The information security management standard ISO 27001 was first published in 2005. It was revised in 2013 and updated again in 2022, with significant changes to Annex A. If your company is certified to ISO 27001, you will see these updates reflected in the security controls contained in Annex A.
What Is ISO 27001?
ISO 27001 is an information security management system standard that defines international best practices for developing and maintaining an ISMS (information security management system). It helps companies protect the availability and integrity of their information.
What’s Changing in ISO 27001?
The structure of ISO 27001 Annex A has undergone a complete overhaul; it has been restructured and revised. First, the modified ISO 27001 no longer uses the commonly used phrase ‘code of practice’, which makes its purpose clearer: a set of information security controls.
Secondly, the number of controls has decreased from 114 to 93 in the new version of ISO 27001. These security controls are now divided into four chapters instead of the previous 14. The new domains of ISO 27002:2022 are:
- Chapter 5: Organizational (37 controls)
- Chapter 6: People (8 controls)
- Chapter 7: Physical (14 controls)
- Chapter 8: Technology (34 controls)
In the newly revised ISO 27001, 35 controls remain unchanged, 23 controls have been renamed, and 57 controls have been merged into 24 controls. Only one control was divided into two: Control 18.2.3 – Technical Compliance Review has been split into 8.8 – Management of technical vulnerabilities and 5.3.6 – Conformity with policies and standards of information security. Eleven new controls have been added to the latest version:
- Threat Intelligence
- Physical security monitoring
- Data masking
- Information security for cloud services
- Monitoring activities
- ICT readiness for business continuity
- Data leakage prevention
- Configuration management
- Web filtering
- Information deletion
- Secure coding
The merging of existing controls and the addition of new ones come with five attributes that make the controls easier to group: control type, operational capability, security domain, cybersecurity concept, and information security property.
How Will 2022 Changes Affect My Current ISO 27001 Certificate?
The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will jointly work with the certification companies on a transition period to allow organisations with ISO 27001 certification to shift to the newer version efficiently.
Still, even now that the updated version of ISO 27001 has been released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013. ISO 27002:2022 should be used only as a reference for the other controls and as guidance for understanding the changes.
Planning to Certify to ISO 27001? Should You Wait Until the Certification Bodies Can Certify to the New Version?
No! Even though the new 2022 version is published, you shouldn’t wait to certify. Waiting until you can be certified against the new standard will likely leave your organisation at greater risk.
Contact Best Practice Biz today and learn how we can help you get ISO 27001 certification.