The new version of the ISO/IEC 27001:2022 standard represents a significant update to the international standard for information security management. This version of the standard contains significant changes and innovations that will help organizations improve their information security and protect their confidential information. In this article, we will discuss three key differences between the new version of the ISO 27001:2022 standard and the previous version.
Publication of New Version of ISO 27001 Certification
The new version of the ISO/IEC 27001:2022 was first published on October 25, 2022. Some of the major updates include a major change to Appendix A, minor updates to terms, and a change in the title of the standard.
The latest version of the ISO/IEC 27002 was published in early 2022, and its latest changes also affected the ISO/IEC 27001.
Key Changes in ISO/IEC 27001:2022
The new version of the ISO/IEC 27001:2022 standard contains several noticeable changes, but they largely relate to Annex A and to the general structure used in new ISO management system standards, rather than to information security itself:
Context and scope: You now need to identify "relevant" stakeholder requirements and determine which requirements will be considered within the ISMS. The ISMS now explicitly includes "necessary processes and their interaction."
Planning: Information security objectives must be monitored and made available as documented information. A new section on planning changes to the ISMS has been introduced. It does not specify which processes must be included, so it is necessary to determine how to demonstrate that changes to the ISMS were planned.
Support: Requirements for identifying who will communicate and the communication processes have been replaced with a requirement to identify how communication will be carried out.
Actions: The requirement to develop a plan to achieve information security objectives has been replaced with a requirement to establish criteria for the processes that implement the actions defined in section 6 and to monitor these processes in accordance with the criteria. Organizations now need to control "external processes, products, or services" related to information security, not just processes.
Transition Period for ISO 27001:2022 Standard
The new version of the ISO/IEC 27001:2022 standard, which establishes requirements for cybersecurity management systems (CMS), was released on October 25, 2022. Accredited certification bodies are given a 12-month transitional period counted from the last day of the month of release, i.e., until October 31, 2023, to transition to the new version.
Organizations themselves, on the other hand, are given 36 months from the last day of the month of release (i.e., until October 31, 2025) to transition to the new version.
Key Challenges for ISO 27001:2022 Certificate
Although several clauses have been reworded or reordered in ISO/IEC 27001:2022, there are minimal new requirements in clauses 4-10.
However, significant impact on ISMS management can be expected due to changes in clause 4.4, which now requires the establishment, implementation, support, and continual improvement of processes and their interactions.
New requirements were introduced in clause 3 of the 2022 version, which now includes references to the ISO and IEC terminology databases. A new item was added in clause 4.2 (c), and a new section, "Planning changes," was added as clause 6.3. A note was also added in clause 5.1 to clarify the term "business."
In the 2022 version, there are 93 controls, 11 of which are new, compared to 114 controls in the 2013 version. Additionally, 56 controls in ISO/IEC 27001:2013 were combined into 24 controls in ISO/IEC 27001:2022.
What Are the Control Changes in Annex A?
Several Annex A controls have been merged, while 11 have been added.
Even though no controls have been removed, ISO 27001:2022 lists only 93 controls rather than ISO 27001:2013’s 114. This is due to the large number of merged controls (56 into 24).
These controls are grouped into 4 ‘themes’ rather than 14 clauses. Here they are:
People (8 controls)
Organisational (37 controls)
Technological (34 controls)
Physical (14 controls)
Here are the completely new controls:
Threat intelligence
Information security for use of Cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
In ISO 27002, the controls also have five types of ‘attribute’ to make them easier to categorise:
Control type (preventive, detective, corrective)
Information security properties (confidentiality, integrity, availability)
Cyber security concepts (identify, protect, detect, respond, recover)
Operational capabilities (governance, asset management, etc.)
Security domains (governance and ecosystem, protection, defence, resilience)
Executive Summary
The new version of the ISO/IEC 27001:2022 certificate brings significant changes and challenges that can help organizations both improve their information security and open up new opportunities. Organizations should start preparing for the transition now and ensure that they meet the new requirements before the deadline. By doing so, they can ensure that their information security management system remains effective and up-to-date.
If you work in the IT business, telecommunications, or cloud data storage handling sensitive data, and you are considering doing business with larger companies in Europe, the UK, the USA, Canada, Southeast Asia, or the Middle East (including Singapore, Malaysia, South Korea, Indonesia, Australia, or the UAE), you should consider having your business certified according to the new ISO 27001:2022 standard. Take it from me!
By getting certified already in 2023 or 2024, you can get ahead of the competition and the industry as a whole. You will also surpass many companies that will still be in the transitional period by the end of 2025.
Still have questions? Please feel free to contact us by clicking on the button below.
Would you like to receive a personalized offer for the new ISO 27001:2022 certification issued by a certification body?