Updating to ISO 27001:2022 – A Crucial Move for Businesses Today
Discover the critical changes, what is involved in updating to ISO 27001:2022 and act NOW to adopt the latest standards. Position your organisation as a proactive leader, boosting stakeholder confidence and increasing trust in your operations.
By Richard Nealon
What Has Changed with ISO 27001:2202?
The 27001 Standard was so well written (along with its accompanying set of 27002 controls) in its last two iterations (2005 & 2013), that it almost remained the same up until 2022. In February 2022 a new version of 27002 was launched and in October 2022 a new version of 27001.
Companies that are currently certified under the 2013 version of the standard have until 2025 to migrate to the new version of the standard. This is a mandatory migration to retain the certification. The timeframe may seem ample, but prompt action is crucial to ensure a seamless transition.
So what has changed in the new version?
Redefined ISO 27002 Controls: From 18 Domains to 4 Key Themes
The controls in 27002 have been “sorted” into four new key areas, now called Themes, instead of the old 18 “Domain” model set:
- Organisational (5.1 to 5.37)
- People (6.1 to 6.8)
- Physical & Environmental (7.1 to 7.14) and
- Technical (8.1 to 8.34)
The controls have been realigned – in many cases, they’ve been merged (where they would have spanned more than one domain in the 2013 model (e.g Storage Media which would have been covered by 08.3.1, 08.3.2, 08.3.3 and 11.2.5)). Some controls have rationalised and some newer controls (mainly addressing advances and changes in computing practices) have been introduced, namely:
- Threat Intelligence
- Security for Cloud Services,
- ICT readiness for Business Continuity,
- Physical Security Monitoring,
- Configuration Management,
- Information Deletion,
- Data Masking,
- Data Leakage Prevention,
- Monitoring activities,
- Web filtering, and
- Secure Coding.
In reality, many of these controls may have been addressed by businesses since they’ve become introduced. In some cases, the business may have already considered (1) some of these controls and found that the risk associated with not doing them falls comfortably within the organisation’s risk appetite/risk tolerance. The rationalisation, and adding of new controls has resulted in an overall reduction in the numbers of controls from 114 to 93 (but that’s only structural – nothing substantive has really been removed).
New Attributes Enhance Control Views for Effective Risk Management
The second big change has been the addition of “Attributes” (not a word I favour because it could lead to confusion with other security related meanings of the word e.g. NIST, SABSA, where attribute means something completely different). These ISO Attributes are broken down into five categories
- Control types (Preventive, Detective, Corrective)
- Information security properties (Confidentiality, Integrity, Availability)
- Cybersecurity concepts (Identify, Protect, Detect, Respond, Recover) – aligning with NIST CSF
- Operational capabilities (Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, Information security assurance) – mainly used for assignation of responsibility
- Security domains (Governance and Ecosystem, Protection, Defence, Resilience)
These attributes are really designed to give a “view” of each control and can be really useful in assessing whether controls are required, effective, and/or allocated. They can be a useful tool in the production of metrics for management, auditors & regulators, and can be used to demonstrate effective risk management. Of course, organisations are not limited to just these attributes – they can define their own as well.
That’s all really. The controls are laid out in pretty much the same way :
- Attribute table (New),
- Control Description,
- Guidance and
- Other Information
What do I need to do now?
If you’re already certified to 27001:2013, you will need to:
- Review and renumber your Statement of Applicability (SOA)
- Review your documentation (policies, procedures, artefacts) to ensure that they are aligned (numbering; control descriptions, implementation guidance; other information; new controls)
- Don’t forget the content of 27001 itself (many organisations just focus on the control annex A of the standard). There are some very subtle changes within the wording of 27001 that you’ll need to take into account (e.g. management reviews need to consider changes in needs and expectations of interested parties … This means that you’ll need to:
- have your interested parties listed e.g. staff, clients, investors, regulators, etc.
- have documentation of their needs & expectations (contracts, agreements & MOUs, SLAs, publications, laws & regulations, etc.), and
- have these considered during management review )
If you’re not already certified to 27001:2013 then now it’s a great time to certify to the new version (27001:2022) and get ahead of the competition. Cycubix have extensive experience of bringing Small & Medium Enterprises to ISO27001 certification (and keeping them certified) with minimum cost/disruption. Please reach out to us at [email protected] to discuss how we can help you to :
- implement standardised controls
- plan your migration from 27001:2013 to 27001:2022
- get certified for the first time
(1) i.e. risk assessed
About Richard Nealon
Richard Nealon is an official certified instructor for ISC2 and a seasoned Information Security and Risk Management professional with over 35 years’ experience.In his role as a vCISO with clients across a range of industries, Richard has worked with clients to enable them to manage their cyber risk. In addition to vCISO services, Cycubix offers cybersecurity consultancy services tailored to help clients secure the applications critical to their business.