the use of cloud services.

A.5.30 ICT Readiness for Business Continuity

This control requires that people, processes, and systems are prepared in the event of disruptions so that key information and assets are available when required.

A.7.4 Physical Security Monitoring

Sensitive areas must be monitored to ensure only authorized personnel can access them. This could include offices, production facilities, warehouses, and other key physical premises.

A.8.9 Configuration Management

This requires the management of device configurations for security in all technologies and systems. The intent is consistency in security levels and control of unauthorized changes.

A.8.10 Information Deletion

This addresses deletion of data when no longer needed or when storage times exceed documented retention periods. The intent is to control the potential for leakage of sensitive data and to comply with any relevant privacy and other requirements. Deletions could include data in IT systems, removable media, or cloud services.

A.8.11 Data Masking

This control requires that data masking is used in combination with appropriate access controls to reduce the likelihood of exposure of sensitive information. This control is particularly focused on personal data as this is strongly regulated via privacy regulations for example in jurisdictions such as the EU this also applies to other forms of sensitive data as relevant to the organization.

A.8.12 Data Leakage Prevention

This control requires the application of Data Leakage Prevention (DLP), measures to avoid unauthorized disclosure of sensitive information This also covers the inclusion of measures for the detection of incidents in a timely manner.

A.8.16 Monitoring Activities

This requires the management and monitoring of systems to identify unusual activity and to instigate appropriate incident responses.

A.8.23 Web Filtering

This control requires the management of security measures for all websites that users can access to ensure the protection of IT systems.

A.8.28 Secure Coding

This control requires the establishment of secure coding techniques to apply to internal software development. The intent is to reduce security vulnerabilities in software development and includes the entire development process from design, coding, QA testing, and deployment.

Timeline

With ISO/IEC 27001: 2022 now published, the timeline for organizations to implement it has been clearly laid out.

Organizations that are currently certified will have until late 2025 to transition to the 2022 standard. Organizations that are working to get certified can certify against the 2013 standard until October of 2023. They will then have 2 years to transition to the 2022 standard.

Transition to the new Standard for currently certified clients will be a necessity and for those on the first journey, you will need advice on timing. Wherever you are on the journey, having a Trusted Advisor is essential. Let us be your guide. Contact us at connect@CompliancePoint.com so we can simplify the process for you.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.