ISO 27001 2022 - The changes and what they mean for organisations

ISO 27001
Written By Simon Hunt
ISO 27001 2022 - The changes and what they mean for organisations

ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for organisations to manage their information security risks and protect their information assets. The 2022 version of ISO 27001 introduces a number of changes, including a new structure for Annex A controls, eleven new controls, and a greater emphasis on risk management and the needs and expectations of interested parties.

ISO 27001:2022 - New structure for Annex A controls

The Annex A controls are the security controls that organisations can implement to protect their information assets. The 2022 version of ISO 27001 reorganises the Annex A controls into four categories:

  • Organisational controls: These controls relate to the overall management of the ISMS, such as the security policy, risk assessment, and internal audit.

  • People controls: These controls relate to the security awareness and training of employees, as well as the management of employee access to information assets.

  • Physical controls: These controls relate to the physical security of information assets, such as access control, environmental controls, and asset management.

  • Technological controls: These controls relate to the technical security of information systems, such as firewalls, intrusion detection systems, and encryption.

This new structure is designed to make the Annex A controls more user-friendly and easier to understand. It also aligns the controls with the four pillars of information security: confidentiality, integrity, availability, and authenticity.

Eleven new controls

The 2022 version of ISO 27001 introduces eleven new controls:

  • Information security for use of cloud services

  • ICT readiness for business continuity

  • Threat intelligence

  • Physical security monitoring

  • Data masking

  • Configuration management

  • Information deletion

  • Data leakage prevention

  • Monitoring activities

  • Web filtering

  • Secure coding

These new controls reflect the changing threat landscape and the need for organisations to protect their information assets from a wider range of threats.

Merging of controls

Fifty-seven controls have been merged into 24 controls in the 2022 version of ISO 27001. This has been done to simplify the standard and make it easier to understand and implement.

Minor updates to existing controls

Fifty-eight controls remain mostly unchanged in the 2022 version of ISO 27001, with minor contextual updates.

Increased emphasis on risk management

The 2022 version of ISO 27001 places a greater emphasis on risk management. Organisations are now required to identify, assess, and treat information security risks in a systematic way. This is essential for organisations to protect their information assets and comply with relevant regulations.

Greater focus on the needs and expectations of interested parties

The 2022 version of ISO 27001 requires organisations to consider the needs and expectations of interested parties when developing and implementing their ISMS. Interested parties can include customers, employees, regulators, and shareholders. By considering the needs and expectations of interested parties, organisations can ensure that their ISMS is effective and meets the requirements of all stakeholders.

What do the changes mean for organisations?

The changes in the 2022 version of ISO 27001 mean that organisations will need to review and update their ISMS to meet the new requirements. This may involve implementing new controls, updating existing controls, and/or improving their risk management processes.

Organisations should start planning for the transition to ISO 27001 2022 as soon as possible. Organisations that have already certified their ISMS (information security management system) to ISO 27001:2013 have until 31 October 2025 to conform to ISO 27001 2022.

However, certification bodies must stop offering (re)certification to the 2013 edition of the Standard by 30 April 2024, so there may be less time to conform to ISO 27001 2022 than you thought.

Moreover, even if your organisation’s ISMS is recertified to ISO 27001:2013 by 30 April 2024, that certificate will expire on 31 October 2025 – even if it has been in place for less than three years (the normal duration of an ISO management system certificate).

Tips for transitioning to ISO 27001 2022

Here are some tips for transitioning to ISO 27001 2022

  • Conduct a gap analysis to identify the differences between your current ISMS and the requirements of ISO 27001 2022.

  • Develop a plan to implement the necessary changes to your ISMS.

  • Communicate the changes to your employees and other stakeholders.

  • Train your employees on the new security controls and procedures.

  • Implement the necessary changes to your ISMS.

  • Have your ISMS audited by a qualified certification body.

Conclusion

The changes in the 2022 version of ISO 27001 are designed to help organisations better protect their information assets from the ever-changing threat landscape. Organisations should start planning for the transition to ISO 27001 2022 as soon as possible.

If you found this article useful, you may like:-

ISO 27001 Implementation Guide – No Sales Pitch
Security Gap Analysis
Implementing ISO 27001 – 3 Basic Approaches
Other ISO 27001 Articles

Simon Hunt
Previous

ISO 27001 checklist: A comprehensive guide to implementation
Next

ISO 27001 or SOC 2 certification – What is the difference?