Information Security

Key changes to ISO 27001 – updated November 2022

Published: October 13, 2022

In keeping with ISO’s regular review cycle for its management system standards, an updated ISO 27002 was published on 15 February 2022. The updated ISO 27001 followed in October 2022; its Annex A now lists the new and revised controls set out in ISO 27002:2022. Read on for the key changes to the standard.

Information included within this article is based on information available at the time of publishing – 8 November 2022 


Key Details

  • The update to ISO 27001 (ISO/IEC 27001:2022) was published on 25 October 2022.
  • ISO 27002 was updated in February 2022.
  • The controls in 27002 have been reorganised into four themes (organisational, people, physical, technological) and tagged with attributes, including security domains.
  • ISO 27002 is no longer referred to as a “Code of Practice”.
  • 11 new controls have been added to 27002; others have been merged or reorganised, giving 93 controls in total (down from 114 in the 2013 edition).

The main focus of the review is to reflect today’s technical environment and threat landscape. ISO 27002:2022 also drops the per-section control objectives of the 2013 edition; each control now carries its own purpose statement. The new controls are:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Data masking
  • Monitoring activities
  • Data leakage prevention 
  • Configuration management
  • Web filtering 
  • Information Deletion 
  • Secure coding 

This article provides a summary of the key changes to the standards and their impacts. Whilst we refer to the standards as ISO 27001 and ISO 27002 within this article, it should be taken to mean ISO/IEC 27001 and ISO/IEC 27002 respectively.

What has changed?

Structure of controls

Controls have been updated to reflect how information is handled and protected today. ISO 27002:2022 groups every control under one of four themes (clauses 5 to 8):

  • Organisational (37 controls, clause 5) – relating to the organisation itself, e.g. policies for information security
  • People (8 controls, clause 6) – relating to individuals, e.g. confidentiality or non-disclosure agreements
  • Physical (14 controls, clause 7) – relating to physical objects and places, e.g. physical security of offices, rooms and facilities
  • Technological (34 controls, clause 8) – relating to technology, e.g. information deletion

The regrouping maps the control set more directly onto the way organisations actually assign responsibility (governance, HR, facilities, IT) and reflects the environment in which information security operates today.

In addition, every control now carries a set of attributes that make it easier to categorise controls and build different views. Controls can be sorted, filtered or presented differently for different audiences, for example a view of only Detective controls for the security operations team, or only Availability-related controls for the continuity team. Using the attributes is not mandatory. In the standard the values are written as hashtags (e.g. #Preventive). Each control is tagged with one or more values from each of the following five attributes:

Control type 

  • Preventive
  • Detective
  • Corrective.

Information security properties 

  • Confidentiality
  • Integrity
  • Availability.

Cybersecurity concepts

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover.

Operational capabilities

  • Governance
  • Asset management
  • Information protection
  • Human resource security
  • Physical security
  • System and network security
  • Application security
  • Secure configuration
  • Identity and access management
  • Threat and vulnerability management
  • Continuity
  • Supplier relationships security
  • Legal and compliance
  • Information security event management 
  • Information security assurance.

Security domains

  • Governance and ecosystem
  • Protection
  • Defence
  • Resilience.

Organisations may also define attributes of their own (for example control owner, implementation status or maturity level) to suit their needs.
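As an added example (not code from the article, from ISO or from the training provider), the following Python models a handful of controls with the five standard attributes plus two organisation-defined ones, validates the tags against the standard’s vocabularies, and builds the kind of filtered views and coverage checks the attributes are meant to support. The vocabularies are the standard’s; which tags sit on each control is the author’s reading of ISO/IEC 27002:2022 and must be verified against a licensed copy before use in an SoA; the ‘owner’ and ‘excluded’ attributes and the exclusion reason are invented for the example.

```python
"""Attribute-tagged control catalogue with filtered views, ISO/IEC 27002:2022 style.

Added example, not code from the article, ISO or the training provider. The five
attribute vocabularies are the standard's own; which tags sit on each control is
the author's reading of the 2022 edition and must be verified against a licensed
copy. 'owner' and 'excluded' are organisation-defined attributes invented here.
"""
from dataclasses import dataclass, field

VOCABULARIES = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "properties": {"Confidentiality", "Integrity", "Availability"},
    "concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "capabilities": {
        "Governance", "Asset_management", "Information_protection", "Human_resource_security",
        "Physical_security", "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity", "Supplier_relationships_security",
        "Legal_and_compliance", "Information_security_event_management",
        "Information_security_assurance"},
    "domains": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}


@dataclass
class Control:
    id: str
    name: str
    control_type: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset
    custom: dict = field(default_factory=dict)  # organisation-defined attributes

    def __post_init__(self):
        # A tag outside the standard's vocabulary is almost always a typo in the SoA
        # spreadsheet; fail early rather than silently drop the control from views.
        for attr, allowed in VOCABULARIES.items():
            unknown = getattr(self, attr) - allowed
            if unknown:
                raise ValueError(f"{self.id}: unknown {attr} value(s) {sorted(unknown)}")


def control(cid, name, types, props, concepts, caps, domains, **custom):
    """Shorthand: each tag list is a space-separated string, as in the standard's tables."""
    fs = frozenset
    return Control(cid, name, fs(types.split()), fs(props.split()), fs(concepts.split()),
                   fs(caps.split()), fs(domains.split()), custom)


CIA = "Confidentiality Integrity Availability"
# A subset of the controls new in 2022 (tags: author's reading, verify against the standard).
# 8.22 is marked excluded with a constructed reason to show an organisation-defined attribute.
CATALOGUE = [
    control("5.7", "Threat intelligence", "Preventive Detective Corrective", CIA,
            "Identify Detect Respond", "Threat_and_vulnerability_management",
            "Defence Resilience", owner="SOC"),
    control("5.30", "ICT readiness for business continuity", "Corrective", "Availability",
            "Respond", "Continuity", "Resilience", owner="IT Ops"),
    control("8.11", "Data masking", "Preventive", "Confidentiality", "Protect",
            "Information_protection", "Protection", owner="Data Governance"),
    control("8.12", "Data leakage prevention", "Preventive Detective", "Confidentiality",
            "Protect Detect", "Information_protection", "Protection Defence", owner="SOC"),
    control("8.16", "Monitoring activities", "Detective Corrective", CIA, "Detect Respond",
            "Information_security_event_management", "Defence", owner="SOC"),
    control("8.22", "Web filtering", "Preventive", CIA, "Protect",
            "System_and_network_security", "Protection", owner="IT Ops",
            excluded="constructed example: no user web browsing from in-scope systems"),
    control("8.28", "Secure coding", "Preventive", CIA, "Protect",
            "Application_security System_and_network_security", "Protection",
            owner="Engineering"),
]


def applicable(controls):
    """Controls not marked excluded in the SoA."""
    return [ctl for ctl in controls if "excluded" not in ctl.custom]


def view(controls, **criteria):
    """Ids of controls matching every criterion, in catalogue order.

    A standard attribute takes a set of values that must all be present
    (concepts={"Detect"}); a custom attribute is compared by equality (owner="SOC").
    """
    def matches(ctl):
        for attr, wanted in criteria.items():
            if attr in VOCABULARIES:
                if not set(wanted) <= getattr(ctl, attr):
                    return False
            elif ctl.custom.get(attr) != wanted:
                return False
        return True
    return [ctl.id for ctl in controls if matches(ctl)]


def gaps(controls, attr):
    """Vocabulary values that no control in the set carries: a quick coverage check."""
    return VOCABULARIES[attr] - set().union(*(getattr(ctl, attr) for ctl in controls))
```

Running `gaps(applicable(CATALOGUE), "concepts")` on this sample returns `{"Recover"}`: none of the new controls in the sample is tagged Recover, which is the point of the attribute, since a recovery view has to draw on carried-over controls such as backup and continuity rather than on the 2022 additions alone. `view(applicable(CATALOGUE), control_type={"Detective"}, owner="SOC")` gives the SOC its detective controls, and the validation in `__post_init__` rejects a misspelled tag such as "Preventative" before it can silently vanish from every view.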

How long do you have?

For organisations certified to ISO 27001 there is a three-year transition period, set out in IAF MD 26:2022, running from the end of the month in which ISO 27001:2022 was published, i.e. until 31 October 2025. Accreditation bodies such as JAS-ANZ apply this through the certification bodies they accredit. Liaise with your conformity assessment body to confirm your transition plan and the audit at which you will be assessed against the new edition.

For uncertified organisations that use ISO 27001 as a guide or structure for their management system, there is no formal external requirement to realign to the new edition; individual stakeholders (customers, regulators, insurers) may, however, have their own expectations about timing.

Impact on ISO 27001

The impact on the management system clauses (4 to 10) of ISO 27001 is minimal. Annex A of the standard, now titled Information security controls reference, has been replaced to align with the ISO 27002:2022 control set.

The Statement of Applicability (SoA) remains the link between the information security management system and the specific controls that treat information security risks. It connects the organisation’s risk assessment and risk treatment plan to the controls in Annex A (and any others the organisation chooses), recording which controls are necessary, whether they are implemented, and the justification for including or excluding each Annex A control. When transitioning to the 2022 edition, organisations should map the controls in their existing SoA to the new Annex A numbering and re-check them against a current risk assessment of their environment, threats and vulnerabilities, rather than simply renumbering the existing entries.

It is worth noting that ISO has also updated the harmonised structure that all management system standards follow, adding a “Planning of changes” clause at 6.3 and changing the way documented information is referred to. ISO 27001:2022 follows this amended structure: clause 6.3 Planning of changes is new, and the other management system clauses have a handful of minor wording updates.

Overview of controls

The 2022 control set comprises:

  • 11 new controls,
  • 24 controls that consolidate 57 controls from the 2013 edition (the most commonly encountered consolidations are listed below),
  • one 2013 control, 18.2.3 Technical compliance review, split between 5.36 and 8.8,
  • the remaining controls carried over, renumbered and in many cases reworded.

New controls

The new controls in ISO 27002:2022 (and therefore in Annex A of ISO 27001:2022) are:

Organisational

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity.

People

  • Nil.

Physical

  • 7.4 Physical security monitoring.

Technological

  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.22 Web filtering
  • 8.28 Secure coding.

Consolidated controls

Listed below are the 2022 controls that consolidate controls from ISO 27002:2013, with the 2013 clause numbers in brackets. The list covers the consolidations most organisations will encounter; the full correspondence in both directions is given in Annex B of ISO 27002:2022.

  • 5.1 Policies for information security (5.1.1, 5.1.2)
  • 5.9 Inventory of information and other associated assets (8.1.1, 8.1.2)
  • 5.10 Acceptable use of information and other associated assets (8.1.3, 8.2.3)
  • 5.14 Information transfer (13.2.1, 13.2.2, 13.2.3)
  • 5.15 Access control (9.1.1, 9.1.2)
  • 5.16 Identity management (9.2.1, 9.4.3)
  • 5.17 Authentication information (9.2.4, 9.3.1)
  • 5.18 Access rights (9.2.2, 9.2.5, 9.2.6)
  • 5.22 Monitoring, review and change management of supplier services (15.2.1, 15.2.2)
  • 5.29 Information security during disruption (17.1.1, 17.1.2, 17.1.3)
  • 6.8 Information security event reporting (16.1.2, 16.1.3)
  • 7.10 Storage media (8.3.1, 8.3.2, 8.3.3)
  • 8.1 User endpoint devices (6.2.1, 11.2.8)
  • 8.8 Management of technical vulnerabilities (12.6.1, 18.2.3)
  • 8.15 Logging (12.4.1, 12.4.2, 12.4.3)
  • 8.24 Use of cryptography (10.1.1, 10.1.2, 18.1.5)
  • 8.25 Secure development lifecycle (14.1.1, 14.2.1)
  • 8.26 Application security requirements (14.1.2, 14.1.3)
  • 8.29 Security testing in development and acceptance (14.2.8, 14.2.9)
  • 8.31 Separation of development, test and production environments (12.1.4, 14.2.6)
  • 8.32 Change management (12.1.2, 14.2.2, 14.2.3, 14.2.4).

Although these controls have been combined in the standard, merging two 2013 controls into one 2022 control does not reduce what has to be done. Each organisation should reassess its information security environment, including threats, vulnerabilities, control effectiveness and the dependencies between controls, before removing or changing any control implementation.

Where to from here

The path forward varies with organisational and individual needs.

  • Currently certified organisations: agree a transition timeframe with your conformity assessment body/certification body. The maximum is three years from the publication of the new standard.
  • Uncertified organisations: consult your stakeholders to determine an appropriate transition timeframe.
  • Auditors: complete accredited update training or an appropriate bridging course to become familiar with the new requirements.
  • Other practitioners: complete appropriate update training or a bridging course for the new standard, and follow information published by reputable sources, such as ISO itself and its information security, cybersecurity and privacy protection technical committee, ISO/IEC JTC 1/SC 27.

We will be covering the updated ISO/IEC 27001 standard in our upcoming virtually delivered Information Security Management Systems course on 30 November – 2 December. If you’ve already attended one of our Information Security Management Systems courses, watch this space for information on our upcoming online bridging course that will bring your skills and knowledge up to date. 
