A few weeks ago we posted an article about ISO/IEC 27001, what it is, why organisations go down the path of being certified, and answered some common questions organisations have with regard to 27001. I highly recommend reading that article if you need an overview or you are wondering what’s in it for you and your business.
Today I will be talking about the new 2022 version of ISO/IEC 27001, what the main changes are, and how this will impact those who are already certified to the 2013 version or are looking at certifying for the first time. If you need help uplifting to 2022 or are looking at starting your certification journey, take a look at our ISO/IEC 27001 certification solution page as we specialise in this area.
Now, on to ISO/IEC 27001:2022!
ISO/IEC 27001, ISO/IEC 27002, NIST and Other Control Frameworks
First a bit about the structure of the standard as this provides context to a very beneficial change for many organisations.
The ISO/IEC 27001 standard, in both the 2013 and 2022 versions, has two main parts. First, you have the clauses, which define the Information Security Management System (ISMS) which is the core of how you manage information security. Second, you have Annex A which contains your controls and control objectives. The reason it uses the term ‘control objectives’ is Annex A is not prescriptive on the exact control you must implement, but rather what the objective or outcome you want when implementing the control. The exact control you use is up to you, as long as it satisfies the objective and reduces the risk to an acceptable level. This is why we always hear the term ‘risk-based approach’ with regard to ISO/IEC 27001. Based on your risks, your risk appetite and your risk tolerance, the exact control you implement may be different to other organisations. It’s not a one size fits all approach which is why I love 27001.
This is also where the ISO/IEC 27002 standard comes into play. It cross-references with Annex A and basically provides implementation advice for the objective stated in Annex A. ISO/IEC 27002 is purely optional. It provides advice. I touched on this briefly in my last article, because you can use other control frameworks to satisfy Annex A’s control objectives, such as NIST. We have both past and current clients that leverage NIST within their ISO/IEC 27001 ISMS successfully. Some use NIST solely for Annex A compliance, and some use a hybrid ‘best of both worlds’ approach. It’s completely up to you and the type of controls smorgasbord you choose to consume.
Take a look at our in-depth article from earlier this week that goes into this in detail. If you are thinking of going down this path, now is the perfect time as ISO/IEC 27002:2022 now defines ‘Cybersecurity Concepts’ for each control objective which align with NIST’s five framework functions of Identify, Protect, Detect, Respond and Recover.
What changed in 2022 and why?
ISO/IEC 27002:2022 was the first to be released, on February 15th, 2022. ISO/IEC 27001 followed later in the year, released on October 25, 2022. It’s now 10 years since the last release of ISO/IEC 27001 and 27002, and the world has changed a lot in that time. An update was well overdue to bring 27001 and 27002 in line with changes in the worldwide threat landscape, threat actor advancement, and the risks we now see.
The title of the standard is now ‘Information security, cybersecurity and privacy protection‘ which is a big change from ‘Information technology – Security techniques‘. While it doesn’t look like much, this is huge in and of itself as it now recognises, as all businesses need to recognise, that security is not an ‘IT problem’, it’s a business problem. One of my many triggers is seeing the term ‘IT security’ still used as it’s not an IT problem and security should never be lumped on IT to solve.
I also welcome the clear distinction that it now covers information security AND cybersecurity. The sad thing is, we use these terms interchangeably nowadays. I’m 100% a culprit of this, as the term cybersecurity has been forced on us due to overuse in the media and it’s what people now know so you get strange looks when you talk about ‘information security’. But the two terms are not the same, but that’s a discussion for another article 😁
The addition of ‘privacy protection‘ is also a great addition to the title as the majority of breaches we see are around the exposure of personally identifiable information (PII) and PII is a major target for threat actors. So having this front and centre is a welcome change.
But let’s get into the changes within the body of the standard!
Changes within the management system
The standard has 11 clauses, numbered 0 through 10. These are the basis of your ISMS and cover areas such as your scope, risk management practices, how you run the ISMS, and evaluation and continual improvement of the ISMS.
In the 2022 version of ISO/IEC 27001, the clauses and their structures have remained the same, still numbering 11, but with five small changes.
4.2c – Requirements of interested parties to be addressed.
‘4.2 Understanding the needs and expectations of interested parties‘ ensures that any stakeholders that have some sort of stake in your ISMS and want to get something out of it, have their needs identified and documented, along with what their expectations are.
An additional line item has been added to 4.2 which expands on the documented requirements from 4.2b and requires you to document which of these requirements will actually be addressed through your ISMS. This way it’s clear what stakeholders can expect. After all, just because they have requirements or expectations doesn’t mean you, as a business, have to comply with every request.
6.2 Information security objectives
6.2 addresses establishing security objectives and how they will be achieved. Two additional bullet points have been added that required objectives to ‘be monitored‘ and ‘be available as documented information‘. While these are new, it would be unlikely you were not already performing these tasks to ensure your objectives were documented and monitored for progress.
