The international standard ISO 27001 was again revised this year, undergoing some essential and long overdue changes. In August, the International Accreditation Forum (IAF) published ISO/IEC 27001:2022. The new standard replaces the previous ISO 27001:2013. Read on to find out what that means for you.
#1 Change of name
ISO 27001:2013, the previous standard, was titled ‘Information technology – Security procedures – Information security management systems – Requirements’.
The new version of the standard is called ‘Information security, cybersecurity and privacy protection – Information security management systems – Requirements’.
What’s changed? The name of the new ISO standard includes the aspect of privacy protection. The addition came as no surprise to us since information security and data protection – even if they take different perspectives – pursue similar goals and are best implemented in tandem.
#2 Updated security controls
The controls listed in Appendix A have been updated and restructured. One upshot is that the number of controls has been reduced from 114 to 93. The new ISO 27001:2022 divides the controls into four sections instead of 14 as before:
- Organisational controls (37 measures)
- People controls (8 measures)
- Physical controls (14 measures)
- Technological controls (34 measures)
These eleven controls are new:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
In addition to the new controls and the updated structure, each control now has five different attributes:
- Control type
- Information security properties
- Cyber security concepts
- Operational capabilities
- Security domains
#3 Editorial changes
- The wording of section 6.1.2 has changed. In the notes under 6.1.2.c) the control objectives have been deleted, and ‘control’ has been replaced by ‘information security control’.
- The wording of section 6.1.3 d) has been restructured to preclude any ambiguities.
- The management review requirements have been expanded to include inputs and results.
What are the ramifications of the new ISO 27001 version for companies?
While the changes in the new version make themselves felt, they do not require a completely new approach to information security or major changes to your current information security management system. Instead, they constitute long overdue adjustments based on our growing understanding of information security.
The new ISO 27001:2022 is identical to the previous version in its essential statements and requirements. What’s more, there is a three-year (36-month) transition period – aligning the new standard with the recertification period of its predecessor. This means that, since certified companies must undergo a new audit process every three years to retain their certification, all companies that had ISO 27001:2013 certification will have 36 months to qualify for certification according to the new 2022 version.
For companies with ISO 27001:2013 certification, this means:
Prior to their next re-audit, documentation should be adapted and updated to reflect the new controls – especially for business continuity management, where the requirements are now stricter. The next audit can be used for ISO 27001:2022 certification.
For companies without ISO 27001:2013 certification, this means:
Companies can still be certified according to the old version of the standard. But it would be better to go ahead and implement the new version. If you do this, you won’t need to undergo a new audit during the transition period.
You want ISO 27001 certification but need help with implementation?
At DataGuard, we’ve helped more than 3,000 companies on their way to compliance. Our information security experts have the industry expertise to implement an ISMS in compliance with ISO 27001:2022 and guide you through internal and external audits.
The entire process is based on our web-based information security platform, which automates manual processes and guides you step-by-step through the entire project.
Just make an appointment for a free, non-binding consultation and get started on the ISO 27001 compliance process today.