The ISO standards get updated from time to time to cater for technological advancements. It is, therefore, not surprising that organizations are curious to know what’s in the new, updated version – ISO 27001 2022.
After many years without updates, ISO finally released a new version in October. The latest version of ISO 27001 seems long overdue for an international standard that must cover today’s complex security challenges. Organizations now have 18 to 36 months to transition from the old version.
When Does ISO 27001 2022 Go into Effect?
There’s a fairly long transition period in place. If you were assessed against the 2013 version before October 2022, you have three years to implement the new version. Because certification audits run on a three-year cycle, the next time your organization returns for a certification audit it will need to be assessed against the 2022 version.
In the meantime, a new version of Annex A is already available to work with now that the new standard is released.
What’s New in ISO 27001 2022?
Being in a business that handles sensitive data means keeping up with the latest recommendations and requirements for data security. Often, changes to best practices will develop over time. Having partners who can keep you up to date and help you understand what’s changed can keep you in compliance and keep your most sensitive information safe. In ISO 27001 2022 version, the changes can be summarized by the following differences:
Updated Content of ISO Clauses
ISO clauses are always applicable and must be implemented regardless of the type of organization or the type of data that is being handled. Changes have also been made to clauses 4 to 10, especially in clauses 4.2, 6.2, 6.3 and 8.1, with the addition of information. The terminology was updated, and some sentences and clauses were restructured.
New Annex A Controls
Unlike ISO clauses, Annex A controls are more specific and can be applied in a more flexible way, as they relate (or don’t) to the organization’s scope. With this new version, the biggest change is a reduction in the number of Annex A controls: the 2013 version had 114, and the 2022 version has 93. The 2022 version has fewer controls, but not less coverage, because unnecessary and redundant controls have been combined and/or eliminated.
The controls haven’t been altogether removed. Rather, 24 controls have been merged, 11 new controls have been introduced, and 58 have been updated. The new controls are as follows:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
For example, your team may need to spend more time on the first control during this transition period. The ‘threat intelligence’ requirement is different from previous versions and even other cybersecurity frameworks because it demands specific identification of threats. Rather than a general discussion of threats in the risk assessment phase, the 2022 version pushes information security teams one step further. Putting a mature process in place for identifying new threats and specifying threats that need to be mitigated is part of a stronger, more proactive threat intelligence process.
These new ISO controls should be the focus for organizations’ compliance efforts during the transition period. Your team should get familiar with them, decide if they are applicable, and then understand what needs to be done in order to implement the new controls.
Reorganized Annex A Controls
To make auditing and compliance easier, the new version divides the 93 controls into four categories, in place of the previous 14 clauses. These categories are organized around four themes:
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
New Standards for Cloud Services
In comparison to 2013, the use of cloud services is much more ubiquitous today. Because of this, ISO has modified control 5.23 in order to apply specifically to cloud technologies. This risk-reduction measure is intended to regulate the administration and use of cloud services like AWS, Azure, and GCP. Confidentiality, integrity, and availability are all covered under this control.
What Should You do to Prepare for ISO 27001 2022?
First, your team should review the new controls. Then, you will have to determine whether they are applicable given your organization’s scope. To determine applicability, use the same perspective you applied when originally drafting the scope of the ISMS. Applying that certification scope within your organization makes it possible to assess the applicability of the new controls. Then, your team can plan the next steps needed to implement the changes.
Best Practices for ISO Statements of Applicability
Many consider the Statement of Applicability (SoA) the most onerous part of certification. However, this document is an important part of the assurances you give your auditors and other interested parties, and it conveys the depth and breadth of your information security management system (ISMS). It is also often used to identify controls that you need for other reasons, such as contracts and legislation that applies to your firm.
With the release of ISO 27001 2022, the Statement of Applicability (SoA) should refer to the controls in Annex A of ISO 27001:2013. By changing the format of this part of ISO 27001 to emphasize the four parts of the requirement, the authors make it clearer what is required. While the process of cataloging everything can be difficult, having everything neatly in place means an information security system that is easier to implement and more likely to keep you in compliance.
