Key changes to ISO 27001 - updated November 2022

A support engineer working in a dark server room with her laptop

In accordance with ISO’s regular approach to reviewing their management system standards, an update to ISO 27002 was released on 15 February 2022. The update to ISO 27001 has been released, which includes within Annex A of the Standard the new and updated controls outlined within ISO 27002:2022. Read on to find out about the key changes to the standard.

Information included within this article is based on information available at the time of publishing – 8 November 2022

Key Details

The update to ISO 27001 was released in October 2022.
ISO 27002 was updated in February 2022.
The controls in 27002 have been reorganised into 4 chapters and classified into control domains.
ISO 27002 is no longer referred to as a “Code of Practice”.
11 new controls have been added to 27002, with others removed or reorganised to have 93 controls in total (down from 114 in the prior revision).

The main focus of the review and changed control objectives is to reflect the changing technical environment and threats. The new controls include:

Threat intelligence
Information security for the use of cloud services
ICT readiness for business continuity
Physical security monitoring
Data masking
Monitoring activities
Data leakage prevention
Configuration management
Web filtering
Information Deletion
Secure coding

This article provides a summary of the key changes to the standards and their impacts. Whilst we refer to the standards as ISO 27001 and ISO 27002 within this article, it should be taken to mean ISO/IEC 27001 and ISO/IEC 27002 respectively.

What has changed?

Structure of controls

Controls have been updated to reflect the change in the way we handle data in today’s information security climate. In the update, controls have been divided into one of four main chapters:

Organisational (37 controls) – relating to the organisation itself, e.g. policies for information
People (8 controls) – relating to individuals, e.g. confidentiality
Physical (14 controls) – relating to physical objects, e.g. security of offices
Technological (34 controls) – relating to technology, e.g. information deletion

The updates to the controls can be better adapted for the organisation’s use and reflect the environment in which information security operates today.

In addition, organisations can now use attributes to make it easier to categorise controls and create different views. The attributes can be used to sort, filter, or present controls in different ways for different audiences. Use of attributes is not mandatory. Each control will be tagged for each of the following attributes:

Control type

Preventive
Detective
Corrective.

Information security properties

Confidentiality
Integrity
Availability.

Cybersecurity concepts

Identify
Protect
Detect
Respond
Recover.

Operational capabilities

Governance
Asset management
Information protection
Human resource security
Physical security
System and network security
Application security
Secure configuration
Identity and access management
Threat and vulnerability management
Continuity
Supplier relationships security
Legal and compliance
Information security event management
Information security assurance.

Security domains

Governance and ecosystem
Protection
Defence
Resilience.

The organisation is also able to define their own attributes specific to their own needs.

How long do you have?

For organisations that are certified to ISO 27001, there is typically a 3 year transition period to enable sufficient time for organisations to update their management systems and approach. JAS-ANZ and the International Accreditation Forum (IAF) should release guidance relating to this in the coming days. Liaise with your conformity assessment body to confirm your transition timeframe.

For uncertified organisations that use ISO 27001 as a guide or structure for their management systems, there are no formal external requirements to realign to the new standard, however individual stakeholders may have their own views on transition timeframe.

Impact on ISO 27001

There is expected to be minimal impact on the management system elements of ISO 27001 itself. The annex to the standard – Reference control objectives and controls – will be updated to align with the changes to ISO 27002.

The primary link between the management system for information security and the specific controls to mitigate information security risks will be the Statement of Applicability (SoA). This SoA is a linking document between the organisation’s risk assessment and the controls of ISO 27002, providing justification for the exclusion of any controls from the organisation’s control environment. As organisations look to transition to the 2022 version of ISO 27001, they may review the existing controls included within their SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.

It is worth noting that ISO has updated the High Level Structure that informs management systems standards, adding a standard “Management of change” clause to element 6.3 and changing the way documented information is referenced in the standard (removal of the terms “retain” or “maintain” in favour of “keep”). It is unclear currently if ISO 27001:2022 will follow this amended structure.

Overview of controls

The new standard will include:

11 new controls,
Consolidate 19 previously individual controls,
3 controls from the 2013 revision of the standard will be removed,
61 controls will remain unchanged, although restructured.

New controls

The new controls included in 27002 (and therefore to be reflected in the revised ISO 27001) are:

Organisational

5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity.

People

Nil.

Physical

7.4 Physical security monitoring.

Technological

8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring services
8.22 Web filtering
8.28 Secure coding.

Consolidated controls

Included below are the new clauses which consolidate existing controls included within ISO 27002:2013. Clause numbers from ISO 27002:2013 have been included in brackets.

5.1 Policies for information (5.1.1, 5.1.2)
5.9 Inventory of information and other associated assets (8.1.1, 8.1.2)
5.10 Acceptable use of information and other associated assets (8.1.3, 8.2.3)
5.14 Information transfer (13.2.1, 13.2.2, 13.2.3)
5.15 Access control (9.1.1, 9.1.2
5.16 Identity management (9.2.1, 9.4.3
5.17 Authentication information (9.2.4, 9.3.1)
5.18 Access rights (9.2.2, 9.2.5, 9.2.6)
5.22 Monitoring, review and change management of supplier services (15.2.1, 15.2.2)
5.29 Information security during disruption (17.1.1, 17.1.2, 17.1.3)
6.8 Information security event reporting (16.1.2, 16.1.3)
7.10 Storage media (8.3.1, 8.3.2, 8.3.3)
8.1 User endpoint devices (6.2.1, 11.2.8)
8.8 Management of technical vulnerabilities (12.6.1, 18.2.3)
8.15 Logging (12.4.1, 12.4.2, 12.4.3)
8.24 Use of cryptography (10.1.1, 10.1.2, 18.1.5)
8.25 Secure development lifecycle (14.1.1, 14.2.1)
8.26 Application security requirements (14.1.2, 14.1.3)
8.29 Security testing in development and acceptance (14.2.8, 14.2.9)
8.31 Separation of development, test and production environments (12.1.4, 14.2.6)
8.32 Change management (12.1.2, 14.2.2, 14.2.3, 14.2.4).

Whilst many of these controls have been combined within the standard, each organisation should undertake a risk assessment of their information security environment, including threats, vulnerabilities, and control effectiveness and co-dependencies prior to removing or updating any controls.

Where to from here

The path forward for the release of the new standard varies depending on organisational and individual needs.

Currently certified organisations, determine a transition timeframe in consultation with your conformity assessment body/certification body. The expected maximum time frame is 3 years from release of the new standard.
Uncertified organisations, consult with your stakeholders to determine an appropriate transition timeframe.
Auditors, complete accredited update training or an appropriate bridging course to become familiar with the new requirements.
Other practitioners, complete appropriate update training or bridging courses for the new standard and stay on top of information published from reputable sources about the new standard, such as direct from ISO and the information security, cybersecurity and privacy protection technical committee, ISO/IEC JTC 1/SC 27.