A new version of the information security management system ISO 27001 has been published, introducing significant changes in the way organizations are expected to protect their sensitive data.
ISO 27001:2022 marks the first major changes to the Standard in almost a decade, and brings its requirements into line with modern business practices. But what exactly is changing, and how will it affect organizations that are currently certified – or are seeking certification to – ISO 27001?
What’s new in ISO 27001:2022?
ISO 27001 contains several new requirements. For example, there are new rules on planned changes and how organizations should deal with them, plus there is a greater focus on the needs and expectations of interested parties.
Meanwhile, Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022 (which was published earlier this year), and the Standard requires organizations to document and monitor their objectives.
There are also changes in the terminology used. The latest version of the Standard aligns its phrasing with the language used across other ISO management standards, while ISO 27002:2022 is no longer referred to as a “code of practice”. This better reflects its purpose as a reference set of information security controls.
The good news is that these changes don’t drastically overhaul the way organizations should approach compliance. More significant are the changes to the structure of ISO 27002, the complementary standard that outlines the controls that organizations must consider adopting.
ISO 27002 no longer consists of 14 control categories (often referred to as ‘clauses’), and is instead split into four ‘themes’: organizational, people, physical and technological.
As part of this change, the total number of controls has decreased from 114 to 93. This is because many controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new requirements have been added. These are:
The new and amended controls are also categorized according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts, and information security properties.
This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.
What organizations must do now
Organizations don’t have to take immediate action following the introduction of ISO 27001:2022. There is a three-year transition period to revise your management system to conform to the new version of the Standard – and for the time being, the 2013 iteration should be used.
This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, with the 2022 version of the Standard being used only as a reference.
The controls listed in ISO 27002:2022 can be considered an alternative control set that organizations will have to compare with the existing Annex A – just as would be the case with any other alternative control set.
Fortunately, ISO 27002:2022 contains an annex that compares its controls with the 2013 version, so this should be relatively straightforward.
The reason that the new version of ISO 27001 has been published now is so that organizations can familiarize themselves with the new controls before embarking on an implementation project.
Although they won’t need to start any time soon – an implementation project should take less than a year and probably only a few months – it’s worth understanding what’s expected of you as soon as possible.
The best way to do that is by reading a copy of the Standard for yourself and comparing it to the 2013 version and your current compliance practices.
Meanwhile, if you’re unsure how to proceed, our team of experts are here to help.
Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.
Speak to one of our experts for more information on how we can support you.