ISO 27001:2022: The new standard for information security
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, and gives organisations a framework for managing their information security risks and protecting sensitive data.
The current edition, ISO/IEC 27001:2022, was published in October 2022 and replaces ISO/IEC 27001:2013. The changes to the main clauses (4 to 10) are mostly minor wording and structural updates; the substantial change is in Annex A, whose control set has been restructured and updated to reflect the current threat landscape and to help organisations improve their information security posture.
Why is it important to transition to ISO 27001:2022?
There are several reasons why organisations should transition to ISO 27001:2022:
- To comply with the current international standard for information security (the 2013 edition is being withdrawn)
- To protect sensitive data from cyber threats
- To demonstrate to customers, partners and other stakeholders that the organisation is committed to information security
- To improve the organisation's overall risk management processes
- To reduce the risk of data breaches and other security incidents
- To improve the organisation's efficiency and effectiveness
- To further improve the maturity of the confidentiality, integrity and availability (CIA) of its information
ISO 27001:2022 transition timeline
The transition period for ISO 27001:2022 began on October 31, 2022, and ends on October 31, 2025. Organisations that are already certified to ISO 27001:2013 therefore have three years to move to the new edition. Since May 1, 2024, accredited certification bodies no longer issue initial certifications to the 2013 edition, so organisations starting their certification journey now must certify directly to ISO 27001:2022.
Here is a detailed timeline of the transition period:
- October 31, 2022: The transition period begins
- May 1, 2024: All initial (new) certifications must be to the ISO 27001:2022 edition
- July 31, 2025: Transition audits should be completed by this date, leaving the certification body time to issue the new certificate before the deadline
- October 31, 2025: The transition period ends. ISO/IEC 27001:2013 certificates expire or are withdrawn on this date
Organisations that are already certified to ISO 27001:2013:
- Can continue to operate under their existing certification until October 31, 2025
- Must have transitioned to ISO 27001:2022 by that date
- Can choose to transition at any time during the transition period, typically by combining the transition audit with a scheduled surveillance or recertification audit
- Must undergo a transition audit by their certification body to verify compliance with the new edition before a new certificate is issued
What are the key changes in ISO 27001:2022?
The new edition of ISO 27001 introduces several significant changes, including:
A continued focus on risk-based thinking
The standard remains built around the organisation understanding its information security risks and treating them. This is not new in 2022 (ISO 27001:2013 already required a risk assessment and a risk treatment plan), but the new edition reinforces it: the selection of Annex A controls is driven by the risk assessment, and the planning clause now also covers planning of changes to the ISMS.
A greater emphasis on the importance of people and culture
The new standard recognises that people are a critical element of any information security programme. It emphasises creating a culture of information security within the organisation: training employees on information security practices, making security awareness part of everyday work, and having people report security events. Annex A now groups the people-related controls into their own theme.
The introduction of new controls to address emerging threats
The new edition adds 11 controls covering areas such as threat intelligence, the use of cloud services, data leakage prevention, configuration management and secure coding. These are designed to help organisations keep pace with current threats and protect their information assets.
A new way of breaking down the standard
The Annex A controls are regrouped from the 14 domains of the 2013 edition into four themes (organisational, people, physical and technological), and ISO/IEC 27002:2022 tags each control with attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) so that controls can be filtered by what they protect and how. This simplifies what was previously a more complicated breakdown.
100% of our users pass ISO 27001 certification first time
What has changed in ISO 27001:2022?
Here are the specific changes in the main clauses of the standard:
- Context (clause 4): Organisations must now determine which of the interested parties' requirements will be addressed through the ISMS, and clause 4.4 explicitly requires identifying the processes needed for the ISMS and their interactions. In practice this means considering the needs of all stakeholders, not just customers and suppliers, and deciding which of those needs the ISMS is meant to meet.
- Planning (clause 6): Information security objectives were already required in 2013; the 2022 edition adds that they must be monitored and be available as documented information. A new clause 6.3 requires that changes to the ISMS be carried out in a planned manner.
- Support (clause 7): The communication requirement (7.4) is simplified. Organisations must determine what to communicate, when, with whom and how; the 2013 wording about who communicates and the processes by which communication takes place has been dropped.
- Operation (clause 8): Organisations must now control "externally provided processes, products or services" that are relevant to the ISMS. The 2013 edition referred only to outsourced processes, so supplier-related control has widened to products and services (for example, cloud platforms and managed services).
- Performance evaluation and improvement (clauses 9 and 10): The management review must now also consider changes in the needs and expectations of interested parties, and clause 10 has been reordered so that continual improvement comes before nonconformity and corrective action.
The new structure of Annex A controls in ISO 27001:2022
The new edition of ISO 27001 restructures the Annex A controls into four themes: organisational, people, physical and technological. This replaces the 14 control domains (114 controls) of the 2013 edition with 93 controls: 57 old controls were merged into 24, 11 are new, and the remaining 58 were carried over with updated wording. The new structure is designed to make it easier for organisations to select and implement the controls most relevant to their needs.
- The organisational theme contains 37 controls that address the overall management of information security. These include establishing the information security policy, defining security roles and responsibilities, managing supplier relationships and conducting risk assessments.
- The people theme contains 8 controls that address the role of people in information security: screening and background checks before employment, terms and conditions of employment, security awareness and training, the disciplinary process, responsibilities after termination, confidentiality agreements, remote working and the reporting of security events.
