ISO/IEC 27001:2022: what major changes are there?

The updated ISO/IEC 27001:2022 requirements

What major control changes are contained in Annex A?

Does my current ISO/IEC 27001 certificate comply with the new changes in ISO/IEC 27001:2022?

ISO/IEC 27002 and 27001

What assistance can Ascent WORLD offer?

On October 25, 2022, the new ISO/IEC 27001:2022 was issued. The ISO/IEC 27001:2022 standard has undergone several significant new modifications, including a significant change to Annex A, minor updates to the clauses, and a change to the standard’s name.

The most recent version of ISO/IEC 27002 was released at the start of 2022, and its most recent revisions also affected ISO/IEC 27001.

The internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, availability, and integrity of organizations’ information assets, has been updated to version 2022 and a new, more pertinent edition has been released. This is because the world is currently facing new, evolving security challenges.

The full title of the new edition, which differs from ISO/IEC 27001:2013, is SO/IEC 27001:2022 Information security, Cybersecurity and Privacy Protection — Information security management systems — Requirements.

The earlier ISO/IEC 27001:2013 version standard was called- Information technology — Security techniques — Information security management systems — Requirements. So, as one can see, Cybersecurity and Privacy Protection has been added into the name.

Annex A of ISO/IEC 27001, which is in line with the ISO/IEC 27002:2022 modifications, has undergone the most important changes and was published earlier this year.

Regarding the remaining sections, clauses 4 to 10 have undergone several minor revisions, particularly in clauses 4.2, 6.2, 6.3, and 8.1 where new content has been inserted. Minor revisions to the vocabulary and sentence and clause structure are also included. These clauses’ titles and placement, however, remain the same:

• Clause 4 Context of the organization
• Clause 5 Leadership
• Clause 6 Planning
• Clause 7 Support
• Clause 8 Operation
• Clause 9 Performance evaluation
• Clause 10 Improvement

Changes to the number of controls and their grouping are contained in Annex A of ISO/IEC 27001:2022. Information security controls reference has replaced Reference control objectives and controls as the title of this Annex. As a result, the control group reference objectives that were included in the previous version of the standard have been eliminated.

There are now 93 fewer Annex A controls than there were previously—114. Most of the reduction in controls has resulted from the consolidation of numerous controls. A total of 57 controls were combined into 24 controls, one control was split into two, 23 controls were renamed, 35 controls remained the same, and so on. There have been 93 controls restructured into four control groups or sections.

The following are the new ISO/IEC 27001:2022 control groups:

1. Organizational controls, which total 37 controls, are in A.5.
2. Controls for people in A.6 contain eight controls.
3. Physical controls: 14 controls in total.
4. Controls relating to technology (A.8): 34 controls

The 11 new controls listed below have also been included in ISO/IEC 27001:2022’s Annex A:

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

The current ISO 27001 Certification will not be impacted by the new modifications in ISO/IEC 27001:2022.

The current 2013 version certificate will be valid till 2025, after which it has to be transitioned to the 2022 version.

Since IT security and information security management systems are both covered by ISO/IEC 27001 and ISO/IEC 27002, they appear to be relatively comparable. They aren’t the same, though.

An organization or individual can be certified following a list of compliance standards set forth by ISO/IEC 27001, a standard for information security management systems. It aids businesses in establishing, putting into practice, maintaining, and enhancing an information security management system (ISMS).

Early in the 1990s, this standard was first known as ISO/IEC 17799. The standard was updated and given the new designation ISO/IEC 27001 in 2005. The 2013 revision of ISO/IEC 27001 resulted in the publication of a new edition, which is more current with technological advancements and the most recent security risks. The standard underwent yet another revision in 2019, although up to this point, the same version remained in effect.

Along with ISO/IEC 27001, another standard that is a member of the ISO/IEC 27000 ISMS family of standards is ISO/IEC 27002. By offering instructions for choosing and implementing appropriate information security controls described in Annex A of ISO/IEC 27001, this standard is used to adapt information security management systems to the particular context of businesses. Additionally, ISO/IEC 27002 provides considerably more complete and in-depth information about these controls.

