ISO/IEC 27001:2022 Update: Preparing for Transition and the Importance of Adopting the New Standard
The ISO/IEC 27001 Information Security Management System (ISMS) standard has undergone significant changes, with the latest ISO/IEC 27001:2022 version officially published on October 25, 2022. This release followed the completion of the Joint Technical Committee (JTC) voting process on September 22, 2022. All organizations that have implemented or plan to implement an Information Security Management System based on ISO/IEC 27001 can now adopt the ISO/IEC 27001:2022 standard.
Certification audits (initial certification and recertification) for ISO/IEC 27001:2013 were permitted until October 25, 2023. After this date, all initial certification and recertification audits must adhere to ISO/IEC 27001:2022. Surveillance audits for ISO/IEC 27001:2013 are still allowed until October 24, 2025.
Key Changes in the Latest ISO 27001 Version
The 2022 updates to the ISO/IEC 27001 standard reflect the evolving landscape of digital business practices, including the increased adoption of remote working, Bring Your Own Device (BYOD), and growing reliance on cloud services.
The general changes implemented in ISO/IEC 27001:2022 include:
1. A change in the total number of Annex A controls from 114 to 93, broken down as follows:
- 24 merged controls
- 23 controls with changed names
- 35 controls with changed numbering
- 11 new/additional controls, which include:
  - Threat Intelligence
  - Information Security for Cloud Services
  - Information and Communications Technology (ICT) Readiness for Business Continuity
  - Physical Security Monitoring
  - Monitoring Activities
  - Web Filtering
  - Data Masking
  - Secure Coding
  - Configuration Management
  - Information Deletion
  - Data Leakage Prevention
2. Restructuring of Annex A control domains into 4 main domains:
- People (8 Controls): Controls concerning individuals, such as Teleworking, Filtering, and Confidentiality Agreements.
- Organizational (37 Controls): Controls concerning the organization, such as Information Security Policies, Return of Assets, and Information Security for the Use of Cloud Services.
- Technological (34 Controls): Controls concerning technology, such as Authentication, Information Deletion, Data Leakage Prevention, and System Development.
- Physical (14 Controls): Controls concerning physical objects, such as Storage Media, Equipment Maintenance, Physical Security Monitoring, and Securing Office Rooms.
3. Five attribute types for controls, introduced to make categorization easier:
- Control Type (Preventive, Detective, Corrective)
- Information Security Aspect (Confidentiality, Integrity, Availability)
- Cybersecurity Concepts (Identify, Protect, Detect, Respond, Recover)
- Operational Capabilities (Governance, Asset Management, Risk Management, etc.)
- Security Domains (Governance, Protection, Business Continuity)
Overall, there are no significant differences between the core requirements of ISO/IEC 27001:2022 and ISO/IEC 27001:2013. However, the changes to the Annex A security controls make updating the Statement of Applicability (SOA) a top priority.
Key to Transitioning to ISO/IEC 27001:2022
Organizations can initiate their transition to ISO/IEC 27001:2022 immediately, with a deadline of October 25, 2025, or three years from the standard’s publication date. The milestones are as follows:
While the publication of ISO/IEC 27001:2022 necessitates a transition process, there is no need for concern. Robere & Associates is ready to assist your organization in navigating this transition.
Robere & Associates has been committed to supporting you since the release of the ISO/IEC 27001:2022 standard. We will continue to provide updates on its progress and offer further details on the necessary transition process.