With security threats constantly evolving, organizations must stay on top of managing risk. ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) that protects the confidentiality, integrity, and availability of information. Since it was first released in 2005, ISO 27001 has helped organizations build and run their ISMS against a recognized, auditable baseline.
With the maturing of the cybersecurity industry and the shift to a remote workforce during the pandemic, changes to the standard were inevitable. The technologies and threats of 2013 are not the ones we face today.
The ISO 27001:2022 update modernizes the standard to keep pace with this changing landscape. It is the first major revision since the 2013 edition, so the changes are worth understanding in detail.
This article breaks down everything you need to know about those changes and provides advice for how to get (and stay) compliant.
Major Changes and Updates in ISO 27001:2022
Clauses 4 to 10 received only minor changes (terminology and restructured sentences); the substantive changes are in the Annex A controls. Here is a summary of those:
Control group changes. Controls that were previously grouped in 14 clauses (A.5 to A.18) are now grouped in 4 "themes":
- Organizational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
Reduction of Annex A controls. The 114 controls in ISO 27001:2013 have been reduced to 93. The decrease comes from merging redundant controls rather than dropping requirements: 57 of the 2013 controls were merged into 24 controls, 23 were renamed, 35 remained unchanged, and one control was split into two.
New controls implemented. Although the new version contains fewer controls overall, 11 controls are entirely new. They bring the control set up to date with current technology and practice. The 11 new controls are:
- Threat intelligence (A.5.7): Requires organizations to collect and analyze information about information security threats and act on it appropriately
- Information security for the use of cloud services (A.5.23): Requires processes for the acquisition, use, management, and exit from cloud services, in line with the organization's information security requirements
- ICT readiness for business continuity (A.5.30): Requires ICT readiness to be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements
- Physical security monitoring (A.7.4): Requires premises to be continuously monitored for unauthorized physical access
- Configuration management (A.8.9): Requires configurations, including security configurations, of hardware, software, services, and networks to be established, documented, implemented, monitored, and reviewed
- Information deletion (A.8.10): Requires information stored in systems, devices, or other media to be deleted when it is no longer required, for example when retention periods expire
- Data masking (A.8.11): Requires data masking to be used in accordance with the organization's access control policy and business requirements, to reduce exposure of sensitive information
- Data leakage prevention (A.8.12): Requires Data Leakage Prevention (DLP) measures to be applied to systems, networks, and other devices that process, store, or transmit sensitive information
- Monitoring activities (A.8.16): Requires networks, systems, and applications to be monitored for anomalous behavior, with appropriate action taken to evaluate potential information security incidents
- Web filtering (A.8.23): Requires access to external websites to be managed to reduce exposure to malicious content
- Secure coding (A.8.28): Requires secure coding principles to be applied to software development
Control attributes. Each control now carries a set of attributes (defined in ISO/IEC 27002:2022) that let organizations filter, sort, and view the control set in different ways and prioritize their work. The five attribute types are:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
What Does This Mean for Your Organization?
For organizations that are currently ISO 27001 certified, there is a three-year transition period to move to ISO/IEC 27001:2022. The transition audit can be performed together with a surveillance audit, as a stand-alone audit, or as part of a recertification audit. It may require additional audit time, because the auditor must determine whether your Information Security Management System (ISMS) meets the updated ISO 27001:2022 requirements.
Organizations that have not transitioned by October 31, 2025 will find that their ISO/IEC 27001:2013 certificate expires or is withdrawn on that date.
According to IAF MD 26, the transition audit must verify, at a minimum, that the organization has completed:
- A gap analysis against ISO 27001:2022
- An assessment of the changes the ISMS needs
- An updated Statement of Applicability (SoA)
- An updated risk treatment plan, where applicable
- Implementation of any new or modified controls in the organization's environment, and evidence that they are effective
- Corresponding updates to existing policies and procedures
For new organizations looking to get certified, the best time to prepare is now. The timing and resources required for these changes can be easily underestimated and waiting to get certified to the new standard could potentially leave your organization at greater risk.
Organizations can still be certified against ISO 27001:2013 until October 31, 2023 (the IAF later extended this cut-off for initial and recertification audits to April 30, 2024), but any organization certified to the 2013 edition must still complete the transition to the new standard by the end of the transition period in 2025, regardless of when it was originally certified.
Start Soon to Ensure Certification
Keeping sensitive information secure is a priority for every organization. Applying ISO 27001 demonstrates that effective security controls are in place and provides reasonable assurance that your information is protected against new and evolving threats.
Starting the certification process now will help you complete the transition on time and, more importantly, ensure your controls address the current threat landscape. With almost 10 years between these ISO updates, it is vital to keep your ISMS current. There is a lot to unravel in these changes, and knowing where to start with the transition is the hard part.
At Echelon Risk + Cyber, we are here to help with any uncertainty and assist with your ISO 27001 needs. We offer ISO 27001 program design and build, gap assessments, internal audit, penetration testing, and overall compliance management to help our clients achieve success.