One of the notable updates in ISO 27001:2022 is a revised approach to risk assessment, aligned with ISO 31000, the ISO risk management standard. This makes the 2022 edition more adaptable than the 2013 edition: an organization can shape its risk treatment approach to its own needs, which supports more effective ISMS implementation. The harmonized structure of the new standard also makes it easier to integrate with other ISO management system standards, such as ISO 9001 (quality) and ISO 14001 (environmental).
Areas such as the use of cloud services, supply chain security and data governance have been strengthened in the updated standard.
A Bird’s Eye View Of The ISO 27001 Transition
The 2022 edition of ISO 27001 makes only minor changes to its core requirements in clauses 4 to 10. Annex A shows a more visible change: the number of controls drops from 114 to 93. The 2013 edition grouped its 114 controls into 14 sections, while the current edition groups the 93 controls into just 4 themes.
A summary of the clause changes:
- Clause 4.2 deals with understanding the needs and expectations of interested parties. The 2022 edition adds a requirement to determine which of those requirements will be addressed through the ISMS.
- Clause 4.4 now requires the processes needed for the ISMS, and their interactions, to be planned.
- Clause 5.3 was clarified: the responsibilities and authorities for ISMS-relevant roles must be communicated within the organization.
- Clause 6.2, which covers information security objectives and the plans to achieve them, now also requires those objectives to be monitored.
- The new clause 6.3 is another significant change: it requires changes to the ISMS to be carried out in a planned manner.
- Item (e) of clause 7.4, which required the processes by which communication is carried out to be defined, was deleted.
- Clause 8.1, operational planning and control, also changed. The earlier requirement to implement plans to achieve the information security objectives was removed, and a requirement to establish criteria for the ISMS processes and to control those processes according to those criteria was added.
- Clause 9.3, management review, gained a new input in 9.3.2: the review must now consider changes in the needs and expectations of interested parties that are relevant to the ISMS.
- Clause 10, improvement, swapped the order of its two sub-clauses, Continual improvement (now 10.1) and Nonconformity and corrective action (now 10.2), but their content is unchanged.
What were the changes in Annex A of ISO 27001:2022?
Annex A was restructured and received 11 new controls. Annex A is a reference list of information security controls that organizations use, together with their risk assessment, to select and justify the controls in their Statement of Applicability. The list is not exhaustive, and an organization may add controls of its own; its purpose is to make the selection of appropriate controls easier. The 4 themes that cover all 93 controls are:
- Organizational – 37 controls
- People – 8 controls
- Physical – 14 controls
- Technological – 34 controls
Despite the new controls, the total number in Annex A fell from 114 to 93, because many controls with overlapping requirements were merged. The 11 additions to Annex A are:
1. Threat intelligence
Organizations need to collect and analyse information about information security threats and act on it. Details of attack trends, tools and methods are useful, and suitable sources can be internal or external, for example advisories from government agencies and vendor reports.
2. Cloud services usage
This control requires processes for acquiring, using, managing and exiting from cloud services to be defined in line with the organization's information security requirements. In practice it is about the steps an enterprise takes to protect the information it holds in the cloud.
3. Business continuity
A requirement for organizations to keep their information and other assets available despite disruptions to their information and communication technology (the control is titled ICT readiness for business continuity). It covers planning, implementation, maintenance and testing of that readiness.
4. Physical security monitoring
This control calls for premises to be continuously monitored for unauthorized physical access, for example with video surveillance or alarm systems. Organizations need proper monitoring systems, and channels for reporting and responding to alerts, so that unauthorized physical access, and through it unauthorized access to information, is detected.
5. Configuration management
This control covers the configurations, including security configurations, of hardware, software, services and networks. ISO 27001:2022 requires these configurations to be established, documented, implemented, monitored and reviewed, so an ISMS must have written configuration management rules and follow them.
6. Information deletion
Organizations must not retain information longer than required. As per the new edition, the rule applies to information held in IT systems, on removable media and in cloud services. Responsibilities for deleting data must be assigned, and deletion should be carried out with tools that make the data unrecoverable.
7. Data masking
This control calls for data masking using techniques such as pseudonymization, anonymization, obfuscation or encryption, combined with access control, in line with the organization's access control policy and applicable legal and business requirements. Enterprises certifying to ISO 27001:2022 must address it wherever it is applicable to them.
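The following is an added illustration of the masking techniques named above, not code from the standard or from the original page. It pseudonymizes direct identifiers with a keyed HMAC (so the same customer maps to the same token across tables, but the token cannot be brute-forced back to a low-entropy value without the key) and partially masks e-mail addresses and card numbers. The key, record layout and field names are assumptions for the example.

```python
"""Data masking for a test or analytics copy of production data (example).

Assumptions: the pseudonym key is a constructed placeholder (in practice it
would live in a secrets manager or HSM, never in source), and the record
fields customer_id / email / card_number are illustrative.
"""
import hashlib
import hmac
import re

# ASSUMPTION: placeholder key for the example only; rotate and store securely.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym for an identifier.

    Input is normalized (trimmed, lower-cased) so 'Alice@Example.com' and
    'alice@example.com' map to the same token. A plain SHA-256 would let an
    attacker enumerate likely inputs; the HMAC key prevents that.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep first character of the local part and the domain: a****@example.com."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a payment card number."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a masked copy of a record; non-sensitive fields pass through."""
    out = dict(record)
    if "customer_id" in out:
        out["customer_id"] = pseudonymize(out["customer_id"], key)
    if "email" in out:
        out["email"] = mask_email(out["email"])
    if "card_number" in out:
        out["card_number"] = mask_pan(out["card_number"])
    return out


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    sample = {
        "customer_id": "C-1001",
        "email": "alice@example.com",
        "card_number": "4111 1111 1111 1111",
        "plan": "gold",
    }
    print(mask_record(sample))
```

Because the pseudonym is keyed and deterministic, joins between masked tables still work, while re-identification requires the key; rotating the key invalidates every token at once, which is the intended behaviour when a masked dataset is retired.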
8. Data leakage prevention
This control is about applying data leakage prevention measures to the systems, networks and devices that process, store or transmit sensitive information. The revised standard focuses on identifying the channels through which data could leak, choosing suitable methods for preventing unauthorized disclosure, and assessing the risks of the technologies used to handle the data.
9. Activity monitoring
Networks, systems and applications must be monitored for anomalous behaviour so that potential information security incidents can be evaluated. Areas to watch include the use of system resources, proper code execution, inbound and outbound traffic, and the activities of administrators.
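As an added example of what "monitoring administrators' activities" looks like in practice (this is illustrative code, not part of the standard or the original page), the detector below runs three simple rules over a few constructed syslog-style lines: repeated failed logins from one source, privileged commands run outside assumed business hours, and reads of a sensitive file. The log format, thresholds and business hours are assumptions.

```python
"""Minimal activity-monitoring rules over constructed syslog-style lines (example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not captured from a real system.
# Assumed format: ISO timestamp, host, process, message.
SAMPLE_LOGS = """\
2024-03-04T02:13:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2
2024-03-04T02:13:07 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5002 ssh2
2024-03-04T02:13:09 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5003 ssh2
2024-03-04T02:13:11 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5004 ssh2
2024-03-04T02:13:13 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5005 ssh2
2024-03-04T02:15:40 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
2024-03-04T10:02:11 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-04T10:05:00 web01 sshd[1340]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?):\s+(.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

FAILED_THRESHOLD = 5            # ASSUMPTION: alert on the 5th failure from one source
BUSINESS_HOURS = range(8, 19)   # ASSUMPTION: 08:00-18:59 local time
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers")  # ASSUMPTION: illustrative list


def parse(line: str):
    """Split one line into its fields; return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "msg": msg}


def detect(log_text: str) -> list:
    """Apply the three rules in order and return alerts as dicts."""
    alerts = []
    failed_by_source = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue

        # Rule 1: brute-force guessing, counted per source address.
        m = FAILED_RE.search(ev["msg"])
        if m:
            user, src = m.groups()
            failed_by_source[src] += 1
            if failed_by_source[src] == FAILED_THRESHOLD:
                alerts.append({"rule": "brute_force", "source": src, "user": user, "ts": ev["ts"]})
            continue

        # Rules 2 and 3 apply to privileged (sudo) commands only.
        m = SUDO_RE.match(ev["msg"]) if ev["proc"] == "sudo" else None
        if m:
            actor, target, command = m.groups()
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"rule": "after_hours_admin", "user": actor, "as": target,
                               "command": command, "ts": ev["ts"]})
            if any(p in command for p in SENSITIVE_PATHS):
                alerts.append({"rule": "sensitive_file_access", "user": actor,
                               "command": command, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The business-hours rule is deliberately crude; in a real deployment it would be scoped per role and per host so that on-call administrators do not generate constant noise, and the alerts would be forwarded to the incident-handling process rather than printed.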
10. Web filtering
This control is meant to protect IT systems by managing the external websites that the organization's users may access. The aim is to reduce exposure to malicious content: the organization decides which categories of sites are permitted, blocks known-malicious and otherwise unwanted sites, and so limits the chance of malware being downloaded or of users being led to phishing pages.
11. Secure coding
The current version of ISO 27001 emphasizes reducing the number of security vulnerabilities in software by applying secure coding principles throughout development. Using well-established, vetted components for functions such as encryption and authentication, rather than writing them from scratch, forms the core of this control. Organizations also need to define their coding principles, protect source code against tampering, and build in logging so that attacks on the software can be detected and reviewed.
Cybersecurity professionals and organizations should not hesitate to move their ISMS to the updated version of ISO 27001. There is still time, since the transition deadline for certificates issued under the 2013 edition is 31 October 2025. The ISO 27001 Lead Implementer Certification course is suited to individuals who want to help their employers make this transition.