ISO/IEC 27001 2022 was finalized in October 2022 and highly anticipated changes to the popular 2013 standard are now published. The nine-year anticipation of the changes was probably more painful than complying with the new standard. Today, the barrier between IT and Operations has disappeared. The new edition of ISO/IEC 27001 2022 considers this challenge and is data / cloud centric, versus the 2013 monolithic IT operational models. The days of file cabinets and onsite servers or moreover onsite workforce has changed since the 2013 version and the 2022 version aligns with digital and cloud native services lifecycles.
Some highlights of the changes
- Controls decreased from 114 to 9
- Controls are now in 4 sections compared to 14 previously
- 11 new controls and many where merged or changed
Highlight of some changes in clauses 4 – 11
- In clause 4.2 – Interested parties and determining what needs to be in your ISMS
- In clause 4.4 – ISMS
- In clause 5.3 – Organizational roles communicated internally
- In clause 6.2 – Information security objectives monitoring.
- In clause 6.3 – Change management
- In clause 7.4 – Communications
- In clause 8.1 – Operational planning and control for security processes
- In clause 9.3 – Management review of interested parties’ interest in ISMS
- In clause 10 – Continual improvement is now (10.1), and Corrective actions 10.2
Annex A control changes “Control chapters”
5. Organizational (37 controls)
6. People (8 controls)
7. Physical (14 controls)
8. Technological (34 controls)
New security controls
- A.5.7 Threat intelligence
- A.5.16 Identity management
- A.5.23 Information security for use of cloud services
- A.5.29 Information security during disruption
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
This latest version of the standard addresses operational controls as most organizations are now cloud native or utilize SAAS partners. The annex changes address the security concerns about the shared responsibility model of the cloud. Organizations often neglect their responsibilities in cloud security such as IAM, data governance and retention, and threat intelligence in their cloud environments.
In the mandatory clause one of the significant changes are around interested parties to your ISMS and management oversight and approval of them in the ISMS. Not all interested parties are relevant for the ISMS which is why clause 9.3 now requires management to review interested parties for relevance. Internal and external parties need to be considered. Clause 5.3 communicating roles internally can be related to clause 4.2 interested parties of employees clearly knowing everyone’s role and responsibility to ensure an effective ISMS.
Timing for certifying to the ISO 270012022 standard, according to The International Accreditation Forum (IAF) certifications bodies have until October 31 of 2025 to transition all certifications to the new standard. Certification bodies must start certifying to the new standard by October 31, 2023. If you are currently in your three-year certification, you should speak with your certification party on their plan to incorporate the changes in your surveillance audits. You will see your enterprise level suppliers certifying to the new standard rapidly.
To prepare you current 2013 standard to transition to the standard should not be overly onerous. Most mature ISMS are continuously improving and maturing their controls during the lifecycle of their certifications and may be compliant with many of the new controls. Your policies will need to be updated to account for the control changes, taxonomy changes and controls that have merged. You will need to incorporate all the new controls and changes to the clauses to your ISMS and Statement of Applicability. As with any new compliance effort, you need to do an internal or external audit to evaluate your control effectiveness against the new standard. Your internal audit plans, compliance activities will need to be adjusted also to the new controls, unless they are already in scope.
Good luck with your 2022 standard journey and if you do have the internal expertise, make sure to consult with a trusted partner.