ISO 27001 modifications: new controls for 2022 | Compliance point

Given the rapidly changing cybersecurity environment, many security standards are updated every few years. This has not been the case with ISO/IEC 27001, an entirely risk-based standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The current version, ISO/IEC 27001:2013, is widely used, and certification against it is recognised in 168 countries.

For one of the most widely adopted information security standards on the planet, it is somewhat surprising that it has not been updated in almost a decade. The wait is now coming to an end: after delays caused in large part by the pandemic, the International Organization for Standardization (ISO) is expected to publish a new version of ISO/IEC 27001 by the end of 2022.

What changes

The mandatory elements for certification in the first half of ISO/IEC 27001:2013, Clauses 4 to 10, are not expected to change in the upcoming 2022 version. In February this year, however, ISO released ISO/IEC 27002:2022, which supersedes the earlier ISO/IEC 27002:2013.

ISO/IEC 27002 essentially mirrors the controls in Annex A of ISO/IEC 27001 and provides detailed implementation guidance for each control. When the new version of ISO/IEC 27001 is released, expect the controls in Annex A to be aligned with those of ISO/IEC 27002:2022, so ISO/IEC 27002:2022 is a useful guide to what to expect.

It is important to note that, unlike the clauses in the first half of ISO/IEC 27001, which must be fully complied with for certification, the ISO/IEC 27002 controls are not mandatory in themselves. They are a reference set of generic information security controls intended for use by organizations:

  • As part of an information security management system (ISMS) based on ISO/IEC 27001
  • To implement information security controls based on internationally recognized best practices
  • To develop organization-specific information security management guidelines

In the 2022 update, the number of controls has decreased from 114 to 93, and they are now grouped into 4 themes (organizational, people, physical and technological) instead of the previous 14 sections. The reduction is the result of controls being merged, not deleted.

Eleven new controls have been added (in ISO/IEC 27002:2022 numbering: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering and 8.28 Secure coding). Three of them are described below:

A.5.7 Threat Intelligence

This control requires organizations to collect and analyse information about threats and to act on it appropriately. Such information can include data about specific attacks, the methods and tools attackers use, and the types of attack being observed. It should be gathered both internally and from external sources such as supplier reports, government agencies and industry announcements.

A.5.23 Information security for the use of cloud services

Requires the organization to define its information security requirements for the protection of its information in the cloud and to establish processes for the acquisition, use, management and termination (exit) of cloud services in line with those requirements.

A.8.23 Web filtering

This control requires access to external websites to be managed in order to reduce the exposure of users and systems to malicious content, for example by blocking access to sites or categories of sites that are known to be malicious.

The ISO 27001 change schedule

As mentioned, publication of ISO/IEC 27001:2022 is scheduled for the fourth quarter of this year.

Assuming the change follows the typical pattern for new versions of ISO standards, accreditation bodies will grant a transition period of 12 to 24 months, giving you time to update processes and documentation, train employees and so on. This means that if your ISMS is already certified, any recertification audit scheduled for 2022 will be conducted against the 2013 standard.

If you are currently planning your first certification and will obtain your initial ISMS certification in 2022 or early 2023, the 2013 standard will also apply.

Organizations should therefore plan to start implementing elements of the new standard in 2023, whether they are recertifying or certifying for the first time, and to move over completely from the middle or second half of 2023 onwards, depending on their certification dates. The 2013 standard is likely to be withdrawn in 2024.

Transitioning to the new standard will be a necessity for currently certified organizations, and those on their first certification journey will need guidance on timing. Wherever you are on the path, having a trusted advisor is essential.
