ISO27001 2022: HOW WILL IT AFFECT YOU?

Everything you need to know

ISO/IEC 27001:2022 The international Standard for Information security, cybersecurity and privacy protection — Information Security Management Systems Requirements

What is ISO/IEC 27001:2022?

ISO 27001 is the international standard for information security. It specifies the requirements for an Information Security Management System (ISMS), against which an organisation can seek ISO 27001 certification. ISO/IEC 27001:2022 is the much-anticipated 2022 update to the standard.

Why has it changed?

Considering the modern compliance landscape (regulations such as GDPR, POPIA and the APPs) and the evolving business continuity and cyber risk difficulties faced by organisations, the need for ISO 27002 to broaden the scope of its information security controls was overdue.

The objective of the latest revision (2022) was to improve the intent of the standard by providing a reference set for information security control objectives and broaden its scope for use in context-specific information security, privacy and cyber security risk management.

How ISO 27002:2022 Differs From ISO 27002:2013

Broadly speaking, the number of security controls in the new version of ISO 27002:2022 has decreased from 114 controls in 14 clauses in the 2013 edition to 93 controls in the 2022 edition. These security controls are now categorised into four control “themes.”

Controls explained

A “control” is defined as a measure that modifies or maintains risk. An information security policy, for example, can only maintain risk, whereas compliance with the information security policy can modify risk. Moreover, some controls describe the same generic measure in different risk contexts.

Specific changes in detail

The control sets are now organised into four (4) security categories or themes instead of fourteen (14) control domains (previously A.5 to A.18).

The four categories are:

  • Organisational
  • People
  • Physical
  • Technological

In summary:

  • 93 controls in the new version of 27002.
  • 11 controls are new.
  • A total of 24 controls were merged from two, three, or more security controls from the 2013 version.
  • The 58 controls carried over from ISO 27002:2013 have been reviewed and revised to align with the current cyber security and information security environment.
  • Annex A, which includes guidance for the application of attributes.
  • Annex B, which corresponds with ISO/IEC 27001:2013. It is essentially two tables that cross-reference control numbers/identifiers for ease of reference, detailing what is new and what has merged.


11 new controls in ISO/IEC 27002:2022

  1. Threat intelligence
  2. Information security for the use of cloud services
  3. ICT Readiness for Business Continuity
  4. Physical security monitoring
  5. Configuration management
  6. Information deletion
  7. Data masking
  8. Data leakage prevention
  9. Monitoring activities
  10. Web filtering
  11. Secure coding

Control guidance reviews & updates

The Guidance section for each control has been reviewed and updated (where needed) to reflect current developments and practices.

The language used throughout the guidance notes is more robust than in the previous version; there is now a raised expectation of mandatory controls and of organisations being able to evidence compliance to a greater degree. In addition, each control now has a ‘Purpose’ statement and a set of “Attributes” (see 4.2).

A business implementing controls can choose which ones apply to them based on risk, as well as adding their own into an ISO 27001 compliant ISMS (context-dependent usage).

ISO 27002 themes & attributes explained

Attributes are a means of categorising controls. These allow you to quickly align your control selection with common industry language and standards.

These attributes identify key points:

  • Control type
  • InfoSec properties
  • Cyber security concepts
  • Operational capabilities
  • Security domains

The use of attributes supports work that many companies already do within their risk assessment and statement of applicability (SOA). For example, Cybersecurity concepts similar to NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.

Each control now has a table with a set of suggested attributes and Annex A of ISO 27002:2022 provides a set of recommended associations.

Information Security Properties

Information security involves protecting various aspects of the information, which can be represented by the CIA model. These aspects include confidentiality, integrity, and availability of the information. Understanding this enables the formulation and implementation of effective information security controls. These are now defined as attributes on a per control basis.

The CIA Triad Explained

Confidentiality – The confidentiality of information means measures should be taken to protect it from unauthorised access. One way to achieve this is by enforcing different access levels for information based on who needs access and how sensitive the information is. Some means of managing confidentiality include file and volume encryption, access control lists, and file permissions.

Integrity – Data integrity is an integral part of the information security triad, aimed at protecting data from any unauthorised modification or deletion. This also involves ensuring that any unauthorised changes or deletions made to the data can be undone.

