In October 2022, ISO 27001 introduced new changes. The internationally recognised standard on how to manage your information security was first launched in 2005 and underwent its last update in 2013. Since then, new technologies such as cloud computing have come to dominate the business landscape, bringing new security challenges with them. Global cybercrime is estimated to grow by 15% per year, reaching a staggering $10.5 trillion by 2025. The latest revision, ISO 27001:2022, reflects the state of cyber security today, with a view to improving and managing your organisation’s resilience to cyber threats and vulnerabilities.
In this blog, we tell you everything you need to know about ISO 27001’s newest improvements, including the key changes, what it means if your business is already certified to ISO 27001:2013, and what to do if you’ve already begun your ISO 27001 implementation.
What are the key changes to ISO 27001?
Here’s a rundown of the key amendments to ISO 27001:
- A name change
- 11 new controls have been added to Annex A
- The number of controls has decreased from 114 to 93
- The controls are grouped into 4 sections, instead of the previous 14
- Editorial changes to clauses 4 to 10
ISO 27001 has a new title
The first noticeable change to the standard is its name: ISO/IEC 27001:2022 Information Security, Cyber Security and Privacy Protection. Expanding the name to include ‘cyber security and privacy protection’ better reflects the purpose of the standard, broadening its scope to cover the more technical aspects of cyber security, cloud services and threat intelligence, as well as the human elements of privacy protection.
Annex A: 11 new controls
The biggest change to ISO 27001 is the introduction of 11 new controls to Annex A. Annex A defines the controls that can be used to minimise the information security risks identified during the risk assessment process. The new controls reflect changes in technology and the evolution of cyber threats, and address risks that the previous version did not cover. They are:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Bear in mind that not all controls are mandatory. Certification bodies will allow you to exclude a control if you have identified no related risks, or if there is no legal or regulatory requirement to implement that particular control.
Restructuring of controls
The number of controls has reduced from 114 to 93. They are now split into four themed categories, instead of the previous 14. They are:
- People (8 controls)
- Organisational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
The reason for reducing the number of categories is to simplify the implementation of your Information Security Management System (ISMS) and to add clarity to the process. For example, a business will typically have different people responsible for implementing different sets of controls. Reducing the number of controls, and grouping them into four themes, makes it easier for the implementation team to see who inside the organisation is responsible for each set. Though it may look at first like a minor administrative change, it can have a real impact on the way the standard is implemented.
What about changes to the clauses?
In broad strokes, ISO 27001:2022 is the same standard as before, with the same aims. However, there have been some minor editorial changes to clauses 4 to 10, designed to offer greater clarity to businesses. This means you need to review the clauses as well as the application of the new controls in Annex A, to make sure you have addressed everything. Particular areas to look at include:
- Clause 4.2 – Understanding the needs and expectations of interested parties
- Clause 5.3 – Organisational roles, responsibilities and authorities
- Clause 6.1.3 – Information security risk treatment
- Clause 6.2 – Information security objectives and planning to achieve them
- Clause 6.3 – Planning of changes
- Clause 7.4 – Communication
- Clause 8.1 – Operational planning and control
- Clause 9.3 – Management review
What do the new changes to ISO 27001 require you to do?
I am already certified, so how will the new changes affect my business?
If your organisation is already certified to ISO 27001:2013, your certification will remain valid, and organisations have up to 3 years to transition to the new standard. However, it is worth checking with your certification body, as some may stop certifying to the 2013 version of the standard earlier than this.
Certification bodies themselves will naturally go through a transitional period to ensure a certification scheme exists that aligns with the new changes, while also getting auditors up to scratch with the revised scheme. The formal transition requirements are defined here, and they describe the steps required to transition to ISO 27001:2022.
What happens if I am in the middle of an implementation?
There’s no need to panic if you’re mid-way through implementation, as you can still certify to the 2013 version until 2025, assuming your chosen certification body allows this. Depending on the timescale of your project, it may be more efficient to certify to ISO 27001:2013 and update to the newer version at a later date. Alternatively, if you are only at the beginning, you could use the new Annex A controls from 27001:2022 and compare these with the 2013 version of the controls in your Statement of Applicability.
What happens if I am starting an implementation?
This will depend on the length of your project. If you believe you can implement an ISMS within 3-6 months, it is likely that you will end up certifying to the old 2013 standard, as the certification bodies may not yet be ready to certify to the new version. However, as mentioned above, you could implement the new 2022 Annex A controls and compare these with the 2013 version of the controls in your Statement of Applicability, so that you are already part of the way towards the new standard. If implementation is likely to take longer, it would be wise to prepare for ISO 27001:2022 from the outset. Chat with your consultant to gauge the best option for certification.
Remember, preparation is key. So, we wouldn’t advise leaving it until the last minute to meet the new requirements of the standard. If you think you’re approaching readiness to certify against the 2022 edition, invest in an ISO 27001 gap analysis. This will outline where you are, where you need to be, and give you a handy list of things you need to achieve to become ISO 27001:2022 ready.
- ISO 27001 has been updated and its changes address global cyber security challenges and evolving business environments
- Annex A has been overhauled to include 11 new controls to reflect changes in technology and risks that were not previously covered
- The controls have been restructured to make it easier and quicker for businesses to implement
- Businesses have up to 3 years to transition to the new standard
- The changes to ISO 27001 are not vast; however, it will take time to understand the new structure and controls, quite apart from the additional burden of implementing or running your ISMS