What is new in ISO27001:2022?
Background
The most implemented version of ISO270001 has been around since its release in 2013. The update to ISO27001 has been a long time coming.
At the rate of technology changes and the migration to the cloud that we have seen in the past ten years, the ISO27001 information security standard had become somewhat outdated. It had become difficult to apply the 2013 based control standards to cloud environments and provide a control framework to help reduce risks associated with newer modern attack vectors and threats.
ISO27017 had addressed some cloud requirements as an add-on to ISO27001 for cloud service providers but this still required organizations to adopt ISO27001:2013 as the foundation for their information security programs.
ISO27001:2022 was released for adoption in Sept 2022.
What hasn’t changed?
The Information Security Management System (ISMS) that ISO27001 introduces as part of its Clauses 4-10 widely remain unchanged. The clauses do introduce a good structure and approach for managing your organizations security program. The clauses drive accountability, organization, a risk-based security approach, monitoring and improvement capabilities that ensure security is top of mind for the company’s security leader, stakeholders, and management team.
ISO27001:2022 Clauses:
4 - Context of the Organization
5 - Leadership
6 - Planning
7 - Support
8 - Operation
9 - Performance Evaluation
10 - Improvement
ISO27001:2022 Changes
To summarize the changes in ISO27001:2022, the following have been updated:
- Simplified control references
- Introduction of control attributes
- Control consolidation
- Addition of 11 new controls
- Overall reduction in controls from 114 Annex a to 90
- Additional updated control guidance in ISO27002
ISO27001:2022 New Controls
The following 11 new controls have been added to the standard:
|
# |
Control |
Title |
Summary |
|
1 |
A.5.7 |
Threat Intelligence |
|
|
2 |
A.5.23 |
Information security for use of cloud services |
|
|
3 |
A.5.30 |
ICT Readiness for Business Continuity |
|
|
4 |
A.7.4 |
Physical Security Monitoring |
|
|
5 |
A.8.9 |
Configuration Management |
|
|
6 |
A.8.10 |
Information Deletion |
|
|
7 |
A.8.11 |
Data Masking |
|
|
8 |
A.8.12 |
Data Leakage Prevention |
|
|
9 |
A.8.16 |
Monitoring Activities |
|
|
10 |
A.8.23 |
Web Filtering |
|
|
11 |
A.8.28 |
Secure Coding |
|
The new domains:
|
Domain |
Title |
|
A.5 |
Organizational Controls |
|
A.6 |
People Controls |
|
A.7 |
Physical Controls |
|
A.8 |
Technological Controls |
Extended Control Attributes
|
Control Type |
InfoSec Properties |
Cybersecurity Concepts |
Operational Capability |
|
Preventative Corrective |
Confidentiality Availability |
Identify |
Governance InfoSec Assurance |
What should you consider next?
If you are already certified to ISO27001:2013 you will have up to three years depending on your surveillance and re-certification timing to adopt the new standard. Contact your certification body or EKKO for exact guidance on when to migrate and the process that is involved.
Organizations looking to certify to ISO27001 can adopt the new 2022 standard. Certification firms such as A-lign https://a-lign.com have started supporting audits to ISO27001:2022 under guidance from ANAB, the US ISO certification body.
Documentation updates
Your policies and procedures will need to be updated to reflect the new control numbering systems, control attributes and introduction of the eleven new controls. In addition, you will have to :
- Update the Statement of Applicability
- Update policies
- Implement and remediate new control requirements
- Conduct a new risk assessment
- Update treatment plans
- Conduct an internal audit against the new controls
More information
EKKO has developed new ISO27001:2022 tools, templates and its EKKO Agility Atlassian solution to help with the adoption and migration to the new ISO27001:2022 standard.
For more information or advice contact us
Contact us: https://ekkosecurity.com/contact
Email: ekko-info@ekkoconsulting.com