Availability – Availability aims to ensure that data is accessible to those who need it when it is required. Some of the information security risks to availability include sabotage, hardware corruption, network failure, and power outages. These three components of information security work hand in hand, and you cannot concentrate on one of them at the expense of the others.

What are the main changes in 2022?

Summary of Changes

Management system

The management system of ISO 27001:2022 will contain a few minor changes, aligning it to Annex SL.

These changes include:

  • Refinement of 4.1 Context
  • Refinement of 4.2 Interested parties
  • Refinement of 4.4 ISMS
  • Refinement of 6.1.3 Risk treatment
  • Refinement of 6.2 Objectives
  • Addition of 6.3 Change management
  • Refinement of 7.4 Communication
  • Rewrite of 8.1 Operational planning
  • Refinement of 9.1 Monitoring
  • Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
  • Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output (and the addition of an extra topic)
  • 10.1 Improvement and 10.2 Nonconformities have switched numbers (!)

Annex A controls

Annex A of ISO 27001:2013 contained 114 controls, divided over 14 chapters. This has been restructured, the 2022 version now contains 93 controls, divided over 4 chapters:

  • 5. Organizational (37 controls)
  • 6. People (8 controls)
  • 7. Physical (14 controls)
  • 8. Technological (34 controls)

While some controls appear to have been merged, other controls look new and might require some tweaking of your existing implementation – if you wish to include them in your Statement of Applicability, of course:

ISO 27001:2022                                         | ISO 27001:2013 equivalent
A.5.7  Threat intelligence                             | A.6.1.4  Contact with special interest groups
A.5.16 Identity management                             | A.9.2.1  User registration and de-registration
A.5.23 Information security for use of cloud services  | A.15.x   Supplier relationships
A.5.29 Information security during disruption          | A.17.1.x Information security continuity
A.5.30 ICT readiness for business continuity           | A.17.1.3 Verify, review and evaluate information security continuity
A.7.4  Physical security monitoring                    | A.9.2.5  Review of user access rights
A.8.9  Configuration management                        | A.14.2.5 Secure system engineering principles
A.8.10 Information deletion                            | A.18.1.3 Protection of records
A.8.11 Data masking                                    | A.14.3.1 Protection of test data
A.8.12 Data leakage prevention                         | A.12.6.1 Management of technical vulnerabilities
A.8.16 Monitoring activities                           | A.12.4.x Logging and monitoring
A.8.23 Web filtering                                   | A.13.1.2 Security of network services
A.8.28 Secure coding                                   | A.14.2.1 Secure development policy

What about localized versions?

We have it on good authority that most localized versions are already under development, based on the released draft-versions. We expect them to be released a few months after the respective English versions.


November 2nd, 2022 Posted in ISO 27001

The long-awaited ISO 27001:2022 standard has been released and has brought with it a raft of changes. While 35 controls remain unchanged, some 57 have been merged, 23 others renamed, and 11 new ones introduced. Overall, this translates into a reduction of controls from 114 to 93 controls, spread over 4 categories.

Let’s have a look at the changes in more detail.


When should organisations transition to the new control set?

Now that the new standard is published, a transition period of around three years is expected to allow the changes to be implemented. Not only that, but the certification bodies will also need some time to interpret and adopt the new standard and the changes the new control set brings. This means that certification bodies are not likely to be offering assessments against the updated standard for a period of 3 to 6 months from the date it was published.

Now that the standard has been released, we anticipate a timeline for the transition as displayed below:


What is different in the new iteration of ISO 27001?

The first noticeable difference is that the information security standard document title has been simplified to the relatable “Information security, cyber security, and privacy protection – Information security management systems.”

More significantly, some adjustments have been applied to Clauses 4 to 10.

  • Clause 3 “Definitions”

This section now contains links to the ISO online browsing platform and the IEC Electropedia which contain the terminology databases. The addition of these links will make it much easier for people to review terminology to gain clarity on clauses and controls.

  • Clause 4.2 “Understanding the needs and expectations of interested parties”

Addition of item (c), stating “which of these requirements will be addressed through the information security management system”. The impact is that more clarity will be needed regarding the requirements of interested parties.

  • Clause 4.4 “Information security management system”

Additional wording has been introduced, requiring the inclusion of “the processes needed [for the maintenance and improvement of the ISMS] and their interactions, in accordance with the requirements of this document.” This addition allows for alignment to other ISO standards such as ISO 9001:2015 and 22301:2019.

