In today’s digital world, organisations face a growing number of threats to their information assets. From cyber-attacks to data breaches, organisations need to implement effective security measures to protect their data and systems. One of the most widely recognised Standards for information security management is ISO 27001. In this blog post, we will discuss the latest version of this Standard, ISO 27001:2022.
What is ISO 27001?
ISO 27001 is an international Standard that outlines the requirements for an information security management system (ISMS). It provides a framework for implementing and managing security controls to protect information assets. The Standard is designed to apply to all types of organisations, regardless of their size or sector.
The previous iteration of the Standard was released in 2013. Since then, there have been significant advancements in technology and changes in the threat landscape, prompting a revision of the Standard. ISO 27001:2022 has been updated to reflect these changes and provide a more comprehensive approach to information security.
What’s new in ISO 27001:2022?
ISO 27001:2022 has several new features and updates that organisations should be aware of. These include:
Risk-based approach: The Standard now places greater emphasis on risk management. Organisations are required to identify, assess, and treat risks to their information assets based on their likelihood and potential impact.
Context of the organisation: The new version of the Standard has enhanced focus on requiring organisations to consider the context in which they operate when implementing their ISMS. This includes understanding their internal and external environment, as well as the needs and expectations of their stakeholders.
Information security roles and responsibilities: The Standard now places greater emphasis on defining and communicating information security roles and responsibilities within the organisation.
Integration with other management systems: The Standard is now aligned with other management system Standards, such as ISO 9001 and ISO 14001. This makes it easier for organisations to integrate their ISMS with their overall business processes.
Security controls: The Standard includes an expanded list of security controls that organisations can use to protect their information assets, including controls related to cloud computing, mobile devices, and supply chain security. These controls are detailed in Annex A of the Standard, with further implementation guidance available in ISO 27002:2022.
The following changes have been made to Annex A:
- The number of controls has decreased from 114 to 93.
- The controls are placed into 4 sections, instead of the previous 14.
- There are 11 new controls, while none of the controls were deleted. The new controls are:
  - A.5.7 Threat intelligence
  - A.5.23 Information security for use of cloud services
  - A.5.30 ICT readiness for business continuity
  - A.7.4 Physical security monitoring
  - A.8.9 Configuration management
  - A.8.10 Information deletion
  - A.8.11 Data masking
  - A.8.11 Data leakage prevention
  - A.8.12 Monitoring activities
  - A.8.23 Web filtering
  - A.8.28 Secure coding
- There are 57 merged controls and 1 split control.
- There are 23 renamed controls.
- There are 35 controls that remain unchanged from the 2013 version.
Transitioning from the 2013 version of the Standard:
As with all management system Standards produced by ISO, there is a three-year transition period to upgrade to the new version, which begins from the date of publication of the new version of the Standard. As the new version was published in October 2022, organisations certified to the 2013 version must transition to the 2022 version by 31st October 2025.