ISO 27001:2022 – Key Changes
The latest iteration of ISO 27001, released in 2022, brings subtle but important changes to better align with other ISO management standards. While the number of clauses remains the same as in the ISO 27001:2013 version, several updates have been made to improve clarity and enhance process planning and monitoring. Below, we break down the key revisions from Clauses 4-10.
Clause 4.2 – Understanding the Needs and Expectations of Interested Parties
A new subclause has been added that requires organizations to determine which requirements of stakeholders will be addressed through their ISMS. This enhances the focus on tailoring security measures to meet the needs of specific interested parties.
Clause 4.4 – Information Security Management System (ISMS)
New language has been introduced, emphasizing that organizations must not only identify processes specifically mentioned in the standard but also those that interact with or support the ISMS. This ensures a more comprehensive inclusion of processes within the security framework.
Clause 6.2 – Information Security Objectives and Planning to Achieve Them
The updated clause provides more detailed guidance on setting and documenting information security objectives. It stresses the importance of regularly monitoring these objectives to ensure they are being met and adjusted as necessary.
Clause 6.3 – Planning of Changes
This new clause establishes standards for planning changes to the ISMS. It requires organizations to thoroughly plan and assess the impact of any changes to ensure security measures are not compromised.
Clause 8.1 – Operational Planning and Control
Further guidance is provided for operational planning and control. Organizations now need to define criteria for actions identified in Clause 6 and ensure that these actions are managed according to the defined criteria.
Additional Minor Clause Changes:
– Clause 5.3 – Roles, Responsibilities, and Authorities: Minor adjustments clarify that roles related to information security should be communicated internally to ensure clarity within the organization.
– Clause 7.4 – Communication: Subclauses related to communication processes have been streamlined, with subclauses d (who communicates) and e (the communication process) being merged into one under “how to communicate.”
– Clause 9.2 – Internal Audit: The content of Clause 9.2 has been consolidated, combining the previously separate sections into one unified clause for improved clarity.
– Clause 9.3 – Management Review: A new element has been added, requiring organizations to assess how changes in stakeholder expectations influence the ISMS. For example, if an organization’s strategic direction shifts, such as preparing for an IPO, this must be factored into security considerations.
– Clause 10 – Improvement: This clause has been restructured to place “Continual Improvement” (10.1) at the forefront, followed by “Nonconformity and Corrective Action” (10.2).
A notable shift in ISO 27001:2022 is the reorganization of Annex A controls. The number of controls has been reduced, and the grouping has shifted from the original 14 domains to four primary categories:
– People Controls (8 controls)
– Organizational Controls (37 controls)
– Technological Controls (34 controls)
– Physical Controls (14 controls)
This revised structure simplifies the categorization of controls and ensures that the language used is accessible to both IT professionals and organizational management. Businesses seeking certification under ISO 27001:2022 will need to update their Statement of Applicability (SoA) to align with the new control framework.
New Controls in ISO 27001:2022 Annex A
The biggest update within Annex A is the addition of 11 new controls, which address modern security challenges. Organizations certified under ISO 27001:2013 will need to assess their current processes and implement new measures to meet these requirements.
Key new controls include:
– A.5.7 Threat Intelligence: Organizations are required to gather and analyze threat information proactively to mitigate risks.
– A.5.23 Information Security for Cloud Services: A control focused on securing cloud environments by establishing and enforcing cloud-specific security standards.
– A.5.30 ICT Readiness for Business Continuity: Ensures that information and communication technologies can be recovered and functional during disruptions.
– A.7.4 Physical Security Monitoring: Requires monitoring of sensitive physical locations like data centers to detect unauthorized access.
– A.8.9 Configuration Management: Requires organizations to manage the security of their technological configurations and prevent unauthorized changes.
– A.8.10 Information Deletion: Specifies that organizations must delete data when it’s no longer needed, protecting against data breaches and ensuring privacy compliance.
– A.8.11 Data Masking: Implements masking of sensitive data as part of access control policies.
– A.8.12 Data Leakage Prevention: Requires measures to prevent the unauthorized transfer of sensitive data.
– A.8.16 Monitoring Activities: Calls for systems to be monitored for unusual activity and includes requirements for an appropriate incident response plan.
– A.8.23 Web Filtering: Ensures organizations manage access to potentially harmful websites to protect IT infrastructure.
– A.8.28 Secure Coding: Establishes secure coding practices to reduce vulnerabilities during the software development process.
Conclusion
The updates in ISO 27001:2022 reflect the evolving nature of cybersecurity threats and the growing need for robust, proactive risk management practices. For organizations seeking compliance, understanding and adapting to these new clauses and controls is crucial. Whether it’s ensuring cloud security or implementing better threat intelligence systems, the revisions place a strong emphasis on continuous improvement and adaptability in the face of emerging risks.
Stay ahead of the curve by updating your ISMS to align with these new standards, and ensure your organization is prepared for the future of information security.
For more cybersecurity-related content, follow Cyber Point Solution on YouTube.