The internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, integrity, and availability of organizations' information assets, has been updated and a new edition released. The revision reflects the new and evolving security challenges organizations face.
ISO/IEC 27001:2022 was published in October 2022. The new edition brings several significant changes: a restructured Annex A, minor updates to the management-system clauses, and a new title for the standard.
The latest version of ISO/IEC 27002 was published in February 2022, and its revisions flowed directly into Annex A of ISO/IEC 27001. Key changes include:
- Fewer controls, achieved by consolidating overlapping ones
- Minor updates to the mandatory clauses 4 to 10
- Fewer control sections (four themes instead of the previous 14 domains)
- Eleven new controls added
ISO 27001 – Quick Overview
The first edition of this widely adopted information security standard was published in 2005. The International Organization for Standardization (ISO) reviewed the controls in 2012 and published the second edition in 2013.
The 2022 edition is the third revision, and as cybersecurity risks continue to grow we expect future revisions to arrive more quickly.
ISO 27001 certification matters commercially: many B2B customers require it from their suppliers as a condition of doing business. Chat with us if you require a thorough examination of the standard and its implications for your business.
How Is ISO 27001 Structured?
Broadly speaking, ISO 27001 can be divided into two main parts:
Clauses: ISO 27001 is organized into ten numbered clauses. Clauses 4 to 10 define the mandatory requirements for establishing, operating and improving an information security management system (ISMS) from an organizational and managerial standpoint, and each is broken down into subclauses that spell out more specific requirements.
Controls: Annex A lists the reference information security controls (organizational, people, physical and technological) that an organization compares its own risk treatment against; every Annex A control must be either included in, or justifiably excluded from, the organization's Statement of Applicability. ISO 27001:2022 regroups these controls into new control groups (the categories ISO uses to divide the controls into sections) and adds new controls, one of which is data leakage prevention.
The New Changes of ISO/IEC 27001:2022
The new edition also carries a new title. Where ISO/IEC 27001:2013 was titled "Information technology - Security techniques - Information security management systems - Requirements", the 2022 edition is titled "Information security, cybersecurity and privacy protection - Information security management systems - Requirements".
Annex A, which has been brought into line with ISO/IEC 27002:2022, has undergone the most important changes.
As for the remaining sections, clauses 4 to 10 have undergone a number of minor revisions. New material has been added in clauses 4.2 (interested parties), 6.2 (information security objectives), 6.3 (planning of changes, a new subclause) and 8.1 (operational planning and control), and clauses 9.2 and 9.3 have been split into subclauses. Minor revisions to vocabulary and to sentence and clause structure are also included. The clause titles and numbering, however, remain the same:
- Clause 4 Context of the organization
- Clause 5 Leadership
- Clause 6 Planning
- Clause 7 Support
- Clause 8 Operation
- Clause 9 Performance evaluation
- Clause 10 Improvement
What Are The Main Control Changes In Annex A?
Annex A of ISO/IEC 27001:2022 changes both the number of controls and their grouping. The Annex is now titled "Information security controls reference" rather than "Reference control objectives and controls", and the control objectives that headed each control group in the 2013 edition have been dropped.
Annex A now contains 93 controls, down from 114 in the 2013 edition. Most of the reduction comes from consolidation: 57 controls were merged into 24, one control was split into two, 23 were renamed and 35 remained unchanged. The 93 controls are arranged in four control groups (ISO calls them themes) instead of the previous 14 domains.
The new control groups of ISO/IEC 27001:2022 are:
- A.5 Organizational controls – contains 37 controls
- A.6 People controls – contains 8 controls
- A.7 Physical controls – contains 14 controls
- A.8 Technological controls – contains 34 controls
ISO/IEC 27001:2022 also adds the following 11 new controls to Annex A:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.22 Web filtering
- A.8.28 Secure coding
Will ISO/IEC 27001:2022 Changes Affect My Current ISO/IEC 27001 Certificate?
Existing certificates issued against ISO/IEC 27001:2013 remain valid during the transition period, which runs for three years from publication and ends on 31 October 2025. By that date a certified organization must have completed a transition audit to the 2022 edition, or its 2013 certificate ceases to be valid. In practice the largest piece of transition work is remapping the Statement of Applicability to the restructured Annex A and assessing the 11 new controls.
ISO/IEC 27001 and ISO/IEC 27002
Because both ISO/IEC 27001 and ISO/IEC 27002 deal with information security management, they are often confused, but they play different roles.
ISO/IEC 27001 is the requirements standard for information security management systems: it specifies what an ISMS must do, and organizations can be audited and certified against it. It helps businesses establish, implement, maintain and continually improve an ISMS.
ISO/IEC 27002 is a supporting standard that provides implementation guidance for the Annex A controls rather than requirements, so organizations cannot be certified against it. It is read alongside ISO/IEC 27001 when selecting and implementing controls.