What has changed in ISO 27001:2022?
Here are some of the specific changes in each clause of the standard:
Context and Scope: The scope clause now applies to "relevant" requirements of interested parties and processes. This means that organisations need to consider the needs of all of their stakeholders, not just their customers and suppliers.
Planning: The planning clause now requires organisations to define their information security objectives and to monitor and review those objectives on a regular basis. This is a change from the previous version, which only required organisations to define their information security policies.
Support: The support clause now requires organisations to define how they will communicate information security risks and issues to their staff. This is a new requirement in the new standard.
Operation: The operation clause now requires organisations to control "externally provided processes, products, or services" that are relevant to their ISMS. This is a change from the previous version, which only required organisations to control their own processes and systems.
The new structure of Annex A controls in ISO 27001:2022
The new edition of ISO 27001 restructures the Annex A controls into four categories: organisational, people, physical, and technological. This is a significant improvement over the previous version, which had 14 control domains. The new structure is designed to make it easier for organisations to select and implement the controls that are most relevant to their needs.
- The organisational category contains 37 controls that address the overall management of information security within an organisation. These controls include things like establishing an information security policy, appointing a security manager, and conducting risk assessments.
- The people category contains 8 controls that address the role of people in information security. These controls include things like training employees on information security best practices, conducting background checks on new hires, and managing user access to sensitive information.
- The physical category contains 14 controls that address the physical security of information assets. These controls include things like securing buildings and facilities, protecting computer rooms, and managing the disposal of sensitive information.
- The technological category contains 34 controls that address the technological aspects of information security. These controls include things like implementing firewalls and antivirus software, encrypting data, and managing access to information systems.
The new structure of Annex A controls is aligned with the four pillars of information security:
- Organisational: This pillar addresses the need for a strong organisational commitment to information security.
- People: This pillar addresses the importance of people in information security.
- Physical: This pillar addresses the need to protect information assets from physical threats.
- Technological: This pillar addresses the need to protect information assets from technological threats.
The new structure of Annex A controls is a significant improvement over the previous version. It makes it easier for organisations to implement an effective information security management system and protect their information assets from a wide range of threats.
In addition to the new structure, ISO 27001:2022 also includes 11 new controls. These controls are designed to address emerging threats, such as cloud computing, social engineering, and data breaches. The new controls are also designed to improve the effectiveness of information security management systems by providing organisations with more options for mitigating risks.
The new controls are as follows:
Threat intelligence: This involves the collection and analysis of information about potential threats to information security within organisations.
Information security for the use of cloud services: Assessing and managing the risks associated with the use of cloud services.
ICT readiness for business continuity: Ensuring that information and communications technology (ICT) systems remain resilient and operational in disaster scenarios is a requirement.
Physical security monitoring: Continually monitoring the physical security systems to promptly identify and respond to security incidents.
Configuration management: Managing the configuration of their information systems to ensure that they are secure.
Information deletion: Securely deleting sensitive information when it is no longer needed.
Data masking: Masking sensitive information to prevent unauthorized access.
Data leakage prevention: Preventing sensitive information from being leaked outside of the organisation.
Monitoring activities: Monitoring the information security activities to ensure that they are effective.
Web filtering: Filtering web traffic to prevent access to malicious websites.
Secure coding: Developing and using secure code to protect the information systems.
Through these new Annex A controls, many organisations may be required to implement 20+ new ISMS documents, policies and procedures into their ISMS based on their scope and requirements.