Most businesses with important information that needs to be protected from cybersecurity attacks have implemented various security systems, such as firewalls, antivirus software, and password managers. Many businesses have also outsourced much of their infrastructure and protection to cloud service providers.
However, this doesn’t mean that shared information is protected from breaches. This is where ISO 27001 comes in: it establishes the foundation for an information security management system (ISMS). It outlines a process for businesses to determine which threats, vulnerabilities, and impacts they face, identify and measure the resulting risks, and then implement a system to mitigate them.
The first version of the ISO 27001 compliance framework was published in 2005 by the International Standards Organization (ISO). The second version was launched in 2013, and we now have the ISO 27001:2022 revision.
What does this mean for your organization? What challenges will you be facing in adjusting to the new compliance requirements? This blog talks about the changes incorporated into this latest version of the ISO 27001:2022.
New Changes in the ISO 27001 Standard Introduced in 2022
The ISO 27001:2022 version is not very different from the ISO 27001:2013 version, but here are the changes that have been introduced:
Context and Scope
You must now determine which “relevant” needs of interested parties will be addressed by the ISMS.
The “processes required and their interactions” are now clearly mentioned in the ISMS.
Information security goals must now be monitored and made “available as documented information”.
The ISMS now includes a new part on planning changes. This does not specify any processes that must be included, so you must figure out how to show that changes to the ISMS have been planned.
The requirements to define who will communicate and the procedures for effecting communication have been replaced by a provision to determine “how to communicate”.
A provision has replaced the requirement to plan how to accomplish information security objectives to create criteria for processes to implement actions identified in Clause 6 and control those processes under the criteria.
Organizations must now control “externally provided processes, products, or services” pertinent to the ISMS rather than just processes.
Performance and assessment
Methods for monitoring, measuring, analyzing, and assessing the efficacy of the ISMS must now be comparable and reproducible.
The management review must now consider changes in the requirements and expectations of interested parties.
Besides this, there have been many notable changes in Annex A, with the addition of 11 new controls, the renaming of 23 controls, and the merging of 57 controls into 24 controls. Incorporating these new changes has only left 35 controls completely unchanged.
Clauses That Have Undergone Changes in the ISO 27001 Standard
The clauses that underwent notable changes are as follows:
- 4.4 Information security management system – This requires that processes and “their interactions” are identified separately. Therefore, you have to design interactions as part of diagrams and flow charts for convenience.
- Annex A controls – Several clauses and notes stipulate that the Annex A controls are not exhaustive by any measure, and should be used as a baseline. However, every organization should look into its internal environments to correctly identify any other necessary control, risks, etc.
- 6.2 Information Security objectives – Information must be documented and available for all stakeholders.
- 6.3 Planning of changes – From now, all changes require documented planning and processing.
- 8.1 Operational planning and control – Organizations must introduce pre-defined criteria for operational processes. However, a criterion can be broad, from a security requirement to a business need or customer request.
- 9.1 Performance evaluation – Methods to assess and monitor your controls should produce comparable results so the organization can evaluate trends and make way for incorporating measures supporting future industry projections.
- 9.2 Internal audits – Internal evaluations must cover all the organization’s requirements and are not limited to ISO 27001. This has broader implications for becoming more comprehensive as a Management System.
What are the major control changes in Annex A?
ISO/IEC 27001:2022 Annex A includes changes to the number of controls and their grouping. The title for this Annex has also been changed from Reference control goals and controls to Information security controls reference. As a result, the prior version of this standard’s reference objectives for each control group has been removed.
Annex A restrictions have been reduced from 114 to 93. The new control categories of ISO/IEC 27001:2022 are:
- A.5 Organizational controls – contains 37 controls
- A.6 People controls – contains 8 controls
- A.7 Physical controls – contains 14 controls
- A.8 Technological controls – contains 34 controls
There are 11 new controls that have been added as part of the ISO/IEC 27001:2022 Annex A, as mentioned below:
- Threat intelligence
- Physical security monitoring
- Configuration management
- Data masking
- Information deletion
- Data leakage prevention
- Web filtering
- Secure coding
- Monitoring activities
- ICT readiness for business continuity
- Information security for the use of cloud services
Besides this, the controls can now be categorized based on five attributes to make it simple. These include:
- Control type (preventive, detective, corrective)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Information security properties (confidentiality, integrity, availability)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
Here is an illustration capturing the key takeaways from the notable changes made to the ISO 27001 compliance standard in its 2022 version:
How Will This Affect Your Organization if You Already Implement ISO 27001?
ISO 27001:2013 will not be retired for another three years. Depending on how far your ISO 27001:2013 implementation project has advanced, you may use the new ISO 27001:2022 Annex A controls as an alternative control set. However, you must still compare these with the 2013 Annex A controls in your Statement of Applicability.
ISO 27002:2022 includes an annex that compares its controls to the 2013 version of the Standard. Before renewing your ISO 27001 certification after three years, you must transition your ISMS to conform with the Standard’s 2022 version.
ISO 27001 Compliance Certification with Akitra!
Establishing trust is a crucial competitive differentiator when prospecting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our service helps customers become certified for the ISO 27001:2022 version, along with other frameworks like SOC 1, SOC 2, ISO 27701, ISO 27017, ISO 27018, HIPAA, GDPR, PCI DSS, FedRAMP, NIST 800-53, NIST 800-171, NIST CSF, CMMC, and other specific frameworks such as CIS AWS Foundations Benchmark, etc. Our compliance and security experts will also provide customized guidance to navigate the end-to-end compliance process confidently.
The benefits of our solution include enormous savings in time, human resources, and cost savings—including discounted audit fees with our audit firm partners. Customers achieve compliance certification fast and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.