Have you evolved to ISO 27001:2022? Get the updates and how they affect you.
As the digital world rapidly evolves, organizations face growing cybersecurity challenges and the need for robust information security management. To address these concerns, the latest version of ISO 27001 was published on October 25, 2022. This new standard helps organizations protect their information assets and maintain digital trust in today’s interconnected landscape. We will explore the significant changes in ISO 27001:2022 and what they mean for your organization’s information security posture.
Summary – Key Changes in ISO 27001:2022
Editorial Revisions
- Many changes in the new standard are editorial, such as replacing “international standard” with “document” for better international translation and readability.
ISO Harmonization
- The standard aligns with the ISO harmonized approach, including restructured numbering and requirements to define processes needed for implementing the ISMS and their interactions.
- The standard also introduces explicit requirements for organizational communication related to information security.
Core Changes in Annex A
- Annex A underwent significant changes to align with ISO 27002:2022, including a reduction in controls from 114 to 93.
- Some controls have been deleted, while others were merged or revised. Eleven new security controls were added to address emerging threats, such as cloud services security and threat intelligence.
The Organizational Impact of ISO 27001:2022
The changes aim to make it easier for organizations to map and implement appropriate security controls across various business functions. The controls are now grouped into four key areas:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
This restructuring simplifies the previous 14 areas, making it easier to manage and apply the necessary security measures.
Changes in the Management System
ISO 27001:2022 introduces a few adjustments to clauses 4 through 10 to align with other ISO management standards and Annex SL. Here’s a quick summary of the changes:
- Clause 4.2 (Understanding the needs and expectations of interested parties): Now includes an analysis of the requirements of interested parties that must be addressed through the ISMS.
- Clause 4.4 (Information security management system): Planning for processes and their interactions as part of the ISMS is now explicitly required.
- Clause 5.3 (Organizational roles, responsibilities, and authorities): A phrase was added to emphasize that roles should be communicated internally.
- Clause 6.2 (Information security objectives and planning to achieve them): A new item requires that objectives be monitored.
- Clause 6.3 (Planning of changes): This new clause mandates that changes in the ISMS should be planned.
- Clause 7.4 (Communication): Item (e), which required setting up communication processes, has been removed.
- Clause 8.1 (Operational planning and control): Introduces new requirements for establishing criteria for security processes and implementing them accordingly. The requirement to implement plans for achieving objectives has been removed.
- Clause 9.3 (Management review): A new item clarifies that inputs from interested parties should pertain to their needs and expectations and be relevant to the ISMS.
- Clause 10 (Improvement): The order of subclauses has been rearranged; continual improvement is now first (10.1), followed by nonconformity and corrective action (10.2), but the text remains the same.
New Annex A security controls
Some of the new controls in ISO 27002:2022 may resemble the old ones from the 2013 revision. However, for your awareness, we have included all controls categorized as new in the latest version.
The article uses the ISO 27002:2022 guidelines as its primary source, providing an overview of how to implement each control from the technology, process, personnel, and documentation standpoints.
For a more detailed understanding, consider purchasing the ISO 27002 standard from the ISO website. Remember, adhering to ISO 27002 guidelines is optional for ISO 27001 compliance.
Now, let’s dive into how to implement the 11 new controls:
A.5.7 Threat Intelligence
This control focuses on gathering and analyzing information about potential threats to implement effective mitigation strategies. It includes data on specific attacks, methods, technologies used by attackers, and attack trends. Information can be sourced internally or from external parties such as vendor reports and government agencies.
- Technology: Smaller companies may not need new technology; instead, they can leverage existing systems to extract threat data. Larger companies may require a system for alerts on new threats, vulnerabilities, and incidents. All companies should use threat information to strengthen their systems.
- Organization/Processes: Establish procedures for collecting and using threat intelligence to apply preventive measures in IT systems, enhance risk assessments, and adopt new security testing methods.
- Personas: Educate employees on the importance of reporting threats and train them on how to communicate these threats and to whom.
- Documentation: While ISO 27001 does not mandate documentation, you may wish to include threat intelligence guidelines in the following documents:
  - Supplier Security Policy: Outlines how threat information is shared with suppliers and partners.
  - Incident Management Procedure: Describes how threat information is communicated within the company.
  - Security Operating Procedures: Explains how to gather and handle threat data.
A.5.23 Information Security for Cloud Services
This control mandates setting security requirements for cloud services to safeguard your information in the cloud. It covers the entire lifecycle, from procurement and usage to management and termination of cloud services.
- Technology: Generally, no new technology is needed as most cloud services come with built-in security features. You may need to upgrade to a more secure service or switch providers if necessary. In most cases, simply maximizing existing cloud security features will suffice.
- Organization/Processes: Establish a process to set security criteria for selecting cloud providers and define acceptable cloud use and security measures for discontinuing services.
- Personas: Educate employees about cloud security risks and train them to use cloud security features effectively.
- Documentation: ISO 27001 doesn’t require specific documentation, but smaller companies may include cloud service rules in the Supplier Security Policy. Larger companies may create a separate policy focused on cloud security.
A.5.30 ICT Readiness for Business Continuity
This control ensures that your information and communication technology (ICT) is prepared for disruptions, allowing access to essential information and assets when needed. It involves planning, implementing, maintaining, and testing readiness measures.
- Technology: If you haven’t invested in resilience and redundancy solutions for your systems, you may need to consider options such as data backup or redundant communication links. These solutions should be planned based on your risk assessment and the desired speed of data and system recovery.
- Organization/Processes: Alongside planning, account for risks and business recovery needs. Also, establish maintenance procedures for your technology and testing processes for your disaster recovery and business continuity plans.
- Personas: Educate employees on potential disruptions and train them to maintain IT and communication systems for readiness.
- Documentation: While ISO 27001 doesn’t mandate documentation, smaller companies might incorporate ICT readiness into documents such as:
  - Disaster Recovery Plan: For planning, implementation, and maintenance.
  - Internal Audit Report: For readiness testing.
A.7.4 Physical Security Monitoring
This control mandates the monitoring of sensitive areas to restrict access to authorized individuals. It applies to locations such as offices, production sites, warehouses, and other facilities.
- Technology: Based on your risk assessment, you may need to implement alarm systems, video surveillance, or consider a non-technical approach like stationing a guard to monitor the area.
- Organization/Processes: Establish responsibilities for monitoring sensitive areas and set up communication channels for incident reporting.
- Personas: Educate employees about the risks of unauthorized physical access and train them to use monitoring technology effectively.
- Documentation: ISO 27001 doesn’t mandate documentation, but you may include physical security monitoring in the following documents:
  - Physical Security Procedures: Define what’s monitored and who manages the monitoring.
  - Incident Management Procedure: Outline how to report and handle physical security incidents.
A.8.9 Configuration Management
This control involves managing the entire lifecycle of technology security configuration, including definition, implementation, monitoring, and review, to maintain security and prevent unauthorized changes.
- Technology: Configuration management applies to software, hardware, services, and networks. Smaller companies may not need additional tools, but larger companies might require software for enforcing configurations.
- Organization/Processes: Establish a process for proposing, reviewing, and approving security configurations, along with managing and monitoring them.
- Personas: Educate employees on the importance of controlling security configurations and train them on defining and implementing configurations.
- Documentation: ISO 27001 mandates documentation of this control. Small companies can include configuration rules in Security Operating Procedures, while larger companies might create separate procedures for configuration management.
A.8.10 Information Deletion
This control focuses on deleting data when no longer needed to prevent sensitive information leaks and ensure compliance with privacy and other regulations. This involves data deletion in IT systems, removable media, and cloud services.
- Technology: Use secure deletion tools in accordance with regulatory or contractual requirements and risk assessment.
- Organization/Processes: Establish a process to define which data should be deleted and when, specifying responsibilities and methods.
- Personas: Train employees on the importance of proper data deletion and how to perform it.
- Documentation: ISO 27001 does not require documentation, but you may include information deletion rules in documents such as Disposal and Destruction Policy, Acceptable Use Policy, and Security Operating Procedures.
A.8.11 Data Masking
This control involves using data masking alongside access control to limit sensitive information exposure, primarily for personal data due to privacy regulations, but also for other types of sensitive data.
- Technology: Companies can use pseudonymization, anonymization, encryption, or obfuscation tools to mask data in line with privacy regulations.
- Organization/Processes: Define processes to identify which data should be masked, who can access specific types of data, and which masking methods to use.
- Personas: Educate employees on the importance of data masking and train them on which data to mask and how to do it.
- Documentation: ISO 27001:2022 doesn’t require documentation, but you might include data masking rules in:
  - Information Classification Policy: Identifies sensitive data and which categories need masking.
  - Access Control Policy: Specifies who can access masked or unmasked data.
  - Secure Development Policy: Outlines the technology used for data masking.
Larger companies, especially those needing compliance with the EU GDPR or similar privacy regulations, should also maintain:
- Privacy Policy / Personal Data Protection Policy: Sets overall data masking responsibilities.
- Anonymization and Pseudonymization Policy: Describes how data masking is implemented within the context of privacy regulation.
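To make the A.8.11 guidance concrete, here is an added example (not from the original article or from Qalea) that applies a per-field masking policy of the kind an Information Classification Policy would define: keyed pseudonymization for identifiers that must stay joinable, partial masking for contact data, and removal (anonymization) for the most sensitive fields. The field names, policy, sample record and key are constructed assumptions.

```python
import hmac
import hashlib

# Assumed secret; in practice it lives in a secrets manager and is rotated.
PSEUDONYM_KEY = b"rotate-me-and-keep-me-in-a-secrets-manager"

# Masking policy, one rule per field (constructed for this example):
#   pseudonymize: keyed hash, stable across records so analytics can still join
#   mask:         partial obfuscation that keeps a human-recognisable hint
#   drop:         anonymization, the value is removed entirely
#   keep:         not sensitive, passed through
POLICY = {
    "customer_id": "pseudonymize",
    "email": "mask",
    "phone": "mask",
    "iban": "drop",
    "order_total": "keep",
}

def pseudonymize(value: str) -> str:
    # HMAC rather than a bare hash: without the key, a dictionary of known
    # identifiers cannot be used to reproduce the pseudonyms.
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask(field: str, value: str) -> str:
    if field == "email" and "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    # Generic rule: keep only the last four characters.
    return "*" * max(len(value) - 4, 0) + value[-4:]

def apply_masking(record: dict, unmasked_access: bool = False) -> dict:
    """Return a masked copy of record. unmasked_access=True models a role that
    the Access Control Policy allows to see raw data."""
    if unmasked_access:
        return dict(record)
    out = {}
    for field, value in record.items():
        action = POLICY.get(field, "drop")   # unclassified fields default to drop
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value))
        elif action == "mask":
            out[field] = mask(field, str(value))
        # "drop": the field is omitted from the output
    return out

# Constructed sample record (not real personal data).
SAMPLE = {"customer_id": "C-10042", "email": "jane.doe@example.com",
          "phone": "+4912345678901", "iban": "DE00123456780000000000",
          "order_total": 129.90, "note": "free-text, unclassified"}

if __name__ == "__main__":
    print(apply_masking(SAMPLE))
```

Because unclassified fields default to "drop", the free-text "note" field never leaves the system unmasked, which is the safe failure mode when classification lags behind schema changes.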
A.8.12 Data Leakage Prevention
This control requires measures to prevent unauthorized disclosure of sensitive information and detect potential incidents quickly. This involves data across IT systems, networks, and devices.
- Technology: Use monitoring systems for potential leakage channels such as emails, storage devices, and mobile devices. Implement prevention measures such as disabling downloads to removable storage, email quarantining, restricting copy-paste, and encrypting data.
- Organization/Processes: Establish processes to identify sensitive data, assess risks of various technologies (e.g., smartphone photography risks), monitor potential leakage channels, and select technology to block data exposure.
- Personas: Educate employees on the types of sensitive data handled by the company and the importance of preventing leaks. Train them on permissible and prohibited actions when handling sensitive data.
- Documentation: Although ISO 27001 does not mandate documentation, you might include data leakage prevention rules in:
  - Information Classification Policy: Higher sensitivity requires more prevention measures.
  - Security Operating Procedures: Guidance on monitoring and prevention systems for administrators.
  - Policy on Acceptable Use: Defines allowable and prohibited user activities.
A.8.16 Monitoring Activities
This control mandates monitoring your systems to detect unusual activities and, if necessary, trigger incident response. It encompasses IT systems, networks, and applications.
- Technology: Monitor security tool logs, event logs, access, main administrator activities, traffic flow, code execution, and system resource performance.
- Organization/Processes: Establish a process to determine which systems will be monitored, assign monitoring responsibilities, and choose monitoring methods. Create a baseline for unusual activities and set up a process for reporting events and incidents.
- Personas: Inform employees that their activities will be monitored, and define what constitutes normal behavior. Train IT administrators in using monitoring tools.
- Documentation: ISO 27001 does not require documentation, but smaller companies might include monitoring rules in Security Operating Procedures. Larger companies might create separate procedures detailing system monitoring.
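The "baseline for unusual activities" that A.8.16 asks for can be quite simple. The following added example (not from the original article or from Qalea) learns, per user, the source addresses seen during a known-good window and then flags three kinds of deviation in later login events: a source never seen for that user, activity outside assumed working hours, and a burst of failed logins. The log format, the working-hours window and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed login events (not real logs); the line format is an assumption.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

BASELINE_LOG = """\
2024-03-04T09:12:44Z user=alice src=10.0.0.5 result=success
2024-03-04T13:40:02Z user=alice src=10.0.0.5 result=success
2024-03-05T08:55:10Z user=bob src=10.0.0.9 result=success
2024-03-05T17:03:31Z user=bob src=10.0.0.9 result=success
"""
NEW_LOG = """\
2024-03-06T09:05:00Z user=alice src=10.0.0.5 result=success
2024-03-06T02:14:09Z user=alice src=203.0.113.7 result=success
2024-03-06T10:00:01Z user=bob src=10.0.0.9 result=failure
2024-03-06T10:00:05Z user=bob src=10.0.0.9 result=failure
2024-03-06T10:00:09Z user=bob src=10.0.0.9 result=failure
"""

WORK_HOURS = range(7, 19)   # 07:00-18:59 UTC, an assumed "normal" window
FAILURE_THRESHOLD = 3       # assumed; tune to the organisation's own baseline

def parse(log: str):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # malformed lines are skipped rather than aborting monitoring
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d

def build_baseline(log: str) -> dict:
    """Per user: the set of source addresses seen in successful logins."""
    baseline = defaultdict(set)
    for ev in parse(log):
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["src"])
    return baseline

def find_anomalies(log: str, baseline: dict) -> list:
    """Return (user, reason, detail) tuples for events that deviate from the baseline."""
    alerts, failures = [], defaultdict(int)
    for ev in parse(log):
        user, src, hour = ev["user"], ev["src"], ev["ts"].hour
        if user not in baseline or src not in baseline[user]:
            alerts.append((user, "new_source", src))
        if hour not in WORK_HOURS:
            alerts.append((user, "off_hours", ev["ts"].isoformat()))
        if ev["result"] == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:   # alert once, on the threshold
                alerts.append((user, "failure_burst", failures[user]))
    return alerts
```

Each alert is a candidate for the event-reporting process described above; the baseline itself should be rebuilt periodically so that legitimate changes (a new office network, new staff) do not keep generating noise.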
A.8.23 Web Filtering
This control involves managing which websites your users access to safeguard your IT systems. By controlling access, you can avoid malicious code and prevent the use of illegal internet content.
- Technology: Use tools to block specific IP addresses and implement anti-malware software. You can also create a list of forbidden websites for users to avoid.
- Organization/Processes: Develop processes to identify prohibited website types and manage web filtering tools effectively.
- Personas: Educate employees on internet risks and provide guidance on safe use. Train system administrators in web filtering techniques.
- Documentation: ISO 27001 does not mandate documentation, but smaller companies might include web filtering rules in:
  - Security Operating Procedures: Outline rules for system administrators on implementing web filtering.
  - Acceptable Use Policy: Specify acceptable internet usage for all users.
A.8.28 Secure Coding
Implement secure coding practices throughout your software development process to minimize security vulnerabilities in your software. This includes activities before, during, and after coding.
- Technology: Use tools to maintain an inventory of libraries, protect source code from tampering, log errors and attacks, and conduct testing. Additionally, incorporate security components such as authentication and encryption.
- Organization/Processes: Establish processes to define a minimum baseline for secure coding in both internal software development and third-party software components. Monitor emerging threats and secure coding guidance. Develop processes for choosing external tools and libraries, as well as for activities before, during, and after coding, including review, maintenance, and modification.
- Personas: Educate your software developers on the importance of secure coding principles and provide training on methods and tools for secure coding.
- Documentation: While ISO 27001 does not require documentation, smaller companies may choose to include secure coding rules in their Secure Development Policy. Larger companies may create specific procedures for secure coding for each of their software development projects.
Transition Period
For businesses currently certified under ISO 27001:2013, the International Accreditation Forum (IAF) has set October 31, 2025 as the transition deadline to ISO 27001:2022. Certification bodies had already begun certifying organizations to the new standard by October 31, 2023.
Tip: If you have already adopted the 2013 version of the standard and are looking to transition to ISO 27001:2022, we recommend talking with one of our ISO 27001 experts for guidance.
How Qalea Can Help
Adopting the new ISO 27001:2022 standard will strengthen your organization’s information security posture and support your digitization strategy. By implementing the changes, you can reduce the risk of breaches and enhance trust in your brand.
Qalea offers the platform and support to help your organization understand the changes and transition smoothly to the updated standard. With Qalea, ISO 27001 certification is not just a goal—it’s a reality within reach. Talk to an expert today to kickstart your ISO 27001 certification journey with Qalea.