Brief overview of the changes in ISO 27001:2022


The global digital landscape is changing. New business practices such as remote working and “bring your own device” have become widespread, and core business practices are increasingly cloud-based and digitally reliant. In response, the ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Controls for Information Security standards are being updated to reflect this evolution.

These updates provide more robust controls, enabling your organization to address increasingly sophisticated security risks, ensure business continuity, and gain a competitive advantage. Understanding these changes and their impact on your organization as soon as possible will ensure your information remains protected, and that you continue to maximize your competitive edge.

The key changes in this revision come in Annex A. These changes are:

There are 11 new controls, which were needed because of the trends in IT and security:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

ISO 27002:2022 has 93 controls in the following 4 sections:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)

Here’s a brief overview of the changes in ISO 27001:2022:

  • In clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
  • In clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
  • In clause 5.3 (Organizational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
  • In clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored. Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be done in a planned manner.
  • In clause 7.4 (Communication), item (e) was deleted, which required setting up processes for communication.
  • In clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes, and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
  • In clause 9.3 (Management review), the new item 9.3.2 c) was added that clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
  • In clause 10 (Improvement), the sub-clauses have changed places, so the first one is Continual improvement (10.1) and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.

What must organisations do now?

If you already have your Information Security Management System implemented according to ISO 27001:2013, you will need to follow these steps:

Since this revision of the standard introduces 11 new controls, aligning your risk treatment and documentation with them will be the biggest job ahead of you, although it probably will not require major changes in technological and process areas.

The business benefits of ISO 27001 compliance
ISO 27001 compliance is optional, but it can greatly improve your business in several ways:

While most news stories around cybercrime focus on large organisations, businesses of all sizes and industries are at risk, and the consequences can be devastating. The ISO 27001 compliance process forces business owners to look in detail at the way they manage and protect information assets, highlighting weaknesses before breaches occur. The standard also uses a continuous improvement lifecycle model which helps organisations constantly adapt their security according to the threats they are facing.

In achieving ISO 27001 certification, you are demonstrating to all stakeholders that you take information security seriously. This can enhance relationships with existing customers, employees, and investors, open new business opportunities, improve your ability to tender, and help your business distinguish itself from competitors.

It only takes a single data breach or mishap to damage a company’s reputation. Compliance with ISO 27001 will help you reduce the risk of data breaches that may have a reputational impact, and help you maintain a positive position within the market.

By voluntarily implementing ISO 27001, you will be better positioned to meet regulatory requirements under data privacy and security laws such as EU/UK GDPR (General Data Protection Regulation), FCA (Financial Conduct Authority) rules and the NIS Regulations (Network and Information Systems Regulations), as many of the criteria overlap. It can also save time for businesses that are required to complete supplier due diligence questionnaires, considerably reducing administrative overheads.

By becoming compliant with ISO 27001, you’ll build an ISMS that can be scaled to support the growth of your business. You’ll have a framework in place that will help account for changing risks and responsibilities, meaning you never lose sight of the best information management practices.