The updated version of the ISO 27001 standard has now officially been released. Its full title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements.
If you’re already ISO 27001 certified, changes have been introduced to the 2013 version of the standard that will eventually impact your ISO 27001 Information Security Management System (ISMS) and require you to make changes. If you’re currently thinking about implementing it or in the process, you will need to be mindful that this could affect your approach.
If you’re already certified, speak to your certification body or consultant about what the changes mean for you. (If you’re an ISOQAR client, you will have received an email about this.) If you’re thinking about implementing the standard, speak to the Alcumus ISOQAR Technical Sales Team.
Alcumus ISOQAR is producing a detailed Transition Gap Analysis which identifies in detail what the changes are. We will be releasing this soon.
What has changed?
The major changes are to the Annex A.
The term ‘control objectives’ has gone. Additionally, the term ‘information security controls’ is generally used rather than simply ‘controls’.
The number of ‘controls’ has gone from 114 controls contained within 14 clauses, to 93 controls in 4 clauses.
The new clauses are:
- Clause 5: Organisational Controls – 37 controls
- Clause 6: People Controls – 8 controls
- Clause 7: Physical Controls – 14 controls
- Clause 8: Technological Controls – 34 controls
11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated.
The 11 ‘new’ controls are:
- Threat intelligence (A.5.7)
Organisations will need to actively work to identify threats. This will be linked with risk assessments, context and identifying threats and opportunities.
- Information security for the use of cloud services (A.5.23)
The growth in the cloud has been significant since 2013 and this addition is very timely.
- ICT readiness for business continuity (A.5.30)
While this is similar to previous Business Continuity Controls, strong emphasis is now placed on ICT.
- Physical security monitoring (A.7.4)
Physical security now needs to be monitored continuously.
- Configuration management (A.8.9)
Configuration now needs to be managed and recorded.
- Information deletion (A.8.10)
Linked to new regulations and legislation such as GDPR and DPA 2018, deletion of information needs stronger controls.
- Data masking (A.8.11)
GDPR and DPA 2018 have led to the use of pseudonymization and anonymization.
- Data leakage prevention (A.8.12)
A final GDPR / DPA 2018 linked control, strengthening the controls that prevent information from leaking out of the organisation.
- Monitoring activities (A.8.16)
A strengthening of monitoring requirements in the standard.
- Web filtering (A.8.23)
With the growth in the web, the need to control against malicious or hostile sites has become more important.
- Secure coding (A.8.28)
While linked to the previous development controls, this has been strengthened, especially in relation to read and write access and the use of libraries.
Other changes include:
- 6.1.3 – changes the terms used in the Annex A
- 6.2 – states that objectives need to be monitored
- 6.3 – ‘Change Management’ is a new requirement
- 7.4 – states that organisations need to determine how to communicate
- 9.3 – ‘Management Review’ needs to consider changes in the needs and expectations of interested parties
Another couple of notable terms that are featured in the updated standard include:
- ‘topic-specific policies’
- ‘information and other associated assets’
The definition of assets is given as ‘anything that has value to the organisation’ (3.1.2).
These changes highlight the stronger focus on information itself as the asset, with equipment treated as an ‘other associated’ asset. Organisations will need to create information registers.
It is worth reviewing asset registers considering the definition of ‘asset’.
In the context of information security, two kinds of assets can be distinguished:
- the primary assets:
  - business processes (3.1.27) and activities
- the supporting assets (on which the primary assets rely), for example:
  - personnel (3.1.20)
  - organisation’s structure
This is just a selection of the key changes. Alcumus ISOQAR will be releasing a Transition Gap Analysis which will highlight the changes in much more detail and support your transition from ISO 27001:2013 to ISO 27001:2022. Please monitor these pages or our social media accounts for news of when that document is released. If you’re an ISOQAR client, we will email it to you.