Understanding ISO 27001:2022 and Its Implications for Your Organisation

A new version of ISO 27001 was published this week, introducing several significant changes in the way organisations are expected to manage information security.

The Standard was last revised almost a decade ago (although a new iteration of the supplementary standard ISO 27002 was published in February 2022), meaning that the release of ISO 27001:2022 has been much needed and highly anticipated.

What’s changing?

The good news for organisations is that ISO 27001:2022 doesn’t drastically overhaul their compliance requirements. There are new requirements on planned changes and how your organisation should deal with them, as well as a greater focus on how you must deal with the needs and expectations of interested parties.

Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives.

It also aligns its terminology with that used across other ISO management system standards.

Another notable aspect of its terminology is that ISO 27002:2022 no longer refers to itself as a “code of practice”. This better reflects its purpose as a reference set of information security controls.

However, the most significant changes with the 2022 version of ISO 27002 are in its structure. It is no longer divided into 14 control categories, and is instead split into four ‘themes’: organisational, people, physical and technological.

Meanwhile, although the 2022 version of ISO 27002 is significantly longer than its predecessor, the total number of controls has decreased from 114 to 93.

This is because many of its controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new requirements have been added. These are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The new and amended controls are also categorised according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.

This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.

How will this affect organisations implementing ISO 27001?

The introduction of ISO 27001:2022 won’t have an immediate effect on organisations that are currently certified to ISO 27001:2013 or are in the process of achieving certification.

For the time being, organisations should continue to follow the 2013 version of the Standard. This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, while the 2022 version of the Standard should be used only as a reference.

Indeed, the reason that the updated version is being published now is to give organisations time to familiarise themselves with the new controls before embarking on an implementation project.

The controls listed in ISO 27002:2022 can be considered an alternative control set that you will have to compare with the existing Annex A – just as you would with any other alternative control set.

ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.

What next?

There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.

However, it’s never wise to put off the planning process until the last minute. Implementation will take several months, and it’s worth knowing what’s expected of you as soon as possible.

You can begin by reading the Standard for yourself. You can purchase a digital copy of ISO 27001:2022 from our website, and we recommend comparing the updated version to the 2013 edition and your current compliance practices to determine what adjustments you’ll have to make.

If you’re unsure how to proceed, our team of experts are here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.

Speak to one of our experts for more information on how we can support you.