Sekuro has an extensive and proven track record in establishing and operating useful (i.e., non-shelfware) Information Security Management Systems (ISMS) certified to the internationally recognised ISO 27001 standard. All our ISMSs are tailored to our client’s requirements, constraints and maturity levels.
ISO 27002:2022 was published on February 15, 2022, and ISO 27001:2022 in October, 2022. This article discusses the changes within the 2022 versions of these two standards.
Summary of changes between ISO 27001:2013 and ISO 27001:2022
-
- ISO 27001:2013 Clauses 4 to 10 remain the same with minor wording updates for clarification purposes.
- The security controls contained in Annex A have been updated (the number of controls decreased from 114 to 93).
- Controls are now grouped in 4 main domains (instead of the previous 14) and are tagged for easier reference and use.
- 11 new controls have been introduced, whilst none of the controls was deleted, many controls were merged together, thereby reducing the overall number. The 11 controls now include:
-
- Physical security monitoring
- Threat intelligence
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Information security for use of cloud services
- Web filtering
- Secure coding
- ICT readiness for business continuity
Schedules of Changes:
iso 27002 Revision:
The revision to ISO 27002 Information Security, Cyber Security and Privacy Protection – Information Security Controls containing the security control guidance (referred in ISO 27001 Annex A) was published on February 15, 2022.
ISO 27001 Amendment:
An amendment to ISO 27001, which is the main standard to which companies are certified against and stipulates the requirements for Information Security Management Systems (ISMS), is expected to be published later in 2022. The exact date has not been announced yet. A draft amendment replacing the Annex A controls (ISO 27002:2022) was made available in February 2022. Amendments to ISO 27001 should be a formality as the same content has been approved under the publication of ISO 27002.
ISO 27001/27002 Major Revision Update:
ISO/IEC 27001:2013 was last updated in 2013 to comply with Annex L (a.k.a. Annex SL), a structure common to all recent management system standards and which allows better synergies when implementing more than one management system (i.e. QMS+ISMS+EMS as it is often seen). The Annex L structure has been widely adopted, and that could explain why the focus of the 2022 version is not on the ISO 27001 clauses, but rather on Annex A and associated ISO 27002.
ISO 27002 still carried forward a lot of control from the 2005 revision but included a much-needed uplift to fulfil its role as a guide for the implementation of ISO 27001 Annex A controls. This was particularly important as both the way we handle information and the pace of that change has shifted quickly in the 8 years since it was last reviewed.
Impact Of ISO 27001 Revision:
- The re-organisation of Annex A controls may look like a formality to some, but it will change the way organisations who made “hard links” to the previous 14 domain areas look at their controls. The change makes it easy for future evolutions, with 93 controls divided into 4 sections and legacy domains no longer a source of contention.
- The Statement of Applicability (SoA)’s and the common control framework mappings (for the more mature organisations which do have Common Control Framework, known as CCF) will need to be updated to address the additions and updates and remove some of the legacy domains.
- The addition of new controls, updates and merging of controls reflect the current security practices such as threat intelligence, cloud, data masking, web filtering, secure coding, and Data Loss Protection (DLP).
- ISO 27002 makes very few references to the term “Information Assets” which was the commonly adopted term for all types of assets holding value (i.e. assets which must be protected). Instead, it uses the concept of primary assets and supporting assets and often refers to associated assets. As passionate GRC professionals, whilst this departure from the term “Information Asset” can be understood, we also expect a lot of confusion on this. The many organisations which used the term “Information Assets” in their governance framework will need to consider how it impacts them should they choose to change.
The often-misused-and-misunderstood Inventory and Ownership of Assets clauses (formerly A.8.1.1 ad A.8.1.2) have been updated to in-effect mandate an inventory of “information and associated assets”, which means that organisations who have not yet done data flows or a data mapping exercise should consider it as soon as practical. Though many organisations have done a data mapping exercise through their privacy compliance work, that mapping may have been selective to PII and may not meet the intent of Control 5.9 “Inventory of information and other associated assets”.
Speak to us today if you think you may have exposure there.
Adoption Timeline:
- Despite the changes set out within the ISO 27002:2022 revision, there will be a transition period of 3 years for currently certified companies, as it is the norm with any ISO standard. This period will only start after ISO 27001 is officially updated and published.
- Companies can nonetheless leverage the published ISO 27002 standard and proactively adopt the new standard.
ISO 27002:2022 Control Structure
Here what's changed in ISO 27002:2022/ ISO 27001 Annex A:
-
- 35 controls remained the same with change in control number and realigned to the 4 sections;
- 11 new controls were added;
- 23 controls have been renamed to make them easier to understand
- Even thought the number of controls have been reduced (from 114 to 93 ); no controls are excluded;
- 57 controls have been merged into 24 controls;
- Only one control was split; Control 18.2.3 Technical Compliance Review was split into:
- 5.3.6 – Compliance with policies, rules and standards for information security;
- 8.8 – Management of technical vulnerabilities
The following table presents the new ISO 27001 Annex A control sections with the most significant controls additions or updates highlighted.
