What is new in ISO27001:2022?

What is new in ISO27001:2022?

Background

The most implemented version of ISO270001 has been around since its release in 2013. The update to ISO27001 has been a long time coming.

At the rate of technology changes and the migration to the cloud that we have seen in the past ten years, the ISO27001 information security standard had become somewhat outdated. It had become difficult to apply the 2013 based control standards to cloud environments and provide a control framework to help reduce risks associated with newer modern attack vectors and threats.
ISO27017 had addressed some cloud requirements as an add-on to ISO27001 for cloud service providers but this still required organizations to adopt ISO27001:2013 as the foundation for their information security programs.
ISO27001:2022 was released for adoption in Sept 2022.

What hasn’t changed?

The Information Security Management System (ISMS) that ISO27001 introduces as part of its Clauses 4-10 widely remain unchanged. The clauses do introduce a good structure and approach for managing your organizations security program. The clauses drive accountability, organization, a risk-based security approach, monitoring and improvement capabilities that ensure security is top of mind for the company’s security leader, stakeholders, and management team.

ISO27001:2022 Clauses:

4 - Context of the Organization
5 - Leadership
6 - Planning
7 - Support
8 - Operation
9 - Performance Evaluation
10 - Improvement

ISO27001:2022 Changes

To summarize the changes in ISO27001:2022, the following have been updated:

  1. Simplified control references
  2. Introduction of control attributes
  3. Control consolidation
  4. Addition of 11 new controls
  5. Overall reduction in controls from 114 Annex a to 90
  6. Additional updated control guidance in ISO27002

ISO27001:2022 New Controls

The following 11 new controls have been added to the standard:

A.5.7 - Threat Intelligence
A.5.23 - Information security for the use of cloud services
A.5.30 - ICT readiness fo Business Continuity
A.7.4 - Physical Security Monitoring
A.8.9 - Configuration Management
A.8.10 - Information Deletion
A.8.11 - Data Masking
A.8.12 - Data Leakage Prevention
A.8.16 - Monitoring Activities
A.8.23 - Web Filtering
A.8.28 - Secure Coding

The new domains:

Domain

Title

A.5

Organizational Controls

A.6

People Controls

A.7

Physical Controls

A.8

Technological Controls

Extended Control Attributes

Control Type

InfoSec Properties

Cybersecurity Concepts

Operational Capability

Preventative
Detective

Corrective

Confidentiality
Integrity

Availability

Identify
Protect
Detect
Respond
Recover

Governance
Asset Management
Information Protection
Human Resource Security
Physical Security
System & Network Security
Application Security
Secure Configuration
Identity & Access Management
Threat & Vulnerability Mgmt.
Continuity
Supplier Relationship
Legal & Compliance
InfoSec Event Management

InfoSec Assurance

What should you consider next?

If you are already certified to ISO27001:2013 you will have up to three years depending on your surveillance and re-certification timing to adopt the new standard. Contact your certification body or EKKO for exact guidance on when to migrate and the process that is involved.

Organizations looking to certify to ISO27001 can adopt the new 2022 standard. Certification firms such as A-lign https://a-lign.com have started supporting audits to ISO27001:2022 under guidance from ANAB, the US ISO certification body.

Documentation updates

Your policies and procedures will need to be updated to reflect the new control numbering systems, control attributes and introduction of the eleven new controls. In addition, you will have to :

  1. Update the Statement of Applicability
  2. Update policies
  3. Implement and remediate new control requirements
  4. Conduct a new risk assessment
  5. Update treatment plans
  6. Conduct an internal audit against the new controls

More information

EKKO has developed new ISO27001:2022 tools, templates and its EKKO Agility Atlassian solution to help with the adoption and migration to the new ISO27001:2022 standard.

For more information or advice contact us

Contact us: https://ekkosecurity.com/contact
Email: ekko-info@ekkoconsulting.com