The new ISO 27001:2022 Standard and what it means for your organisation

Published on: November 7,2022 Published in: Cyber Security ISO News

On Tuesday 25 October 2022, an update to the ISO/IEC 27001 main Standard was published.

The Standard is a revision to the 27001:2013 iteration, nine years since it was last updated. And it’s long overdue. With the digital landscape transforming rapidly over the last decade, the complexity and number of cyber threat vectors increases by the day.

This latest iteration is designed to address such threats, as well as ‘improve digital trust’ by focusing on future proofing organisations through an internally recognised framework, flexible enough to respect the objectives, priorities and tasks associated with that organisation.

What’s changed?

There have been a number of changes to the structure of the standard to better align with the ISO harmonised approach. These include;

  • A numbering re-structure 
  • Context and Scope – you must now identify the relevant requirements of interested parties and how they will be addressed within the ISMS (Information security Management system). The requirement to define processes needed for implementing the ISMS and their interactions
  • Leadership – The explicit requirement to communicate information security roles have been assigned and communicated to the organisation 
  • Planning  – Security objectives must now be monitored and made available as documented information. Along with a new clause 6.3  Planning of Changes to show how changes to the ISMS have been planned 
  • Support – As part of clause 7.4 a new requirement to ensure the organisation determines how to communicate
  • Operation – New requirements to establish criteria for operational processes and implement control of the processes
  • Performance and Evaluation – the management review now also needs to consider the changes to the needs and expectations of interested parties
  • Annex A – controls have now been aligned to the ISO27002:2022 Standard. These controls have been consolidated and 11 new controls added, there is more information on this below.

The core changes to the Standard apply to updates to the current controls in Annex A to align the Standard better with the recent changes to ISO/IEC 27002 – Information security, cybersecurity and privacy protection.

The Standard is still risk based and requires the organisation to have a statement of applicability to show how and why controls have been implemented.

The Core Changes to Annex A Controls in ISO/IEC 27001: 2022

1. The number of controls has reduced from 114 to 93

The total number of controls available for selection has been reduced from 114 to 93, although the decrease in controls is a result of some being merged, removed, updated and new controls introduced.

11 new security controls have been added, these are: 

  • A.5.7 Threat intelligence  
  • A.5.23 Information security for use of cloud services  
  • A.5.30 ICT readiness for business continuity  
  • A.7.4 Physical security monitoring  
  • A.8.9 Configuration management  
  • A.8.10 Information deletion  
  • A.8.11 Data masking  
  • A.8.12 Data leakage prevention  
  • A.8.16 Monitoring activities  
  • A.8.23 Web filtering  
  • A.8.28 Secure coding  

2. The structure has been consolidated into four key areas

The core changes see a movement from a prescribed Standard to more of a framework. There are four key areas (previously 14):

  • Organisational 
  • People
  • Physical  
  • Technological  

3. The concept of attributes has been introduced

Five attributes have been introduced in order to help organisations understand their security posture better:

  • Control type 
  • Information security properties 
  • Cybersecurity concepts 
  • Operational capabilities 
  • Security domains

Information for organisations currently going through certification

If you are currently in the middle of ISO 27001 implementation, you still have time to transition to the new controls as the changes are an amendment rather than a full revision, so this will minimise impact. If you are towards the end of implementation and close to certification, you are advised to continue with the existing controls.

Information for organisations with ISO 27001:2013 certification

All current existing certifications to ISO 27001:2013 have up to three years to transition. After this point, all ISO 27001:2013 certifications will no longer be valid. Your certification body will need to conduct an assessment within this time period and issue an updated certificate before then revalidating your certification.

Advice for organisations without ISO 27001 certification

If you are considering ISO 27001 implementation or it is a requirement for your organisation, i3Secure can support you through the process, right through to certification, aligning to the new ISO 27001:2022 Standard so that you are up to date and compliant for the future.

Organisations that adopt ISO/IEC 27001 can quickly demonstrate to stakeholders and their customers a commitment to managing information securely.

Key dates:

We’re here to help

Our specialist teams are well informed on the recent updates and what this means for your organisation so we are perfectly placed to support you in helping you transition and adopt the ISO/IEC 27001:2022 Standard.

Our experts can support you with your ISO 27001 compliance, minimise your information security risk, improve your data security, reduce the risk of data and security breaches, and help improve your cyber security posture from implementation right through the certification process. Find out more about ISO 27001 Consultancy here.

For an informal, no obligation chat, contact our team of specialists today or call +44 (0) 7593 579 984.

Related Insights

Cyber Security News Perspectives

Celebrating International Women’s Day with Head of Defence, Louise Percival

March 8,2024

Giving Back in Our Communities: Consultant Fraser Bruce and his Work with Cyrenians

December 19,2023
Forces Friendly News

Remembrance Day – What it Means to Me

November 8,2023
Forces Friendly Insights News

Harnessing the Value of Mentorship: From the RAF to i3Secure

October 26,2023

i3Secure Receives Prestigious Award from the Ministry of Defence for Outstanding Support for the Armed Forces Community

October 12,2023

On 5 October 2023, i3Secure joined 18 employers from across the Lowlands of Scotland to formally receive a prestigious award from the Ministry of Defence for their outstanding support for the Armed Forces Community.