
ISO 27001:2022 Update: What’s New and Why It Matters

Wesley Van Zyl

Senior Compliance Success Manager


If you’re here, chances are your organization is already ISO 27001 certified or is working toward certification, and you’ve heard about the 2022 revision. So what changed? The newest edition brings a set of changes that affect how you build, document, and audit your information security management system (ISMS).

The core of ISO 27001 remains intact, but the revisions are meant to help certified companies keep pace with newer technology and threats. The main changes are a restructured Annex A, eleven new controls, a sharper emphasis on governance and technological controls, and a handful of clarified clause requirements.

Bottom line: the name is the same, but ISO 27001:2022 has new specifics that matter, and a fixed transition deadline. We’ll break it down so you know what to expect and can plan a smooth transition.

Overview of ISO 27001

ISO 27001 is an international gold standard for managing information security. It provides a structured way for organizations to protect their sensitive data and keep it secure. The primary goal of ISO 27001 is to help organizations establish, implement, maintain, and continually improve an ISMS. 

Here are the key components of ISO 27001:

  • Risk Assessment and Treatment: Identifying risks to information security and selecting appropriate controls to mitigate them.
  • Security Policy: Establishing a clear and comprehensive information security policy.
  • Asset Management: Managing information assets, including data classification and handling.
  • Access Control: Implementing measures to control access to information.
  • Incident Management: Developing processes for reporting, managing, and recovering from information security incidents.

To get ISO 27001 certified, your organization needs to go through an audit by an accredited certification body. The initial certification audit has two stages:

  1. Stage 1 Audit: A readiness review of your ISMS documentation (scope, risk assessment and treatment, Statement of Applicability, policies) to confirm you are prepared for Stage 2.
  2. Stage 2 Audit: A detailed on-site or remote audit of how well your ISMS is implemented and operating in practice, including evidence that the selected controls are actually working.

Key Updates from ISO 27001:2013 to ISO 27001:2022

Every few years, ISO 27001 is revised to keep up with changes in technology and the threat landscape. The latest edition, ISO 27001:2022, brings several changes to the table.

First up, Annex A (the list of security controls) has been reorganized: the 114 controls in 14 domains of the 2013 edition have become 93 controls in four themes. The reduction does not drop requirements: 57 of the old controls were merged into 24, 23 were renamed, 35 are unchanged, and 11 are new.

The 2022 edition therefore introduces eleven brand-new controls to address modern security challenges such as cloud adoption, threat intelligence, and data leakage.

Let’s take a closer look at some of the key changes.

Restructured Annex A Controls

One of the most notable changes you’ll notice is the reorganization of the Annex A controls. The number of controls has been reduced from 114 to 93, now grouped into four themes instead of the previous 14 domains:

  • Organizational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

This streamlined structure aims to provide better clarity and closer alignment with how modern security programs are actually organized. Because control numbering has changed, your Statement of Applicability and risk treatment plan will need to be remapped to the new identifiers, not just re-dated.

New Controls for Emerging Threats

To address the latest security challenges, ISO 27001:2022 introduces eleven new controls. These include measures for securely adopting cloud services, gathering and using threat intelligence, monitoring for attacks, and preventing data leakage. The new controls, with their Annex A identifiers, are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

You’ll need to review each of these controls against your risk assessment and decide, with justification, whether it applies to your organization; the decision and its reasoning belong in your Statement of Applicability either way.

Increased Focus on Governance and Technological Controls

The 2022 update places greater emphasis on the governance of information security risk and on the security of the digital technologies your business runs on. It highlights the importance of integrating risk management with your overall strategic management rather than running it as a separate compliance exercise.

This shift encourages organizations to embed information security into the core of their processes rather than treating it as a siloed function. You may need to reevaluate your existing governance structures and risk management frameworks, including who owns risk decisions and how they are reported to top management, to align with this updated approach.

Clarity in Requirements

Clarity in requirements is a significant aspect of the 2022 update. The language of the main clauses (4 to 10) has been refined to remove ambiguity and make implementation easier.

This includes a new requirement in clause 6.3 to plan changes to the ISMS, a requirement in clause 6.2 to monitor information security objectives and keep them as documented information, and a reordering of clause 10 so that continual improvement comes before nonconformity and corrective action. You’ll need to review these refined requirements carefully to ensure your processes and documentation meet the new expectations.

Slight Modifications in Documentation and Evidence Requirements

While the core documentation requirements remain largely unchanged, ISO 27001:2022 makes small adjustments that emphasize the evidence needed to demonstrate compliance, for example documented security objectives and records of planned changes.

This means you may need to review and update your existing documentation practices to ensure you keep adequate records to support your ISMS and satisfy auditors.

Addressing Digital Transformation Challenges

Recognizing the rapid pace of digital transformation, ISO 27001:2022 includes specific controls addressing the security challenges associated with adopting cloud services and other digital technologies.