  • Clause 5.3 “Organisational roles, responsibilities and authorities”

Now amended and reads “Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation” adding clarity with regards to whom those roles should be communicated.

  • Clause 6.1.3 “Information security risk treatment”

Update in Note 2 now reads “Annex A contains a list of possible information security controls.” rather than the original “comprehensive list of control objectives and controls.” This is emphasising the fact that there are other controls that may be considered as part of your ISMS.

  • Clause 6.2 “Information security objectives and planning to achieve them”

Addition of item (d) which requires objectives to be monitored throughout the lifecycle of the certification. Previously not a defined requirement in ISO 27001:2013 but now ensures that progress against objectives, or lack of, is monitored.

  • Clause 6.3 “Planning of Changes”

An entirely new clause, although it covers the pre-existing requirements of change control. It ensures that when the organisation needs to make changes to the information security management system, these changes are carried out in a planned manner.

  • Clause 7.4 “Communication”

An additional amendment was made which has led to the removal of item (e), the requirement for setting up processes for communication, indicating that the way communications are effected has little impact on how they are received.

  • Clause 8.1 “Operational planning and control”

Now reads “The organisation shall ensure that externally provided process, products or services that are relevant to the ISMS are controlled.” The wording of this control now provides more clarity for implementing an ISMS compared to the original “The organisation shall ensure that outsourced processes are determined and controlled.” Additionally, the requirement to implement plans for achieving objectives was deleted, this is because it is covered in Clause 6.2.

  • Clause 9.1 “Monitoring, measurement analysis and evaluation”

The addition of the note from the existing standard “The methods selected should produce comparable and reproducible results to be considered valid” to the main body of text provides much-needed clarity as to what can be considered a “valid” result in the eyes of the standard.

  • Clause 9.3 “Management Review”

Restructuring of the clause has meant there are now three sub-clauses.

The addition of item (c) to 9.3.2 Management review inputs which now includes “changes and needs and expectations of interested parties that are relevant to the information security management system.”

  • Clause 10 “Improvement”

The order of this clause has reversed so that 10.1 is now Continual improvement and 10.2 is now Nonconformity and corrective action.

All in all, this new version of ISO 27001 provides more clarity within Clauses 4-10 by making small amendments as well as taking into consideration more current cyber security requirements such as threat intelligence. The standard has also worked to address duplication by merging a number of controls to simplify the process of implementing and maintaining an ISMS.

The new changes of ISO/IEC 27001:2022

Cyber security concepts

Cybersecurity concepts attributes are introduced within the 2022 revision of the standard. These attribute values consist of Identify, Protect, Detect, Respond and Recover. This aligns ISO 27002 with the ISO/IEC TS 27110, the NIST Cyber Security Framework (CSF) and similar standards as mentioned earlier.

  1. Identify – Develop the organisation’s understanding to manage cyber security risk to systems, assets, data and capabilities.
  2. Protect – Develop and implement safeguards to deliver critical infrastructure services.
  3. Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security event.
  4. Respond – Create and put into practice the appropriate activities to take action in response to detected cyber security events.
  5. Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.

Operational capabilities

Operational capability is an attribute to view controls from the practitioner’s perspective of information security capabilities.

These include:

governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance.

Security domains

Security domains is an attribute to view controls from the perspective of four information security domains: “Governance and Ecosystem” includes “Information System Security Governance & Risk Management” and “Ecosystem cybersecurity management” (including internal and external stakeholders);

  • A control may have various applications (e.g. backups help protect against malware, hacks, bugs, accidents, mechanical breakdowns, fires etc., and can include deputies and multi-skilled replacements for critical people and alternative suppliers/sources of necessary information services).
  • There are typically several controls required in any given application or situation (e.g., malware can be mitigated using backups, awareness, antivirus, network access controls plus IDS/IPS and more while avoiding infection is a powerful approach if bolstered with policies and procedures).
  • The controls we often use (e.g., backups) are not all-or-nothing, consisting of a number of more minor elements (e.g., backup involves strategies, policies and procedures, software, hardware testing, incident recovery, physical protection etc.).

Whilst many view this as the tricky part, the ISO Compliance Toolkit and support make this process intuitive.

As the world faces new and evolving security challenges, the internationally recognised standard ISO/IEC 27001, which aims to protect the confidentiality, availability, and integrity of organisations’ information assets, has been updated, and its new, more relevant and up-to-date edition has been published.

