The main change to the 2022 edition of ISO/IEC 27001 is the update of Annex A to reflect ISO/IEC 27002:2022 which we are going to discuss in this article.
1- Introduction
The International Accreditation Forum (IAF) has indicated that, starting from the publication of ISO 27001:2022, organizations have 36 months to make the transition. Below is a summary of the changes introduced in ISO 27001:2022 and ISO 27002:2022.
4- Highlights of changes
The main body of ISO 27001, clauses 4 to 10, has not changed. The changes are in Annex A:
- 114 existing controls reduced to 93.
- 35 controls remain unchanged.
- 23 controls have been renamed.
- 24 controls have been merged.
- 58 controls have been updated.
3- Changes in Chapters and Categories
The previous 14 control categories have been regrouped into 4 main categories, or themes, so that controls are easier to find. A control is placed in a theme according to what it concerns:
- Chapter 5: Organisational (37 controls) – controls that concern the organisation, such as policies for information security, return of assets, or information security for use of cloud services.
- Chapter 6: People (8 controls) – controls that concern individual people, such as remote working, screening, or confidentiality and non-disclosure agreements.
- Chapter 7: Physical (14 controls) – controls that concern physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms and facilities.
- Chapter 8: Technological (34 controls) – controls that concern technology, such as secure authentication, information deletion, data leakage prevention, or outsourced development.
4- New Controls Comparison
| ISO 27001:2022 | ISO 27001:2013 Equivalent |
| --- | --- |
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
| A.5.3.6 Conformity with policies of information security | A.18.2.3 Technical compliance review & A.18.2.2 Labelling of information |
| A.8.8 Management of technical vulnerabilities | A.18.2.3 Technical compliance review & A.12.6.1 Management of technical vulnerabilities |
5- The New Attributes Feature
The new attributes feature can be used to filter, sort or present controls in different views for different audiences. Note that the use of attributes is not mandatory. ISO/IEC 27002 Annex A gives the following example attributes and values:
- Control Types – preventative, detective, corrective
- Information Security Properties – confidentiality, integrity, availability
- Cybersecurity Concepts – identify, protect, detect, respond, recover
- Operational Capabilities – governance, asset management, information protection, human resources security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, legal and compliance, information security event management, information security assurance
- Security Domains – governance and ecosystem, protection, defence, resilience
At Rezilens we can help you implement the ISO 27001 standard and make sure that you are cyber resilient!
Gilbert Chee
Business Development Lead