Information security is a corporate governance responsibility. It cannot be seen as an isolated initiative of the Information Technology team and should be handled as a business strategy topic. Within this perspective, organizations have struggled to protect controlled, critical, or confidential information from improper access that could cause irreversible damage to the business.

The ISO 27000 family of standards helps organizations secure information assets. Adopting this family of standards helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. ISO/IEC 27001 is the best-known standard of this family and covers the requirements for the information security management system (ISMS).

The revision

After nine years, on October 25, 2022, ISO 27001 was updated and the new ISO/IEC 27001:2022 was published, which created some expectations in the market.

This new version is intended to help organizations manage controls more effectively by grouping them into four clear “topics”: organizational, people, technological, and physical. This fundamental shift aims to achieve greater clarity, focus and accountability for information security inside an organization.

Even if this revision brings only moderate changes, it is important to study them closely. Therefore, in this post I will comment on all the changes and compare this revision from 2022 with the old version from 2013.

ISO 27001 is not ISO 27002

Before we start with the new features of the latest version, let’s discuss an important topic that still raises a lot of questions: don’t mix up ISO 27001 with ISO 27002.

To clarify, ISO 27001 is the standard to which you can certify your business, while 27002 is the supporting standard that provides guidance on implementing security controls. The most important difference is that ISO 27002 is not mandatory for ISO 27001 certification and your company cannot be ISO 27002 certified.

New revision, new title

One change that we can see right away is the new title of the standard, which reflects technological evolution and the broader scope of topics now associated with security.

Unlike ISO/IEC 27001:2013, the full title of the new version is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection. Comparing the two titles, we can see the subtle but important difference:

Old version (ISO/IEC 27001:2013): “Information technology – security techniques – information security management systems”.

New version (ISO/IEC 27001:2022): “Information security, cyber security and privacy protection — Information security management systems — Requirements”.

This change will not have any impact on your company. Just remember to update the documents where the standard is mentioned so that they state both the new name and the new version.

Annex A with a new look

At first glance, Annex A has changed a lot – the number of controls has dropped from 114 to 93, and they are organized into just four sections versus the 14 sections in the 2013 revision. However, on closer inspection, it becomes obvious that the changes to Annex A are only moderate and are in line with the updates to ISO/IEC 27002:2022, published in early 2022.

Annex A of ISO/IEC 27001:2022 has changed both in the number of controls and in their listing in groups. First, the annex title has been slightly changed from Objectives and Reference Controls to Information Security Controls Reference.

Returning to the reduction in the number of controls, it is mainly due to the merger of many of them. Let’s look at the numbers: 35 controls stayed the same, 23 were renamed, 57 controls were merged into 24, and one control was split into two. As we mentioned earlier, this reformulation was conducted to reflect technological updates and a more comprehensive approach to security domains. See how the 93 controls have been restructured into four large groups:

  1. A.5 Organizational controls – contains 37 controls
  2. A.6 Human resources controls – contains 8 controls
  3. A.7 Physical controls – contains 14 controls
  4. A.8 Technological controls – contains 34 controls

The new version also brought 11 new controls as mentioned below:

  1. Threat intelligence – gain information about threats, analyze them and take appropriate mitigation actions.
  2. Information security for the use of cloud services – establish security requirements for cloud services.
  3. ICT readiness for business continuity – ensure that ICT is prepared for disruptions and that information and assets are available when needed.
  4. Physical security monitoring – physical monitoring of sensitive areas for access control.
  5. Configuration management – full technology cycle management (define configuration, implementation, monitoring and revision).
  6. Deleting information – ensure the deletion of information when it is no longer needed, as a way of preventing information leaks, in particular, for sensitive and private information.
  7. Data masking – use “data masking” techniques combined with controls and access to limit exposure of sensitive information.
  8. Data leakage prevention – implement measures to prevent unauthorized disclosure of information.
  9. Monitoring activities – monitor systems to detect abnormal behavior and potential information security incidents.
  10. Web filtering – protect IT systems by managing which websites users can access.
  11. Secure coding – establish secure coding principles and apply them to software development.

Will the revision affect your current ISO/IEC 27001 certificate?

Good news! The new changes to ISO/IEC 27001:2022 will not affect your current ISO/IEC 27001 certificate. But it is important to be aware of the transition period.

According to the document “Transition Requirements for ISO/IEC 27001:2022” from the International Accreditation Forum, for companies already certified by ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by October 31, 2025.

Certification bodies should start certifying companies according to the new version from October 31, 2023, but certainly most of them will start much earlier. So, for those who are not yet certified, stay tuned for changes to incorporate them before starting your audit.

Final summary – how you will be impacted

As changes to the controls, and to the standard as a whole, are very minor, the transition to the new standard version will be smooth. It may be necessary to adapt and update a couple of requirements, but nothing too substantial. If the company is already certified, it is only necessary to implement the updates to maintain compliance with the new controls.

To summarize, changes to the main part of the standard are minor and can be done quickly, with only minor changes to documentation and processes. Changes to Annex A controls are moderate and can be handled primarily by adding the new controls to existing documentation.

Of course, expectations for the revision were high, and many professionals in the field expected more sweeping changes. But I’m sure companies that are already certified by the 2013 revision will be relieved that the work to be done is not that significant.

Technology to assist in the security of your company’s information

SoftExpert offers the most comprehensive and advanced software solution for information security management that meets the needs of the most stringent global regulations. SoftExpert Excellence Suite helps companies adhere to ISO/IEC 27001, reducing compliance costs, maximizing success, increasing productivity and reducing risk.

SoftExpert’s solution allows organizations to easily meet the requirements of ISO 27001, guaranteeing the three pillars of information security: Confidentiality, Integrity, and Availability (CIA). It assists in managing risks, controls, information security policies, assets, incidents, suppliers, KPIs, processes, among other needs. This drives organizational efficiency and reduces rework and waste. Do you want to learn more? Contact one of our experts who will be delighted to present our solution to you.

Camilla Christino


Business Analyst at SoftExpert, with a Bachelor's in Food Engineering from Instituto Mauá de Tecnologia. She has solid experience in the quality area in the food industry, with a focus on monitoring and adapting internal and external auditing processes, documentation of the quality management system (ISO 9001, FSSC 22000, ISO/IEC 17025), Quality Control, Regulatory Affairs, GMP, HACCP and Food Chemical Codex (FCC). She is also certified as a lead auditor for ISO 9001:2015.
