In October 2022, a new and improved version of ISO 27001 was published to address evolving cybersecurity challenges and improve digital trust.
ISO 27001 is an international standard, published by the International Organisation for Standardisation (ISO), that outlines best practices for developing and maintaining an ISMS (Information Security Management System). ISO 27001's best-practice approach helps organisations manage their information security by addressing processes, people, and technology.
Organisations of all sizes and types collect, create, store, dispose of, transmit and process information in many forms. Aligning with this standard allows for the secure exchange of information, manages and minimises your organisation’s risk exposure, keeps confidential and sensitive information secure, and builds a culture of security within your organisation.
What’s changing in ISO 27001?
Overall, when compared to the 2013 version, the changes in ISO 27001:2022 are moderate. The main updates in ISO/IEC 27001:2022 are a major change to Annex A, a change in the title of the standard and a minor update of the clauses.
Unlike ISO/IEC 27001:2013, the new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.
In clauses 4 to 10, especially in clauses 8.1, 4.2, 6.2 and 6.3, new content has been added. Other changes include minor updates in the restructuring and terminology of clauses and sentences.
What are the main control changes in Annex A?
Annex A of ISO/IEC 27001:2022 contains changes in the number of controls and in how they are grouped. The title of this annex has changed from “Reference control objectives and controls” to “Information security controls reference”.
The number of Annex A controls has decreased from 114 to 93. These controls have been grouped into four control groups:
- A.5 Organisational controls – contains 37 controls
- A.6 People controls – contains 8 controls
- A.7 Physical controls – contains 14 controls
- A.8 Technological controls – contains 34 controls
The decrease in the number of controls has mainly come from merging many of them: 35 controls have remained the same, 57 controls were merged into 24 controls, 23 controls were renamed, and 11 new controls have been added.
New controls are:
- Web filtering
- Threat intelligence
- Secure coding
- Monitoring activities
- Data masking
- Configuration management
- Data leakage prevention
- Physical security monitoring
- Information security for the use of cloud services
- ICT readiness for business continuity
- Information deletion
ISO 27001:2022 – Getting certified or re-certified
Organisations that are already certified against ISO 27001:2013 need to transition to ISO 27001:2022 by October 31, 2025.
Organisations that have already implemented ISO 27001:2022 but are facing a registrar that has not yet transitioned to the 2022 version can get certified to ISO 27001:2013 with just a modified Statement of Applicability showing the ISO 27001:2013 controls, and can then transition to ISO 27001:2022 by October 31, 2025.
Certification bodies can start certifying organisations against ISO 27001:2022 by October 31, 2023.
Organisations that have not yet been certified can complete their implementation based on ISO 27001:2013 and become certified until October 31, 2023. They will then have two years to complete the transition to ISO 27001:2022.
Need help with implementation?
Tivarri provides a comprehensive range of services that help businesses achieve ISO 27001 certification seamlessly, meet insurers’ IT requirements and keep their businesses safe from cyberattacks. Our services include:
- advice on how to scope and implement an information security management system (ISMS) that meets the standard’s requirements,
- guidance with the development of policies and procedures,
- training for your staff in information security management,
- and guidance in auditing and certification.
Book a free, non-binding consultation and get started on the ISO 27001 compliance process today.