Different from ISO/IEC 27001:2013, the new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.

The part that has gone under the most significant changes is Annex A of ISO/IEC 27001 which is aligned with the ISO/IEC 27002:2022 updates, published earlier this year.

As for other parts, clauses 4 to 10 have undergone several minor changes, especially in clauses 4.2, 6.2, 6.3, and 8.1 where additional new content has been added. Other updates include minor changes in the terminology and restructuring of sentences and clauses. However, the title and order of these clauses remain the same:

  • Clause 4 Context of the organization
  • Clause 5 Leadership
  • Clause 6 Planning
  • Clause 7 Support
  • Clause 8 Operation
  • Clause 9 Performance evaluation
  • Clause 10 Improvement

What are the main control changes in Annex A?

Annex A of ISO/IEC 27001:2022 contains changes in both the number of controls and the way they are grouped. The title of this Annex has also changed from “Reference control objectives and controls” to “Information security controls reference”. Accordingly, the reference objectives for each control group that were present in the previous version of the standard have been removed.

The number of Annex A controls has decreased from 114 to 93. The decrease in the number of controls has mostly come from merging many of them. 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. The 93 controls have been restructured to four control groups or sections.

The new control groups of ISO/IEC 27001:2022 are:

  1. A.5 Organizational controls – contains 37 controls
  2. A.6 People controls – contains 8 controls
  3. A.7 Physical controls – contains 14 controls
  4. A.8 Technological controls – contains 34 controls

ISO/IEC 27001:2022 has also added the below-mentioned 11 new controls to its Annex A:

  1. Threat intelligence
  2. Information security for the use of cloud services
  3. ICT readiness for business continuity
  4. Physical security monitoring
  5. Configuration management
  6. Information deletion
  7. Data masking
  8. Data leakage prevention
  9. Monitoring activities
  10. Web filtering
  11. Secure coding


Annex B explained

The Annex B.1 and B.2 tables provide easy-to-navigate reference points that give backwards compatibility with ISO/IEC 27002:2013. This makes it easy for organisations using the old standard that need to transition to ISO 27002:2022, and eases cross-referencing between standards that build on ISO 27002, e.g. ISO 27001, ISO 27701 and similar. Again, ISMS.online automatically maps the old to the new control identifiers within our platform, taking the pain out of the transition and implementation.

New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7                                   | New                                   | Threat intelligence
5.23                                  | New                                   | Information security for use of cloud services
5.30                                  | New                                   | ICT readiness for business continuity
7.4                                   | New                                   | Physical security monitoring
8.9                                   | New                                   | Configuration management
8.10                                  | New                                   | Information deletion
8.11                                  | New                                   | Data masking
8.12                                  | New                                   | Data leakage prevention
8.16                                  | New                                   | Monitoring activities
8.23                                  | New                                   | Web filtering
8.28                                  | New                                   | Secure coding


How will this affect organisations implementing ISO 27001?

Certification bodies are unlikely to offer certification to ISO 27001:2022 for at least six months after the Standard’s publication and ISO 27001:2013 will not be retired for another three years, so there is no need to worry that any work you have done to implement ISO 27001:2013 has been wasted.

Depending on how far your ISO 27001:2013 implementation project has progressed, you may wish to use the new Annex A controls from ISO 27001:2022 as an alternative control set, although you will still need to compare these with the 2013 Annex A controls in your Statement of Applicability.

(ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.)

Before renewing your ISO 27001 certification after three years, you will need to transition your ISMS to comply with the 2022 iteration of the Standard.

We have everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.

Learn more about implementing ISO 27001

ISO 27002 vs 27001

Organisations wishing to explore information security management systems may have come across both ISO 27001 and 27002 standards.

ISO 27001 is the primary standard in the 27000 family. Companies can get certified against ISO 27001; however, they cannot certify against ISO 27002:2022, since it is a supporting standard/code of practice.

ISO 27001 Annex A, for example, provides a list of security controls but does not tell you how to implement them; instead it references ISO 27002.

ISO 27002 conversely provides guidance on implementing controls used in ISO 27001. The great thing about ISO 27002 is that the controls are not mandatory; companies can decide whether they want to use them or not, depending on if they’re applicable in the first place.

