ISO 27001:2022 updates and what they mean for your business
If you’re in charge of information security, the recent ISO/IEC 27001:2022 update requires you to implement its changes. Doing so keeps you compliant and aligns your information security posture with the way business practices, and the risks that come with them, have evolved in the digital era.
The first version of ISO 27001 was published in 2005, followed by an update in 2013. Now we have the latest version in use, published in 2022: ISO 27001:2022.
So, what does this mean for your organization? What challenges will you face in meeting the new compliance requirements? In this article, we’ll explore the changes introduced in ISO 27001:2022 in a way that’s easy to understand.
Importance of complying with ISO 27001
Many businesses today, especially those handling sensitive information, have to set up various security measures like firewalls, antivirus software, and password managers to protect against cyberattacks. Additionally, many have shifted their IT operations and security responsibilities to cloud service providers.
However, just having these security measures in place doesn’t guarantee that shared information is safe from potential breaches. This is where ISO 27001 comes into play. It serves as the foundation for an Information Security Management System (ISMS), a structured approach that helps businesses identify and manage security risks.
Complying with ISO 27001 brings several benefits to your organization:
- Enhanced data protection and security: Strengthened security measures protect your sensitive information from breaches and unauthorized access.
- Improved risk management: A proactive approach to risk management helps you identify and mitigate threats more effectively.
- Demonstrated commitment: ISO 27001 certification demonstrates your commitment to information security to stakeholders, partners, and clients.
- Enhanced trust and credibility: Building trust is paramount in business. ISO 27001 certification enhances your credibility and trustworthiness.
What has changed in the ISO 27001:2022 standard?
To keep pace with evolving technology and security threats, ISO/IEC 27002 has recently been revised. These changes are geared towards safeguarding an organization’s core principles concerning its information assets: confidentiality, integrity, and availability. Notably, organizations that have invested heavily in complying with ISO 27001 can take comfort in the fact that the new version does not require a complete overhaul of the certification process.
The primary revisions in ISO 27001 involve a significant alteration of Annex A, accompanied by minor updates to the mandatory clauses. It’s worth highlighting that the modifications to Annex A align with the latest iteration of ISO/IEC 27002, which was introduced at the beginning of 2022.
Furthermore, the standard has been renamed and now goes by the title “ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection”.
Clauses that have undergone changes in the ISO 27001 standard
Regarding other sections of the standard, mandatory clauses 4 through 10 have seen several minor adjustments. There are additional enhancements in clauses 4.2, 6.2, 6.3, and 8.1, with some updates involving terminology and rewording. Nonetheless, the titles and groupings of these mandatory clauses remain unchanged:
List of compulsory clauses
- Clause 4 – Organizational Context
- Clause 5 – Leadership
- Clause 6 – Planning
- Clause 7 – Support
- Clause 8 – Operations
- Clause 9 – Performance Assessment
- Clause 10 – Improvement
So, what exactly has evolved within these mandatory clauses?
- 4.4 – Information Security Management System (ISMS): This new addition requires the identification of processes and their interactions. It also requires identifying the scope of relevant requirements from interested parties and determining which of them will be addressed through the ISMS.
- 6.2 – Information Security Objectives: Objectives must now be documented and accessible as “documented information” for all stakeholders. This section introduces a new aspect related to planning changes to the ISMS, although it doesn’t specify a particular process.
- 8.1 – Operational Planning and Control: This requirement replaces the earlier obligation to plan how to achieve information security objectives. Organizations are now tasked with defining criteria for operational processes and controlling those processes according to the criteria.
- 9.1 – Performance Evaluation: Procedures for assessing and monitoring controls should be consistent and reproducible, enabling the organization to analyze trends.
- 9.2 – Internal Audits: Internal audits must cover all of the organization’s own requirements, not just those outlined in the ISO 27001 standard.
Annex A changes
The adjustments in ISO/IEC 27001:2022 have led to a reduction and reorganization of the controls found in Annex A. The controls have been streamlined, decreasing from 114 to 93. Furthermore, they have been regrouped into four broad categories: organizational, personnel, physical, and technological.
Fortunately, these modifications have an upside: they make the standard more accessible and easier to put into practice.
The four new control groups
- Organizational controls – contains 37 controls
- People controls – contains 8 controls
- Physical controls – contains 14 controls
- Technological controls – contains 34 controls
Newly added controls to Annex A
- Threat intelligence
- Information security for the use of cloud services
- Information and communications technology for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Transition period
Regardless of where your organization stands in its pursuit of ISO/IEC 27001:2022 certification, there’s no need to worry; there is ample time to make the required adjustments.
To adopt the updated ISO 27001:2022 standard, all organizations benefit from a three-year transition window. Certificates issued under ISO 27001:2013 will either expire or be rendered invalid no later than October 31, 2025. During this transitional period, organizations can still seek certification against the 2013 version until October 31, 2023.
How to achieve ISO 27001:2022 compliance
Organizations aiming to comply with ISO/IEC 27001 face a rigorous certification process with an extensive set of mandatory requirements. These requirements span various areas, including defining the scope of the Information Security Management System (ISMS), drafting security policies, conducting risk assessments, and providing evidence of competence, monitoring, and audits.
CyberArrow GRC offers a comprehensive and unified approach to information security, streamlining and simplifying the certification journey. Through our ready-made questionnaires and integrated tools, you’ll be equipped to catalog all your assets, evaluate their associated risks, and speed up the certification process.
Furthermore, by utilizing our platform, your organization will comprehensively understand its cyber risk levels, enabling thorough preparation for the requisite audits.
Emirates, a leading global airline, enhanced its information security by automating ISO 27001 compliance with CyberArrow GRC. By leveraging CyberArrow’s automation capabilities, Emirates improved compliance efficiency, reduced manual work, and ensured robust protection of sensitive information.