Changes in the ISO 27001: 2022 Revision

Overview

The new version of the ISO 27001:2022 standard was released in October 2022, following the release of the revised ISO 27002:2022 guidance in February 2022.

Organisations have 3 years to transition from ISO 27001:2013 to ISO 27001:2022, with the deadline being October 2025. Many organisations are expected to transition in 2023, and most should have transitioned before the end of 2024.

Certification bodies must start doing audits against ISO 27001:2022 by October 2023, although many will be doing it much sooner.

The 2022 version of ISO 27001 has one major change: Annex A has been re-organised, with a move from 114 controls in 14 sections in ISO 27001:2013, down to 93 controls in 4 sections in ISO 27001:2022. The main ISMS clauses 4 to 10 have had several minor updates.

Of the 93 Annex A controls in the new version, 11 are new, 24 are made up of controls merged from the old version, and 16 carry additional requirements.

Although there are new controls and some additional requirements, many organisations will already have much of what the new requirements ask for in place, even if not formally.

Clauses 4 to 10 Changes

There are several minor updates to the mandatory clauses.

For clause 4.2, understanding the needs and expectations of interested parties, clause 4.2 (c) was added, which requires the organisation to determine which relevant requirements of interested parties will be addressed through the ISMS.

Although not new, clause 6.1.3 on information security risk treatment splits out the requirements for a Statement of Applicability into bullet points to emphasise that these points are not optional. The specific points to highlight are the justification for inclusion of the necessary controls and the justification for exclusion of any of the Annex A controls.

Clause 8.1 for operational planning and control adds that organisations planning and implementing processes to meet ISMS requirements need to:

· Establish criteria for the processes

· Implement control of the processes in accordance with the criteria

For 9.1 monitoring, measurement, analysis and evaluation of performance, the methods selected should now produce comparable and reproducible results to be considered valid. As a final point for 9.1, the organisation should now evaluate the information security performance and the effectiveness of the information security management system, although this should already be covered in the management review.

There is an additional input for the management review in clause 9.3.2: changes in needs and expectations of interested parties that are relevant to the information security management system.

So, there are no major changes to clauses 4-10. Clearly, with the re-organisation of the Annex A controls, the Statement of Applicability needs reworking, and this is a good opportunity to make sure that the Statement of Applicability has clear justifications for the inclusion or exclusion of each control where applicable.

New Annex A Controls

The 11 new Annex A controls are as follows:

5 Organisational Controls
5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
6 People Controls
There are no new people controls
7 Physical Controls
7.4 Physical security monitoring
8 Technological Controls
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Monitoring activities
8.23 Web filtering
8.26 Secure coding

Many organisations will have these new controls in place already, if not formally. Dionach go into more detail on these new controls in the two-part ISO 27002 blog.

Annex A Controls with Additional Requirements

The Annex A controls that have additional control requirements that organisations should consider are:

5 Organisational Controls
5.1 Policies for information security
5.8 Information security in project management
5.12 Classification of information
5.19 Information security in supplier relationships
5.22 Monitoring, review and change management of supplier services
5.24 Information security incident management planning and preparation
5.27 Learning from information security incidents
5.31 Legal, statutory, regulatory, and contractual requirements
5.34 Privacy and protection of personally identifiable information (PII)
5.37 Documented operating procedures
6 People Controls
There are no additional requirements for people controls
7 Physical Controls
7.1 Physical security perimeters
8 Technological Controls
8.4 Access to source code
8.15 Logging
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.34 Protection of information systems during audit testing

Some of these just have minor changes, although these may affect an organisation’s approach. For example, 5.1 policies for information security adds that policies shall be acknowledged by relevant personnel and relevant interested parties. Many organisations may already be doing this, and it is now a formal requirement.

A few examples of more significant changes are as follows.

For 5.19 Information security in supplier relationships, the control now requires processes and procedures to be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. In the 2013 version of the standard the 15.1.1 control specifies documenting and agreeing information security requirements.

For 5.24 Information security incident management planning and preparation, the control now requires that an organisation plan and prepare for managing information security incidents by defining, establishing, and communicating information security incident management processes, roles, and responsibilities. The 2013 version is less specific and just requires management responsibilities and procedures in the 16.1.1 control. Organisations need to implement a formal incident response plan based on incident response phases if they haven’t already. The ISO 27035 series provides guidance on information security incident management.

For 8.4 Access to source code, the control specifies that read and write access to source code, development tools and software libraries shall be appropriately managed. The 2013 version of the 9.4.5 control only stated that access to program source code shall be restricted.

As the examples show, these may be significant changes for some organisations; however, it is likely that many organisations will already have these additional requirements in place.

Summary

Transitioning to ISO 27001:2022 should be straightforward for organisations once they understand the changes. Many organisations should transition as soon as is practical for them, as some of the new Annex A controls reflect more modern cyber security practices, and these are often changes they have already made to their ISMS since the 2013 version.

Contact Dionach to get help with transitioning to ISO 27001:2022. Dionach provide an ISO 27001:2022 transition gap assessment to help you understand the changes and to provide you with an action list for transitioning.
