Blog ISO27001 Toolkit Version 11A – The New Controls

The New Controls

If you haven’t heard, the new set of controls specified in ISO27002:2022 consists of 93 individual controls organised into four themes, namely:

• Clause 5. Organizational controls
• Clause 6. People controls
• Clause 7. Physical controls
• Clause 8. Technological controls

Many of the controls from the previous version have been merged and there are eleven new ones to contend with, which are:

• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding

Decision Time

What this means is that organizations that are either already certified to the ISO27001 standard, or are working towards certification, have a choice to make of when to adopt the new control set. Many will undoubtedly simply wait until the new version of ISO27001 appears and then use the transition period (usually around 2 years) to make the switch.

However, there is an opportunity for some to get ahead of the change and to start the adoption of the new controls sooner. And that is what this update to the ISO27001 Toolkit is all about.

Version 11A of the Toolkit

In Version 11A we have added a new folder called ISO27002 2022 – New controls which provides a total of 25 additional documents covering the 11 new controls. These are a combination of policies, processes, reports and spreadsheet tools that allow an organization to start to address the new control requirements, whilst maintaining their current ISO27001:2013 ISMS (information security management system).

The list of new documents is as follows:

• ISO27001 2013 Statement of Applicability (with mapping to the new controls)
• ISO27002 2022 Control attributes
• ISO27002 2022 Gap Assessment Tool
• ISO27002 2022 Statement of Applicability
• Threat Intelligence Policy
• Threat Intelligence Process
• Threat Intelligence Report
• Cloud Services Policy
• Cloud Services Process
• Cloud Services Questionnaire
• Business Impact Analysis Process
• Business Impact Analysis Report
• Business Impact Analysis Tool
• CCTV Policy
• Configuration Management Policy
• Configuration Management Process
• Configuration Standard Template
• EXAMPLE Configuration Standard Template
• Information Deletion Policy
• Data Masking Policy
• Data Masking Process
• Data Leakage Prevention Policy
• Monitoring Policy
• Web Filtering Policy
• Secure Coding Policy

Of course, you’ll need to consider whether all of these controls are applicable to your organization in the usual “ISO27001 Statement of Applicability” way.

What Comes Next

When ISO publishes the new version of the ISO27001 standard (understood to be in 2022) we will be updating the CertiKit ISO27001 Toolkit accordingly (to Version 12) and this will also be available free of charge for those who qualify for our lifetime updates scheme. (This depends on the date you purchased your ISO27001 toolkit, speak to our team if you have any queries).

We expect there to be a transition period for the new standard, and it may well take some time for registered certification bodies to train their auditors up to certify against it, so the first certificates for ISO/IEC 27001:2022 may not be seen until 2023.

In summary, it’s an exciting but possibly confusing time for ISO27001 so don’t forget we’re here to help via our toolkits and related services, so feel free to get in touch.

More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources