The New ISO27001:2022 Standard is Published

After a false start, where the update was first put forward as an amendment rather than a new version, ISO27001:2022 has now been published by ISO and is available via their website for 118 Swiss Francs. It’s been nine years, to the month, since the previous version came out, so what’s new in this edition, and where do we go from here?

It’s fair to say that this update has been driven almost exclusively by two forces: a desire to make the management system requirements match the latest Annex SL structure and wording, and the need to align Annex A of the standard with the 2022 version of the ISO27002 guidance.

Let’s take these two factors in turn and explore what’s changed.


The management system

ISO27001 was one of the first standards to adopt the Annex SL high-level structure back in 2013, and since then the structure has been tweaked a little by ISO with the release of updates to ISO9001 and others from 2015 onwards. But the changes are small and are unlikely to give most certified organizations any sleepless nights.

Wording changes

Firstly, there are some wording changes in the following clauses:

  • 4.2 Understanding the needs and expectations of interested parties
    • A third bullet is added to specify “which of these requirements will be addressed through the information security management system”.
  • 4.4 Information security management system
    • The phrase “including the processes needed and their interactions” is added, requiring more definition of the processes of the ISMS.
  • 5.3 Organizational roles, responsibilities and authorities
    • The phrase “within the organization” is added at the end of the first sentence.
  • 6.1.3 Information security risk treatment
    • The notes are replaced.
  • 6.2 Information security objectives and planning to achieve them
    • The need to monitor objectives is added to the list.
  • 7.4 Communication
    • The previous wording about communication processes has been replaced with a simple “how to communicate”.
  • 8.1 Operational planning and control
    • The need to establish criteria for the processes of the ISMS has been added.

Changes to headings

There’s a new sub-clause 6.3 Planning of changes which deals with changes to the management system and requires any changes to be considered from the point of view of their purpose and consequences, the integrity of the ISMS, the resources available, and whether any changes to responsibilities and authorities are involved. This will require a simple planning process to be in place, with evidence that these areas have been considered.

Within Clause 9 (Performance evaluation) sub-clauses 9.2 (Internal audit) and 9.3 (Management review) have been further subdivided into 9.2.1 General, 9.2.2 Internal audit program, 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results respectively. The two sub-headings in Clause 10 have been swapped around. This is mainly to aid readability and to match the latest definition of Annex SL (also known as the “Harmonized Structure”).

The New Annex A Control Set

There has already been a lot written about the changes to Annex A, as we have known exactly what will change for some time, since the revision to the ISO27002 guidance document was published in early 2022.

As expected, there are now a total of ninety-three controls, grouped into four themes:

  • A.5 Organizational controls
  • A.6 People controls
  • A.7 Physical controls
  • A.8 Technological controls

Since the 2013 version had one hundred and fourteen controls, you might think that the number of controls had been reduced by twenty-one. But no: the clear statement is that not only are all of the previous controls incorporated into the new set, there are in fact eleven new ones:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

Some of these could rightly be seen as clarifications of previous controls (such as Physical security monitoring and Secure coding), some bring in content that was previously within other standards (for example, Information security for use of cloud services, from ISO27017), and some really are new – I don’t remember there being any reference to Threat intelligence in the old control set.

As well as the eleven new ones, there are twenty-four that are the result of merging fifty-seven of the 2013 controls, and fifty-eight that have been revised, giving the total of ninety-three.

What happens now?

So the 2022 ISO27001 is more “harmonized” and has a shiny new set of Annex A controls. What happens now? Well, if your organization is already certified to the standard then you have three years from publication to move across to the new version. The earliest you will probably be able to do this will be around the end of Q3 2023, as the certification bodies need to get their accreditation to the new version first.

If you’re currently working towards certification to the 2013 version, the last date on which you will be able to achieve this will be April 2024. The big decision then will be whether to carry on in that direction, or to move your efforts across to the 2022 version of the standard straight away.

The ISO27001 Toolkit has been updated and is in line with the 2022 standard, available to purchase on our website. We’ve also hosted a webinar, ISO27001:2022 – The New Standard, and the recording is available to watch.