6.3 – Planning of changes
6.3 is a completely new addition to section ‘6 – Planning‘ which covers risk management and information security objectives of the ISMS. 6.3 states:
“When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
It’s pretty straightforward and to be honest, you should have been doing this all along. Any changes to your ISMS need to be planned. All this change requires is that you document your planned changes and make it clear what will be performed. Generally, any changes to the ISMS will be updates to your documentation and how you run your ISMS. You will have been performing reviews and updates yearly and documenting these as part of your review and improvement processes anyway, so there is little to do here except make sure it’s clear what you have done and that you have communicated it. So make sure your communications plan addresses communicating updates to the ISMS.
8.1 – Operational planning and control
The changes to 8.1 are purely wording, with no actual material changes that impact what you need to do to comply.
‘meet information security requirements‘ has changed to ‘meet requirements‘ to align with the broader scope beyond ‘information security’.
Where 2013 discussed implementing plans to achieve information security objectives, it now makes ‘plans’ clearer by breaking this into establishing criteria for processes and then implementing the processes in line with the criteria.
‘The organisation shall keep documented information‘ has changed to ‘Documented information shall be available‘. While ‘keep’ is pretty broad, having information ‘available’ seems a lot broader and open to the myriad of ways you can ensure access to required information is maintained.
‘outsourced processes‘ has been changed to ‘externally provided‘ which is far less prescriptive than ‘outsourced’ and supports a much larger bucket of potential ways an organisation can receive services.
9.3.2c – Changes in needs and expectations of interested parties
9.3, which covers management review, has been restructured for clarity with one new addition tagged 9.3.2c which states:
“changes in needs and expectations of interested parties that are relevant to the information security management system;”
This addresses inclusions for management review. This aligns with the 4.2c addition around interested parties, ensuring that their needs are continually assessed as part of the ISMS review and improvement processes to capture any changes in their needs. This is needed with the 4.2c inclusion or stakeholder requirements would be stagnant and what was initially identified may not remain relevant. It would also mean new stakeholder requirements would not be identified and added to the ISMS.
Changes within Annex A
The biggest changes for 27001:2022 are within the Annex A control objectives. ISO took this chance to overhaul the standard and fix many small niggling issues that often made ISO/IEC 27001 unclear or problematic, mostly around wording, overlapping controls, and placement of controls that did not align with the respective domain..
The overhaul has Annex A now divided into 4 control groups, making each control’s overarching control objective a lot clearer:
- A.5 Organisational controls – 37 controls
- A.6 People controls – 8 controls
- A.7 Physical controls – 14 controls
- A.8 Technological controls – 34 controls
As you may notice from these control counts, there is now only 93 controls, down from 114 found in the 2013 version. This reduction was achieved through control consolidation, with 57 controls merged into 24 controls. Other changes included 23 controls being renamed and one control being split into two controls. But the most important change which impacts organisations certifying to ISO/IEC 27001 is the addition of 11 new controls that now need to be assessed and implemented where necessary.
Below we have a high-level overview of each new control and each control is linked to a full article where we expand on each of the new control objectives in ISO/IEC 27001:2022, why they have been added, what is expected of you when implementing these controls, and advice on where to start.
A.5.7 Threat intelligence
You need to collect and analyse information on potential threats so you can take necessary measures to mitigate them. This information may pertain to specific attacks, methods and technologies employed by threat actors, or trends in attacks. You should obtain this information from both internal sources, such as system logs and incident reports, as well as external sources, including vendor reports, government agency alerts, and other relevant resources.
For a full rundown of exactly what is expected of you, how to comply and the methodology we follow, read the full 5.7 Threat Intelligence article.
A.5.23 Information security for use of cloud services
You must establish security requirements for cloud services to enhance the protection of your information when stored in the cloud. This involves defining security requirements for all stages of the cloud service lifecycle, from procurement and deployment to ongoing management and eventual termination of use.
For a full rundown of what is expected from this control, and how to comply, read the full 5.23 Information Security for Use of Cloud Services article.
A.5.30 ICT readiness for business continuity
Your information and communication technology systems must be prepared to handle potential disruptions, ensuring that critical information and assets are available when required. This involves developing readiness plans, implementing them effectively, maintaining them continuously, and testing them regularly to ensure their effectiveness.
For a full rundown of business continuity requirements expected from this control, and how to comply, read the full 5.30 ICT readiness for business continuity article.
A.7.4 Physical security monitoring
You need to monitor sensitive areas to restrict access only to authorised personnel. These areas may include your offices, production facilities, warehouses, or other premises where access needs to be restricted to protect sensitive information or assets.
For a full rundown of what is expected from this control, and how to comply, read the full 7.4 physical security monitoring article.