Until the new version of ISO 27001 is released, your SoA (Statement of Applicability) must still refer to Annex A of ISO 27001:2013, and the controls in ISO 27002:2022 will be an alternative control set that you must compare to the existing Annex A.
Adding Information to Your Asset Inventory
ISO 27001 treats information as assets and the updated language stresses the importance of safeguarding them.
It only makes sense to treat information as an asset and to safeguard it appropriately. The loss of sensitive data can be even more devastating to your business than the loss of physical assets. Data loss can lead to huge financial losses, liability and even irreparable harm to your reputation. During inventory, it is vital to assess how important a piece of information is, what risks are associated with it, and who is in charge of safeguarding that asset.
The reason for this categorization is to properly assess your risk. After all, if you have not accurately assessed vulnerabilities relating to information assets, you are at risk of failing to properly safeguard that information. Taking on an asset inventory as part of your certification helps you ensure that you’ve covered every base.
How Has ISO 27001 Changed Over the Years?
The International Organization for Standardization (ISO) develops and publishes proprietary, industrial, and commercial standards. ISO has become a household name in security compliance for information management systems. One such information security management standard is ISO 27001.
ISO 27001, as it is now known, has existed since the early ’90s under the name ISO/IEC 17799. This developed into the ISO/IEC 27001:2005 Information Security Management System (ISMS) specification. This later version comprises policies and procedures, including physical, legal and technical controls, that help companies carry out information and risk management.
The last major change to the ISO standard dates back to 2017. There were actually only a few very minor changes between the two versions. One was simply a name change to reflect a regional update: ISO 27001 was adopted as a standard at the EU level in 2017, which led to the inclusion of the letters “EN” in “BS EN ISO/IEC 27001:2017.”
There were also two very minor changes to the wording regarding some of the controls in Annex A. The first applies to the assets. In the 2013 version, entities are called on to create an inventory of assets that have to do with information. In 2017, information itself is specifically named as an asset. As a result, there was a call to specifically inventory information.
The other change was strictly aesthetic. In the 2013 version, the items that go on the Statement of Applicability are presented as a list. In the 2017 version, they are presented as a series of four bulleted points. The four items on the list remained, however, unchanged. They are:
- the necessary controls;
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
In both cases, it appears that the changes were made specifically for emphasis. They did not introduce any new requirements or practices. Rather, they called for closer attention to requirements that already exist.
At least once every five years, all ISO standards are reviewed. This is a necessary part of keeping the information management standards up to date with the constantly evolving cyber threat landscape. Ongoing improvement of the framework is important for outlining the current best practices for protecting data. Though ISO 27001 was revised in 2013, 2017, and 2019, the changes were so minor that the 2013 version is still what guides compliance teams. Because of this, it’s safe to argue that the ISO standard needed revision, given the advances in technology that have occurred over all these years.
What Happens When ISO 27001 2013 Expires?
At this point, organizations still have enough time to ensure a smooth transition to the new standard; during this period, interested organizations should take the ISO/IEC 27001 training course and the transition training course to get certified. After the transition period, ISO 27001 certificates issued under the 2013 revision will be withdrawn and considered expired, irrespective of the certificate’s listed expiry date.
How Does the New Version Affect Current ISO Certifications?
ISO 27001 certification has a three-year validity, and the old version of the standard will be valid until it expires. If your organization is currently certified to ISO 27001:2013, you must upgrade to ISO 27001 2022 before the next surveillance or recertification audit you have scheduled. Depending on the scope of your ISMS, your organization could be required to implement new controls. Those controls must be implemented, enforced via policies and procedures, and tested prior to your audit.
Even the controls that haven’t really changed will require considerable organizational modifications, since the ISO 27002 security controls have been combined and renumbered. To reflect the changes, you’ll need to rename your old documents and create an updated Statement of Applicability.
Although there is a three-year transition period allowing certified organizations to revise their management system in compliance with the new version, it’s not recommended that your organization delay updating.
Guidance for ISO Certification & Risk Assessment – Without the Anxiety
Is ISO 27001 certification right for your organization? We can help you understand the benefits, as well as the requirements for certification. Get in touch with I.S. Partners, LLC for a consultation.