- The physical theme contains 14 controls that address the physical security of information assets. These include securing buildings and facilities, physical entry controls, protecting equipment and computer rooms, and the secure disposal or re-use of equipment and storage media.
- The technological theme contains 34 controls that address the technical aspects of information security. These include endpoint and malware protection, network security, cryptography, logging and monitoring, secure development, and managing access to information systems.
Each theme corresponds to one aspect an ISMS has to cover: the organisation's commitment and governance, the people who handle information, the physical protection of information assets, and the technical protection of information systems. Grouping the controls this way, together with the attributes ISO/IEC 27002:2022 assigns to each control, makes it easier to implement an effective ISMS and to show which threats each control addresses.
ISO 27001:2022 includes eleven new controls
In addition to the new structure, ISO 27001:2022 adds 11 controls. They address areas that the 2013 control set did not cover explicitly, such as cloud services, threat intelligence, data leakage and secure development, and give organisations more options for treating risks.
The new controls are as follows:
- 5.7 Threat intelligence: Collecting and analysing information about current and emerging threats so that the organisation can take informed mitigating action.
- 5.23 Information security for use of cloud services: Establishing processes for acquiring, using, managing and exiting cloud services, and assessing the risks involved.
- 5.30 ICT readiness for business continuity: Planning, implementing and testing ICT continuity so that information and communications technology remains available in disaster scenarios.
- 7.4 Physical security monitoring: Continuously monitoring premises for unauthorised physical access so that incidents can be identified and responded to promptly.
- 8.9 Configuration management: Establishing, documenting, implementing, monitoring and reviewing the security configurations of hardware, software, services and networks.
- 8.10 Information deletion: Securely deleting information held in systems, devices and storage media when it is no longer required.
- 8.11 Data masking: Masking data (for example through pseudonymisation or anonymisation) to limit the exposure of sensitive information, in line with the access control policy.
- 8.12 Data leakage prevention: Applying measures to systems, networks and devices that process sensitive information to prevent it from being leaked outside the organisation.
- 8.16 Monitoring activities: Monitoring networks, systems and applications for anomalous behaviour and evaluating it to detect potential security incidents (this concerns monitoring the environment, not auditing the ISMS itself).
- 8.23 Web filtering: Managing access to external websites to reduce exposure to malicious content.
- 8.28 Secure coding: Applying secure coding principles to software development.
Through these new Annex A controls, many organisations will need to add or update ISMS documents, policies and procedures (in some cases 20 or more), depending on their scope and requirements.
DataGuard helped us get ISO 27001 certified 50% faster.
Reece Couchman, CEO & founder @ The SaaSy People
Your roadmap to transition to ISO 27001:2022
The transition to ISO 27001:2022 can seem daunting, but it is a sequence of manageable steps rather than a single event. Following a structured roadmap makes the transition smoother and more likely to succeed.
Here are the key steps in your roadmap to transition:
- Raise awareness: The first step is to raise awareness of the transition within your organisation. This includes communicating the benefits of the new standard, as well as the timeline and requirements for the transition.
- Conduct a change analysis and gap assessment: Compare your current information security management system (ISMS) against ISO 27001:2022, clause by clause and control by control, to identify where it needs to be updated. Pay particular attention to the 11 new controls and to the Statement of Applicability, which must be re-mapped to the new Annex A numbering.
- Review and update documentation: Once you have identified the gaps, review and update your ISMS documentation, including your policies, procedures, work instructions, risk treatment plan and Statement of Applicability.
- Perform an internal audit: Once your documentation is updated, perform an internal audit to confirm that your ISMS is operating in line with the new standard and that the updated controls are actually in place, not just documented.
- Conduct a transition readiness review: After the internal audit, review any remaining gaps and nonconformities and close them before booking the transition audit.
- Undergo a transition audit: Once the gaps are closed, your certification body performs the transition audit, usually combined with a surveillance or recertification audit. This is the final check before the ISO 27001:2022 certificate is issued.
- Maintain continuous improvement: Once you have transitioned, keep reviewing your ISMS regularly to ensure it remains effective in protecting your information assets.
In addition to these key steps, there are a few other things you can do to make the transition to ISO 27001:2022 smoother and more successful. These include (but are not limited to):
- Get buy-in from senior management.
- Involve all stakeholders in the transition process.
- Use a certified transition partner.
- Set realistic goals and milestones.
- Communicate regularly with stakeholders.
By following these tips, you can make the transition to ISO 27001:2022 a success.
Here is some additional proactive business advice:
- Use the transition as an opportunity to improve your overall information security posture.
- Consider using the transition as a way to consolidate or streamline your ISMS processes.
- Use the transition to communicate the importance of information security to your employees and other stakeholders.
- Use the transition to improve your organisation's risk management capabilities.
By taking a proactive approach to the transition, you can turn it into a valuable asset for your organisation.
Your practical steps to getting ISO 27001 certified
ISO 27001 provides a comprehensive approach to securing your organisation's information systems and data. It is more than a defence against cyberattacks: it gives you a systematic, auditable way to manage the confidentiality, integrity and availability of your information. Certification cannot guarantee that no incident will ever occur, but it demonstrates that risks are identified and treated consistently.
Achieving this certification strengthens your organisation's security measures and its credibility in handling information. Interested in enhancing your information security compliance through ISO 27001? Contact our experts today, and we'll guide you through it.