ISO 27001 is the international information security standard that helps organizations of any type or size manage security. It provides a management framework for implementing an ISMS (information security management system) and thereby protecting the confidentiality, integrity and availability of all the data an organization handles, since it guides the implementation of controls that ensure information is monitored and protected (ISO, n.d.).
The standard has been updated several times since its first version was published in 2005. However, the idea of a standard that evaluated organizations against defined security criteria had already been considered in 1995, in the United Kingdom, with the British Standard 7799, written by the Department of Trade and Industry (DTI); from there, specific ISMS standards were developed, which later became ISO 27001 (ISO 27000 Directory, n.d.).
After the 2005 version, the version in use has been the 2013 edition, which received only minor updates in 2014, 2015 and 2017. The latest revision introduces significant changes, which are detailed below.
The ISO 27001:2022 version was released on October 25, 2022, replacing the 2013 version. The changes in this version mainly affect Annex A and certain clauses of the ISMS requirements.
SIGNIFICANT CHANGES IN ISO 27001 2022
CHANGES TO THE MAIN PART OF THE STANDARD
The following clauses were adjusted to specify certain additions to the management system (Kosutic, 2022):
4.2 (c) Understanding the needs and expectations of interested parties – the requirements of interested parties must be identified, and it must be determined which of them will be addressed through the ISMS.
4.4 Information security management system – the planning of the ISMS processes and their interactions was added as part of the system.
5.3 Organizational roles, responsibilities and authorities – it is now specified that roles are communicated within the organization.
6.2 Information security objectives and planning to achieve them – subsection (d) was added, requiring that the objectives be monitored.
6.3 Planning of changes – a new clause specifying that any changes to the ISMS must be carried out in a planned manner, and that this planning must be demonstrable.
7.4 Communication – subsection (e), which required processes for communication, was removed.
8.1 Operational planning and control – it was added that criteria must be established for the security processes and that controls must be implemented in accordance with those criteria. The requirement to implement plans for achieving the objectives was removed.
9.3 Management review – element 9.3.2 (c) was added, stating that the inputs to the review must include changes in the needs and expectations of interested parties.
10 Improvement – the sub-clauses have only swapped places: Continual improvement (10.1) now comes first, followed by Nonconformity and corrective action (10.2).
CHANGES TO ANNEX A
As mentioned above, the changes to Annex A include the following:
New sections: the previous version of the standard had 14 sections; the new one has only 4 (IT Governance Ltd, 2022):
A.5 Organizational controls (37 controls)
A.6 People controls (8 controls)
A.7 Physical controls (14 controls)
A.8 Technology controls (34 controls)
New controls: 11 new controls were added (Kosutic, 2022):
A.5.7 Threat intelligence
A.5.23 Information security for the use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
Merged and split controls: 57 controls were merged into 24, and 1 control was split:
Technical compliance review (18.2.3) was divided into:
- Compliance with policies, rules and standards for information security (5.36);
- Management of technical vulnerabilities (8.8).
Renamed controls: 23 controls were renamed for clarity.
Unchanged controls: 35 controls remain unchanged in their structure.
USE OF ATTRIBUTES
The concept of attributes was introduced. Attributes are useful for filtering and grouping controls, which in turn helps organizations understand their security posture and adopt best practices (IT Governance Ltd, 2022):
Type of control (preventive, detective, corrective)
Information security properties (confidentiality, integrity, availability)
Cybersecurity concepts (identify, protect, detect, respond, recover)
Operational capabilities (governance, asset management, etc.)
Security domains (governance and ecosystem, protection, defense, resilience)
WHAT IS THE CERTIFICATION PROCESS NOW?
Organizations seeking certification against ISO 27001:2013 have until April 2024 to complete that certification. Organizations that already hold an ISO 27001 certification will have until October 2025 to complete the transition; however, on November 1, 2025, all ISO 27001:2013 certificates will be considered expired, regardless of the expiry date printed on them.
This means that organizations still planning to be certified against the 2013 version will need to take into account the window between April 2024 and October 2025, during which they will have to switch to the 2022 version (McGladrey, 2022).
For organizations already certified against the 2013 version, the transition is only a moderate change: a gap assessment identifies the differences, mostly in Annex A with the new controls, and work can start on closing them. Once this has been done, it is recommended to carry out an internal audit and then proceed to the certification audit for the new version of the standard.
Implementing this standard helps create greater awareness and understanding of information security, while providing greater control over the Information Security Management System (ISMS) and everything it involves (policies, asset register, procedures, risk management, compliance, etc.).
Junior Security Engineer
ISO 27000 Directory. (n.d.). A short history of the ISO 27000 standards. Retrieved from https://www.27000.org/thepast.htm
ISO. (n.d.). ISO/IEC 27001 and related standards: Information security management. Retrieved from https://www.iso.org/isoiec-27001-information-security.html
IT Governance Ltd. (2022, October). ISO 27001 and ISO 27002: 2022 updates. Retrieved from https://www.itgovernance.co.uk/iso27001-and-iso27002-2022-updates
Kosutic, D. (2022, October 25). ISO 27001 2013 vs. 2022 revision – What has changed? 27001Academy. Retrieved from https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
McGladrey, K. (2022, December 22). How to upgrade your security program from ISO 27001:2013 to ISO 27001:2022. Hyperproof. Retrieved from https://hyperproof.io/resource/upgrade-iso-270012013-iso-270012022/