As your organization embraces these technologies, you’ll need to ensure your ISMS effectively manages the associated risks and aligns with the updated standard’s requirements.

Implications for Organizations

The ISO 27001:2022 updates have several implications for startups and established organizations aiming to maintain or achieve compliance with the standard. Here are the key points:

Keeping Up with New Threats

The updates reflect new cybersecurity threats, so organizations need to make sure their security measures are up-to-date and ready to handle the latest risks.

Stronger Focus on Risk Management

There’s a bigger emphasis on managing risks. This means organizations need to be more thorough in identifying and dealing with potential threats.

Easier Integration with Other Standards

The new version follows the ISO harmonized structure shared by other management system standards (for example ISO 9001 and ISO 22301), which makes it easier to integrate with them. This can streamline processes and make managing compliance simpler.

New and Updated Controls

Expect the new security controls listed above, plus merged and renamed versions of existing ones. Organizations need to map their current controls to the new Annex A identifiers, check each one against the updated wording, and make the necessary changes to stay compliant.

More Attention on Cybersecurity

There’s a greater focus on cybersecurity, especially around cloud security, supply chain security, and incident management. Organizations need to beef up their cybersecurity measures.

Better Documentation

The new standard calls for somewhat more detailed documentation, such as documented security objectives. Organizations must ensure their documentation accurately reflects their security practices and procedures as actually operated.

Leadership Involvement

Top management needs to be more involved in supporting and promoting the security management system, making sure security is part of the organization’s culture and strategy.

Ongoing Improvement

The updates stress the need for continuous improvement. Organizations should regularly review and update their security practices to keep getting better.

More Flexibility

The new version allows for more customization, so organizations can tailor their security measures to fit their specific needs and contexts better.

Certification Changes

If an organization is already certified against ISO 27001:2013, it will need to update its ISMS to the 2022 edition and pass a transition audit, which is normally combined with a scheduled surveillance or recertification audit. The transition deadline set by the International Accreditation Forum is October 31, 2025; after that date, 2013 certificates are no longer valid. New certifications are issued against the 2022 edition, so new applicants must meet the updated requirements from the start.

Implementing ISO 27001:2022

Implementing ISO 27001:2022 involves several steps. Here’s a straightforward guide on how companies can do it:

  1. Understand the Requirements: Familiarize yourself with the ISO 27001:2022 standard. Understand the requirements and what needs to be done to meet them.
  2. Get Management Support: Ensure top management is on board. Their support is crucial for providing resources and driving the initiative.
  3. Define the Scope: Determine the boundaries of your Information Security Management System (ISMS). Decide what parts of the organization the ISMS will cover.
  4. Conduct a Risk Assessment: Identify potential security risks. Assess the likelihood and impact of these risks to prioritize which ones need addressing first.
  5. Develop and Implement Controls: Based on the risk assessment, select appropriate security controls to mitigate identified risks and record the selection in your Statement of Applicability. Implement these controls effectively.
  6. Create Policies and Procedures: Document your security policies and procedures. Ensure they are clear, comprehensive, and accessible to all relevant employees.
  7. Raise Awareness and Train Employees: Educate employees about the ISMS and their roles within it. Conduct regular training sessions to keep everyone informed and vigilant.
  8. Monitor and Measure: Regularly monitor and measure the effectiveness of your ISMS. Use performance metrics to identify areas for improvement.
  9. Conduct Internal Audits: Perform internal audits to check compliance with ISO 27001:2022. Identify any gaps and take corrective actions as needed.
  10. Management Review: Hold regular management review meetings to discuss the performance of the ISMS. Ensure top management is involved in these reviews.
  11. Continuous Improvement: Continually improve your ISMS. Use the results of monitoring, measurement, and audits to make necessary adjustments.
  12. Prepare for Certification: Once you’re confident your ISMS meets the requirements of ISO 27001:2022, prepare for the certification audit. This involves selecting an accredited certification body and scheduling the audit.
  13. Certification Audit: Undergo the Stage 1 and Stage 2 audits conducted by the certification body. If successful, you’ll receive ISO 27001:2022 certification.
  14. Maintain Certification: After certification, maintain compliance through regular monitoring, internal audits, annual surveillance audits, and updates to your ISMS. Address any nonconformities promptly.

Embrace ISO 27001:2022 Changes with Scytale

To wrap things up, understanding the updates in ISO 27001:2022 is key to keeping your information security management system (ISMS) current. The new edition brings significant changes, including the restructured Annex A, eleven new controls, and a greater focus on governance and technological requirements, which can materially strengthen your overall security posture.

These changes might seem daunting at first, but with some preparation and Scytale on your side, you can transition smoothly. Stay informed, evaluate how these updates affect your current setup, map your existing controls to the new Annex A, and plan your transition audit well ahead of the October 31, 2025 deadline.