Organizations cannot be certified against ISO/IEC 27002; only experts can do so because it is a supporting standard that only contains guidelines rather than requirements.

Key Changes to the ISO 27001 standard

There are documentary editions:

• “International Standard” replaced with “document”.
• Re-arranging some of the English phrases to allow easier translation to local languages.

Changes to align with the ISO harmonized  (Annex SL / Annex L) approach:

• Bit of a numbering re-structuring.
• The requirement to identify, list out and define processes and their interactions.
• Communicating the organizational roles relevant to ISMS within the organization, also.
• There is a new clause 6.3 – Planning of Changes, to include Change Management.
• Requirement explicitly mentioned to ensure that the organization has determined how to communicate- clause 7.4
• Requirements to establish criteria for operational control processes and implementing.

In a gist, revisions in Annex A, has reflected the changes made in ISO/IEC 27002:2022.

• The structure of Annex A has been divided into 4 key areas
  Organizational, People, Physical and Technological instead of 14 in the previous edition
• The controls listed decreased from 114 to 93
  Some controls have merged with others, some removed, and a few new ones have been introduced, while a few have been updated.
• The concept of attributes has been introduced
  Aligned with digital security, these 5 attributes are: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains

Aspiring Organizations intending to take up ISO 27001 standard certification and/or, those who want to transit from their existing ISO 27001:2013 version can acquire the knowledge, abilities, and competencies necessary to assist enterprises in ensuring information security, cybersecurity, and privacy protection from ISO/IEC 27002. Organizations can learn a lot about these two standards and gain the essential competence to help an organization plan, implement, and maintain an information security management system and its controls by using both a theoretical and practical approach to qualitative education.

Ascent WORLD shall Strengthen the overall information security posture.

By completing the transition and adopting the ISO/IEC 27001:2022 standard, the organization strengthens its overall information security posture, guidance, and support in the overall digitization strategy, prevent/mitigate the risks of various information breaches, builds trust internally and externally, and build the organization’s information resilience.

Cyber-attacks, if they happen and strike your organization- are generally costly, disruptive and a growing threat to business, governments, society, individuals, and the general work being done.

Ascent WORLD helps to address global cybersecurity challenges and improve digital trust. Ascent WORLD in a responsibility to address these within an Organization- these cybersecurity challenges, guides them to enhance overall resilience and implement cyber threat mitigation efforts. Here’s how we at Ascent WORLD will benefit your organization:

• Guidance in Securing information in all forms, including paper-based, cloud-based and digital data
• Guidance in Increase of resilience towards cyber-attacks
• Guidance in the provision of a centrally managed (with KPIs) framework that secures all information in one place
• Guidance in ensuring organization-wide protection, including against technology-based risks and other threats and vulnerabilities
• Guidance in aligning Assets’ values and the CIA model within the Risk Assessment
• Guidance in responding to and mitigating and evolving security threats
• Guidance in reducing costs and expenditures on ineffective defence technology
• Guidance in protecting the integrity, confidentiality, and availability of data.

Through the apt and expertise guidance of Ascent WORLD, Organizations that adopt cyber resilience through the use of confident vulnerabilities, aptly transforms and emerges as Industry leaders and thereby set the standard within their ecosystem. The overall holistic approach of Ascent WORLD in assisting and guiding Organizations towards compliance with ISO/IEC 27001:2022 automatically means that the entire processes and Departments within the organization are covered, not just the standalone IT. Generally, through the motivations of Ascent WORLD, People, technology, and processes- they all benefit.

When an organization implements ISO/IEC 27001:2022, with the help of Ascent WORLD, it demonstrates to its various stakeholders- Internal, as well as External and customers, users, and the public that it is committed to managing all information securely and safely. Ascent WORLD can really guide the Organization to a fantastic way to promote itself, somehow celebrate achievements, and demonstrate your trust.