Secured integration to the future

The new version of ISO/IEC 27001:2022: What should you know?

11.08.2023
The ISO/IEC 27001 standard is essential for businesses of all sizes and industries, as it sets out how to design, implement, maintain, and continually improve an information security management system. Those who follow this topic have already heard that a new version of the ISO/IEC 27001 standard has been released.
In this article, we will look at what has changed in the updated ISO/IEC 27001:2022, which was published in October 2022. The catalogue of security controls (ISO/IEC 27002:2022) was published in February 2022, so the changes to the control list in the new standard were known in advance.

ISO/IEC 27001:2022 provides an information security management system (ISMS) framework for companies of all sizes and industries. ISMSs are gaining importance because risk management plays an increasingly important role in many companies. With new cyber threats emerging almost daily and the environment constantly changing, companies that want to protect their business processes and information must be able to identify and effectively manage such risks.
The updated standard pays particular attention to best practices in risk management. The list of information security controls in the normative Annex A of ISO/IEC 27001:2022 is based entirely on the revised guidance of ISO/IEC 27002:2022.
What's new in ISO 27001:2022? What changes are worth knowing about?
Let's consider the main points. The text of the mandatory clauses 4 to 10 has changed only in part, mainly to align with ISO 9001, ISO 14001, and other management system standards.
Clauses of ISO 27001:2022 that have changed:
● 4.2 Understand stakeholder needs and expectations. Paragraph (c) has been added to require an analysis of which stakeholder requirements should be met by the ISMS.
● 4.4 Information security management system. A phrase has been added that requires the planning of processes and their interaction as part of the ISMS.
● 5.3 Roles, responsibilities, and authorities within the organization. A phrase has been added to clarify that roles are shared within the organization.
● 6.2 Information security objectives and planning for their achievement. Paragraph (d) has been added, requiring monitoring of objectives.
● 6.3 Change planning. This clause requires that any changes to the ISMS are made in a planned manner.
● 7.4 Communications. Paragraph (d), which required communication processes, has been removed.
● 8.1 Operational planning and control. New requirements have been added to establish criteria for security processes and to implement processes according to these criteria. In the same clause, the need to implement plans for achieving objectives has been removed.
● 9.3 Management review. A new paragraph, 9.3.2(c), has been added to clarify that input from stakeholders should be related to their needs and expectations and relevant to the ISMS.
● 10 Improvements. The subsections have been reversed so that the first one is now "Continuous Improvement" (10.1), and the second one is "Non-conformity and Corrective Action" (10.2). The text of these clauses has stayed the same.
At first glance, it may appear that Annex A has changed a lot: the number of controls has been reduced from 114 to 93, and it now consists of four sections, compared to 14 in the previous 2013 edition. However, a closer look reveals that the changes to Annex A are minor.
New controls were introduced in the organizational and physical groups. No controls have been removed, but many have been merged, which reduces the total number. It is worth noting that hashtags can now be used to facilitate search and navigation.

In the new ISO/IEC 27001:2022 standard, the control objectives have been removed, and the controls have been revised, updated, and supplemented. The list of controls in Annex A has thus become more straightforward and more modern, and it is grouped into four main domains:
1. Organizational controls (processes and policies): 37 controls;
2. People controls: 8 controls;
3. Physical controls: 14 controls;
4. Technical controls: 34 controls.
In total, Annex A of the new ISO 27001:2022 now contains 93 controls, 11 of which are new:
1. Threat analytics
2. Information security when using cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Deleting information
7. Masking data
8. Preventing data leakage
9. Activity monitoring
10. Web filtering
11. Secure coding
Annex A is limited to a list of controls. The ISO/IEC 27002:2022 implementation guide, however, provides a way to classify them: each control is given five attributes that can be used for filtering or sorting:
● Control type. An attribute that describes a control in terms of how it affects information security risk.
● Information security properties. An attribute that describes a control in terms of the property it aims to preserve.
● Cybersecurity concepts. An attribute that relates a control to the cybersecurity framework described in ISO/IEC TS 27110.
● Operational capability. An attribute that describes a control in terms of its information security capability.
● Security domains. An attribute that places a control in one of the four information security domains.
There are four main steps to take to meet the new requirements of ISO 27001:2022:
● Step one: review the risk register and the risk treatment methods applied to ensure compliance with the revised standard.
● Step two: revise the Statement of Applicability (SoA) to align it with the updated Annex A.
● Step three: review and update documentation, including policies and procedures, so that they meet the new control requirements.
● Step four: get audited against the new version of ISO 27001:2022.
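The attribute-based classification described above, together with the SoA alignment of step two, as an added example that is not part of the original article or of any ISO publication. It models controls as records tagged with the five ISO/IEC 27002:2022 attributes, filters them by tag, and reports which Annex A controls a Statement of Applicability does not yet cover or covers without a justification. The attribute vocabulary is the standard's own; the eleven controls are the ones the article lists as new, but their Annex A numbers and the tags assigned to each are assumptions made for this example, as is the sample SoA.

```python
from dataclasses import dataclass

# Attribute vocabulary defined by ISO/IEC 27002:2022 (values are written as hashtags).
# "capabilities" has more values in the standard than the ones used here.
VOCABULARY = {
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "capabilities": {"#Threat_and_vulnerability_management", "#Supplier_relationships_security",
                     "#Continuity", "#Physical_security", "#Secure_configuration",
                     "#Information_protection", "#Legal_and_compliance", "#Application_security",
                     "#Information_security_event_management", "#System_and_network_security"},
    "domains": {"#Governance_and_Ecosystem", "#Protection", "#Defence", "#Resilience"},
}


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    control_type: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset

    def __post_init__(self):
        # Reject tags outside the vocabulary: a typo in a hand-built catalog would
        # otherwise silently drop the control from every filtered view.
        for attr, allowed in VOCABULARY.items():
            unknown = getattr(self, attr) - allowed
            if unknown:
                raise ValueError(f"{self.ref}: unknown {attr} tag(s) {sorted(unknown)}")


def _c(ref, name, *tag_strings):
    """Build a Control from space-separated tag strings, given in VOCABULARY order."""
    return Control(ref, name, *(frozenset(s.split()) for s in tag_strings))


CIA = "#Confidentiality #Integrity #Availability"
# The eleven controls the article lists as new. Annex A numbers and tag assignments
# are assumptions made for this example (verify them against your copy of the standard).
NEW_CONTROLS = [
    _c("5.7", "Threat analytics", "#Preventive #Detective #Corrective", CIA,
       "#Identify #Detect #Respond", "#Threat_and_vulnerability_management", "#Defence #Resilience"),
    _c("5.23", "Information security when using cloud services", "#Preventive", CIA,
       "#Protect", "#Supplier_relationships_security", "#Governance_and_Ecosystem #Protection"),
    _c("5.30", "ICT readiness for business continuity", "#Corrective", "#Availability",
       "#Respond #Recover", "#Continuity", "#Resilience"),
    _c("7.4", "Physical security monitoring", "#Preventive #Detective", CIA,
       "#Protect #Detect", "#Physical_security", "#Protection #Defence"),
    _c("8.9", "Configuration management", "#Preventive", CIA,
       "#Protect", "#Secure_configuration", "#Protection"),
    _c("8.10", "Deleting information", "#Preventive", "#Confidentiality",
       "#Protect", "#Information_protection #Legal_and_compliance", "#Protection"),
    _c("8.11", "Masking data", "#Preventive", "#Confidentiality",
       "#Protect", "#Information_protection", "#Protection"),
    _c("8.12", "Preventing data leakage", "#Preventive #Detective", "#Confidentiality",
       "#Protect #Detect", "#Information_protection", "#Protection #Defence"),
    _c("8.16", "Activity monitoring", "#Detective #Corrective", CIA,
       "#Detect #Respond", "#Information_security_event_management", "#Defence"),
    _c("8.23", "Web filtering", "#Preventive", CIA,
       "#Protect", "#System_and_network_security", "#Protection"),
    _c("8.28", "Secure coding", "#Preventive", CIA,
       "#Protect", "#Application_security #System_and_network_security", "#Protection"),
]


def filter_controls(catalog, **wanted):
    """Controls carrying every requested tag, e.g. filter_controls(cat, concepts={"#Detect"})."""
    for attr in wanted:
        if attr not in VOCABULARY:
            raise ValueError(f"unknown attribute {attr!r}")
    return [c for c in catalog
            if all(set(tags) <= getattr(c, attr) for attr, tags in wanted.items())]


def soa_gaps(catalog, soa):
    """Step-two check: catalog controls the SoA does not mention at all, and SoA entries
    (ref -> (applicable, justification)) that carry no justification. A control marked
    not applicable still needs a reason, so both kinds of entry are checked."""
    refs = {c.ref for c in catalog}
    return {
        "missing": [c.ref for c in catalog if c.ref not in soa],
        "unjustified": [ref for ref, (_, why) in soa.items() if ref in refs and not why.strip()],
    }


# Constructed SoA fragment for an organisation that has not yet aligned with Annex A 2022.
SAMPLE_SOA = {
    "5.7": (True, "Feeds from the national CERT are reviewed weekly"),
    "5.23": (True, "All production workloads run in a public cloud"),
    "7.4": (False, "No premises of our own; serviced offices with landlord monitoring"),
    "8.28": (True, ""),  # applicable, but nobody recorded why or how
}

if __name__ == "__main__":
    for c in filter_controls(NEW_CONTROLS, concepts={"#Detect"}):
        print(f"{c.ref:5} {c.name}")
    print(soa_gaps(NEW_CONTROLS, SAMPLE_SOA))
```

Validation happens when a control is constructed rather than when it is queried, because a mistyped hashtag would otherwise make a control disappear from every filtered view without any error; the same idea applies when the catalog is loaded from a spreadsheet export of the real Annex A. The gap report is the piece a practitioner actually needs in step two: it lists controls that the old SoA never mentions (the merged and new ones are the usual culprits) and entries that an auditor would flag for lacking a justification.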
ISO certification is valid for 3 years, with surveillance audits required in the 2nd and 3rd years. Unlike full system audits, surveillance audits are mini-audits that assess whether the certified client's management system remains compliant with ISO 27001.
What will happen to companies that have already been certified under the old version, ISO 27001:2013?
There is no cause for concern: the old version of the standard can be used until 31 October 2025. After this date, any ISO 27001 audit must be based on the new version. Anyone planning to be certified in the near future can still be certified to the old standard until 30.04.2024, but within the first year they are required to switch to the new version of ISO/IEC 27002:2022. Surveillance audits are also carried out according to the latest version. We advise our clients to undergo training and certification according to the new standard. If you want to be certified according to the old standard, you will in fact need to undergo training and an audit twice.
We invite you to a business meeting, where we will build a plan for certification for your company according to ISO/IEC 27002:2022.