Organizations collect, store, and use large amounts of data for their day-to-day operations. Records about the workplace, inventory, clients, trade secrets, finances, and communications can be found in almost every organization. When this information is not kept safe, the result can be a data breach, which is expensive for an organization in both money and reputation. To address this problem, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly published the ISO/IEC 27001 standard.
What is ISO 27001 standard?
ISO 27001 is an internationally recognized standard for information security. It specifies what an organization needs to do to identify, assess, and reduce its information security risk. Its subject is the Information Security Management System (ISMS): a systematic approach covering people, processes, and technology that helps an organization protect and manage the security of all of its information.
What’s new in ISO 27001?
The long-awaited update to ISO 27001 is finally here. As anticipated, ISO 27001:2022 is not considerably different from ISO 27001:2013; there are, however, some slight changes to the clauses of the standard, such as a new requirement to monitor information security objectives.
ISO/IEC 27001:2022 was published on October 25, 2022. Its most significant updates are a major revision of Annex A, minor revisions to the clauses, and a new title for the standard.
Primary changes in ISO/IEC 27001:2022
ISO/IEC 27001:2022 carries a new title that begins “Information security, cybersecurity and privacy protection”, reflecting the standard’s increasing focus on cybersecurity and privacy.
The revised ISO 27001:2022 contains minor to moderate changes to the main body. That body, which specifies the requirements for the Information Security Management System (ISMS), is organized into Clauses 0 to 10, of which Clauses 4 to 10 contain the auditable requirements. Some subclauses have had requirements added or removed.
| Major changes | Old 2013 version | New 2022 version |
| --- | --- | --- |
| Clauses in the main part of the standard | 11 (Clauses 0–10); the 7 implementable and auditable clauses are Clauses 4–10 | 11 (Clauses 0–10); the 7 implementable and auditable clauses are still Clauses 4–10 |
| Security controls in Annex A | 114 | 93 |
| Control groups in Annex A | 14 | 4 |
The mandatory Clauses 4 to 10 have been slightly modified, as follows.
Clause 4.4: Information security management system
Wording was added requiring the organization to plan the processes needed for the ISMS and their interactions.
Clause 5.3: Organizational roles, responsibilities, and authorities
Wording was added clarifying that the assigned roles must be communicated within the organization.
Clause 7.4: Communication
Item (e), which required the organization to establish the processes by which communication is carried out, was deleted.
Clause 10: Improvement
The two sub-clauses have been reordered: continual improvement is now 10.1 and nonconformity and corrective action is now 10.2. The text of both remains unchanged.
Elsewhere, there are a few small changes to Clauses 4 through 10, notably in Clauses 4.2, 6.2, 6.3, 8.1, and 9.3, where new requirements have been added.
Clause 4.2: Understanding the needs and expectations of interested parties
A new item (c) requires the organization to determine which of the interested parties’ requirements will be addressed through the ISMS.
Clause 6.2: Information security objectives and planning to achieve them
A new item (d) requires that the information security objectives be monitored.
Clause 6.3: Planning of changes
This is a new clause, requiring that changes to the ISMS be carried out in a planned manner.
Clause 8.1: Operational planning and controls
New requirements were added to establish criteria for the security processes and to control those processes in accordance with the criteria. In the same clause, the separate requirement to implement plans for achieving information security objectives was deleted.
Clause 9.3: Management review
A new item (9.3.2 c) clarifies that changes in the needs and expectations of interested parties that are relevant to the ISMS must be an input to the management review.
The part of ISO/IEC 27001 that has changed the most is Annex A, which is now aligned with ISO/IEC 27002:2022. The number of controls has been reduced from 114 to 93, mainly by merging overlapping 2013 controls rather than by dropping them.
Eleven new controls have been added to the Annex A security controls:
A.5.7: Threat intelligence
A.5.23: Information security for using cloud services
A.5.30: ICT readiness for business continuity
A.7.4: Physical security monitoring
A.8.9: Configuration management
A.8.10: Information deletion
A.8.11: Data masking
A.8.12: Data leakage prevention
A.8.16: Monitoring activities
A.8.23: Web filtering
A.8.28: Secure coding
ISO/IEC 27001:2022’s new control groups
A.5: Organizational controls – 37 controls
A.6: People controls – 8 controls
A.7: Physical controls – 14 controls
A.8: Technological controls – 34 controls
ISO 27001 with InfosecTrain
ISO 27001 certification shows an organization’s dedication to continuous improvement, growth, and the security of its information assets by carrying out appropriate risk assessments and implementing suitable policies and controls. InfosecTrain offers training for the ISO 27001 certification examinations. We are one of the top IT security and consulting firms specializing in various IT security training. Highly qualified instructors with years of industry experience facilitate interactive training sessions for the ISO 27001 standard certification exam.