| Organisational Controls: 37 Controls | People Controls: 8 Controls | Physical Controls: 14 Controls | Technological Controls: 34 Controls |
|---|---|---|---|
| Policies for information security | Screening | Physical security perimeters | User endpoint devices (updated) |
| Segregation of duties | Information security awareness, education and training | Securing offices, rooms and facilities | Information access restriction |
| Management responsibilities | Disciplinary process | Physical security monitoring (new) | Access to source code |
| Contact with authorities | Responsibilities after termination or change of employment | Protecting against physical and environmental threats | Secure authentication |
| Contact with special interest groups | Confidentiality or non-disclosure agreements | Working in secure areas | Capacity management |
| Threat intelligence (new) | Remote working | Clear desk and clear screen | Protection against malware |
| Information security in project management | Information security event reporting | Equipment siting and protection | Management of technical vulnerabilities. |
| Inventory of information and other associated assets | Security of assets off-premises | Configuration management (new) |
|
| Acceptable use of information and other associated assets | Storage media | Information deletion (new) | |
| Return of assets | Supporting utilities | Data masking (new) | |
| Classification of information | Cabling security | Data leakage prevention (new) | |
| Labelling of information | Equipment maintenance | Information backup | |
| Information transfer | Secure disposal or re-use of equipment | Redundancy of information processing facilities | |
| Access control | Logging | ||
| Identity management | Monitoring activities (new) | ||
| Authentication information | Clock synchronisation | ||
| Access rights | Use of privileged utility programs | ||
| Information security in supplier relationships | Installation of software on operational systems | ||
| Addressing information security within supplier agreements | Networks security | ||
| Managing information security in the ICT supply chain | Security of network services | ||
| Monitoring, review and change management of supplier services | Segregation of networks | ||
| Information security for use of cloud services (new) | Web filtering (new) | ||
| Information security incident management planning and preparation | Use of cryptography | ||
| Assessment and decision on information security events | Secure development life cycle | ||
| Response to information security incidents | Application security requirements | ||
| Learning from information security incidents | Secure system architecture and engineering principles | ||
| Collection of evidence | Secure coding (New) | ||
| Information security during disruption | Security testing in development and acceptance | ||
| ICT readiness for business continuity (new) | Outsourced development |
||
| Legal, statutory, regulatory, and contractual requirements | Separation of development, test and production environments | ||
| Intellectual property rights | Change management | ||
| Protection of records | Test information | ||
| Privacy and protection of PII | Protection of information systems during audit testing | ||
| Independent review of information security | |||
| Compliance with policies, rules and standards for information security | |||
| Documented operating procedures |
Next Steps:
The following steps are to be followed to meet the revised version:
- Companies should review their risk register and the applied risk treatments to ensure alignment with the revised standard
- Update the Statement of Applicability (SoA) to align with the updated Annex A
- Review and update your documentation, including policies and procedures to meet the new controls
The transition period to the new standard will provide a new set of best practices to choose from as well as a new set of attributes to use to make control selection effective and efficient. The intent of the standard still remains the same, you still need to use a risk-based approach to select only the appropriate and right controls to suit your organisation.
Frequently Asked Questions (FAQ)
We are in early stages of our ISO 27001 establishment journey.
Should we wait for the new ISO 27001 to be published to get certified?
No. The clauses of ISO 27001 will remain the same which means the way you build and operate an ISMS remains the same. We have already started using the 2022 control in our SoAs, mapped with the legacy controls of ISO 27001:2013 Annex A, in the prevision of the transition period. Remember that certification to ISO 27001 is the engine behind your security maturity journey and not the achievement of your security achievements journey. For that reason alone, we do not recommend delaying your certification project.
We want to start ISO 27001 establishment. Should we use the new set of controls or the old ones?
How will ISO 27002:2022 and ISO 27001:2022 impact my current certification to ISO 27001:2013?
ISO 27002 updates do not impact your current certification against ISO 27001. Only ISO 27001 updates have an impact on existing certifications and the accreditation bodies will work with the certification bodies on a transition cycle which gives organisations holding an ISO 27001 certificate ample time to transition from one version to another.
How much time do I need to align my ISMS to the 2022 version of the standard?
As the new ISO 27001:2022 will be released later in 2022 and a specific date is not published yet, you will likely have at least a year to officially update to the new controls from ISO 27002:2022. As mentioned before, you can be proactive and adopt the new structure and controls earlier. Nonetheless, you will have enough time to transition.
Will the certification body check the changes in our ISMS and the documentation?
Yes, if your company is already certified, your certification body will conduct the necessary check on your ISMS and the documentation during the transition period. This transition will occur during your regular surveillance audits and a separate audit schedule is not required.
Will Sekuro help us transition to the new revision of ISO 27001?
Sekuro is an ISO 27001 and ISO 9001 certified organisation providing end-to-end cyber security services and solutions. We have a proven track record of establishing, certifying and maintaining ISMS’s for organisation of all sizes and from various industry verticals. Sekuro can help organisation transition in many ways. Some examples include:
- Update your current SoA to align with the new standard structure;
- Ascertain control applicability, keeping your scope in perspective across the new, enhanced and merged controls;
- Prepare and update your Common Control Framework (CCF) – if you have one – to ensure the new controls and structure are well integrated and aligned in the CCF, as well as enable you to efficiently meet them;
- Conduct a review across the risk and action registers as well as the risk treatments to ensure alignment to the new 2022 updates;
- Prepare and update your documentation to meet the new standard based on its applicability to your organisation;
- Assist end-to-end with remediation activities including documentation and technology solutions, where required, to continually enhance your security profile.
Author:
Prashant Haldankar
Prashant Haldankar is the Co-founder and Chief Information Security Officer (CISO) at Sekuro, a global cyber security and digital transformation company headquartered in Sydney, providing end-to-end cybersecurity and resiliency services and solutions. Prashant leads the business resilience function globally with extensive experience establishing and maintaining cyber security visions, strategies and information asset protection frameworks for enterprises.