ISO 27001 Certification

An organisation can acquire an independently accredited certification to the ISO/IEC 27001 standard, which is recognised globally as an indication that its information security management system is aligned with best practice. As mentioned earlier, an organisation cannot certify to the ISO 27002 standard.

ISO 27002 offers the framework that helps organisations establish their information security management systems and make them work. It contains an additional ‘implementation guidance’ which provides detailed information on how each of the controls can be successfully implemented to ensure ISO/IEC 27001 compliance.

How does it affect you?

There will be a period before organisations are required to adopt the revised version of ISO 27001 for their certification audits (at least one year after publication, and typically in conjunction with their next re-certification cycle), so they have ample time to address the changes.

Ultimately, the changes should not significantly impact an organisation’s information security management system (ISMS) and ability to sustain compliance.

However, there may be an impact on the organisation’s overall control framework, specific controls, and how an organisation monitors ongoing compliance.

When converting to the new standard, organisations will need to reassess how their frameworks, controls and policies align with the new structure and updated ISO 27001/27002 controls.

The ISO 27002:2022 revision will affect an organisation differently depending on its situation:

  • If you are already ISO 27001:2013 certified
  • If you are mid-certification
  • If you are about to re-certify

If you are already ISO 27001:2013 certified

If your organisation is already certified, you do not need to do anything now; the revised ISO 27002:2022 standard will be applicable upon renewal/re-certification. It therefore stands to reason that all certified organisations will have to prepare for the revised standard upon recertification, or if adopting new sets of controls or standards, e.g. ISO 27701 or similar.


How does it affect your ISO 27001:2013 certification?

Until the new ISO 27001:2022 standard is published, the current ISO certification schemes will continue, though mapping to the new ISO 27002:2022 controls will be required via Annex B1.1 and B1.2. However, experienced ISO auditors will recognise the structure of the controls and therefore have more to work with, so adoption of ISO 27002:2022 could make for a smoother audit.

What does this mean for organisations that are already certified to ISO 27001:2013?

There is a three-year transition period for certified organisations to revise their management system to conform to the new version of ISO 27001, so there is plenty of time for you to make the necessary changes. However, some certification bodies might stop offering certification to the 2013 iteration of the Standard before that point, so it is worth checking if you need to transition earlier.

It is inadvisable to leave it till the last minute to meet your new obligations, so if you are due to renew your certification during the transition period, you could work

Do you need to amend your documentation?

Complying with these changes should include:

  • An update to your risk treatment process with the updated controls
  • An update to your Statement of Applicability
  • An update to your current policies and procedures, with guidance against each control in the new control set where necessary

One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus your selections, which could reduce the compliance burden or help you see how to better integrate your security processes, thereby making your ISMS easier to implement and manage.


Are any other 27000 standards affected?

Management system standards and frameworks related to and based on the ISO/IEC 27002:2013 version will feel the change.

The changes will have an additional impact when they cascade to related standards such as ISO 27017 cloud security, ISO 27701 privacy, and various national standards that have adopted or incorporated the current requirements and guidance.

That should occur as the review and update cycles for those standards occur over the next few years, and further impact may be expected for local standards and frameworks.


The top 3 Mistakes People make with the new ISO27001:2022

1. Assuming it is different

Assuming that it is vastly different and panicking. Worrying the organisation unduly and seeking massive budget for something that fundamentally is no different to what they have or are already working towards.

2. Paying consultants to work out the impact

Paying consultants to tell you that nothing has fundamentally changed, when you can buy the standard yourself and read it in around 15 minutes.

3. Not buying and reading the standard

Relying on the internet and free resources rather than getting a copy of the standard and reading it yourself.

The 3 things you missed that have changed in ISO27001:2022

1. Fundamentally nothing has changed

ISO27001 2022 is fundamentally the same with minor wording changes, a numbering change on 2 controls and some clarifications.

2. The biggest change was to ISO27002 / Annex A

The biggest change has already happened with the control set when ISO27002 was updated to the 2022 version.

3. It is a version alignment

The standard has not changed significantly since the 2013 version. Because the convention is to name the standard after a year, it looked somewhat embarrassing that people were working to what appeared to be a 2013 version of an information security standard, so to make it look more relevant the name has been changed to 2022.

ISO/IEC 27001:2022 Release Date

ISO27001 2022 was released in October 2022.