A.8.9 Configuration management
You must manage the entire security configuration lifecycle of your technology to ensure a sufficient level of security and prevent any unauthorised changes. This includes defining the configuration, implementing it, monitoring it, and regularly reviewing it to identify any potential issues and ensure it remains effective over time.
For a full rundown of what is expected from this control, and how to comply, read the full 8.9 configuration management article.
A.8.10 Information deletion
You must delete data when it is no longer necessary, in order to prevent the unauthorised disclosure of sensitive information and comply with applicable privacy regulations and other requirements. This may involve deleting data from your systems, removable media, or cloud services, and ensuring that it is performed securely and irreversibly.
For more details on what is involved in the control, and how to comply, read the full 8.10 Information deletion article.
A.8.11 Data masking
You must use data masking in conjunction with access control mechanisms to restrict the exposure of sensitive information, particularly personal data that is regulated by privacy laws. This control may also apply to other categories of sensitive data and involves ensuring that only authorised individuals have access to the information they need to perform their job functions, while the rest of the data is masked to limit its visibility.
This one is actually a lot more complex than it sounds and goes beyond traditional ‘masking’. For more details, read the full 8.11 Data masking article.
A.8.12 Data leakage prevention
You need to apply data leakage prevention measures to prevent the unauthorised disclosure of sensitive information and to detect any such incidents in a timely manner. This includes implementing safeguards to protect information stored in IT systems, networks, or any other devices from leakage or theft, as well as establishing monitoring and alerting mechanisms to identify and respond to any suspected or actual data breaches.
This is a complex control and can be costly to implement if you take the wrong path. For details on how to reduce the scope of this requirement, reducing cost and effort, read the full 8.12 Data leakage prevention article.
A.8.16 Monitoring activities
You must monitor your systems to identify any unusual activities and take appropriate incident response measures if necessary. This involves monitoring your IT systems, networks, and applications to identify any suspicious activity, and having established procedures in place to respond quickly and effectively to any incidents that may occur.
For more details on how to comply with this requirement, read the full 8.16 Monitoring activities article.
A.8.23 Web filtering
You must manage and control which websites your users are accessing to protect your systems. This helps prevent your systems from being compromised by malicious code, as well as restricts users from accessing illegal or inappropriate materials from the Internet. This may involve implementing content filtering technologies or using other mechanisms to block access to unauthorised websites while ensuring that legitimate business needs are not impeded.
For more details, and how to ensure this control doesn’t impact critical business processes, read the full 8.23 Web filtering article.
A.8.28 Secure coding
You must establish and apply secure coding principles to your software development processes to minimise security vulnerabilities in the software. This involves implementing secure coding practices before, during, and after the coding phase, including activities such as code review, vulnerability testing, and patch management. By adopting secure coding principles, you can reduce the risk of software vulnerabilities being exploited by attackers.
There is a lot more to secure development in the new standard as they have changed a number of other controls, and we expand on this control and the changes to the other 9 controls from ISO/IEC 27001:2013 in the full 8.28 Secure coding article.
What if I’m already certified to ISO 27001:2013?
If you are already certified to ISO/IEC 27001:2013, there is a 3-year grace period from the date ISO/IEC 27001:2022 was released. This means you have until October 31, 2025 to transition to 2022. The reason for the 3-year grace period is 27001’s audit cycle. Your external audits are tied to a 3-year cycle, with your main external audit in year 1, followed by what’s called a surveillance audit in years 2 and 3. The surveillance audits ensure you are staying on top of your ISMS and doing what you said you would do. This grace period covers those organisations that certified for the first time around October 2022 or had the start of their 3-year cycle at that time. It gives them a full cycle to transition.
Of course, you will need to start transitioning well before that date to make sure you are ready and finished by the cut-off date as you will not be recertified to ISO/IEC 27001:2013 beyond that date.
What if I’m just starting my journey or about to certify?
An organisation that is certifying for the first time can still certify to ISO/IEC 27001:2013 up until October 31, 2023. Halloween party!!!! I hear you say 😂 So organisations that are in the middle of preparing for their first certification when the update was released have been given a 1 year grace period, which is pretty lenient. This means organisations already underway don’t have to suddenly change track and try and comply with a new standard. Of course after that date, you will then only have 2 years to transition to ISO/IEC 27001:2022 as you used up one of your years in this grace period.
I say one year is pretty lenient but I’m sure for some organisations they may be freaking out, as getting to where they currently are could have taken them years. All I can say is it’s very achievable if you have the support of the right people. Shameless plug, but in our experience, we haven’t taken more than 12 months to get an organisation from kick-off to certification, so the one-year grace period is more than enough. Please reach out if you need help or just want some advice.
Hopefully, this article clarifies the changes and makes it clearer what you can expect when working with ISO/IEC 27001:2022. If you have any questions, post in the comments below or contact us. We are always open for a coffee and a chat to get you on the right path.
0 Comments