ISO 27001:2022 – What businesses need to know about the changes and their impact
On October 25, 2022, ISO/IEC published a new version of ISO 27001, reflecting the need to address ever-expanding threats to the information security management systems (ISMS) of organisations. While most changes are cosmetic—with existing requirements restructured and refined—the updates include objectives and controls for organisations to best arm themselves against emerging threats.
ISO 27001:2022 is an updated version of the ISO 27001 standard. Its previous version, ISO 27001:2013, contained 114 controls divided across 14 domains. Annex A of ISO 27001:2022 includes the following changes:
- 11 new controls added,
- 1 control separated into 2,
- 57 controls merged into 24,
- 23 controls renamed,
- 3 controls removed, and
- 35 controls remain unchanged.
Even the title of this Annex has changed, from "Reference control objectives and controls" to "Information security controls reference." In the 2022 version, the number of controls has been reduced to a condensed set of 93 Annex A controls, which are now grouped into four themes instead of the previous 14 domains.
Annex A controls are grouped into four top-level categories. The 93 controls of ISO 27001:2022 are placed into the following four themes:
1. Organisational controls
- Number of controls: 37
- Control numbers: ISO 27001 Annex A, 5.1 to 5.37
This theme encompasses the laws, regulations, and operations of the organisation in relation to its approach to information security across a broad range of matters. Organisational controls address whether the organisation has a clear set of policies for keeping its ISMS secure, whether security roles and responsibilities are clearly defined and effectively communicated, and whether proper access controls are in place. Key areas include:
- Information security policies
- Supplier relationships
- Access controls
- Asset management
- Compliance
Other controls, including information security incident management and information security aspects of business continuity management, are newly added and are described in the section on the 11 new controls below.
2. People controls
- Number of controls: 8
- Control numbers: ISO 27001 Annex A, 6.1 to 6.8
This theme focuses on how an organisation's personnel should interact with its data and information systems in order to mitigate risks arising from human factors. These controls cover secure human resource management, personnel security, and awareness and training. People controls require every employee to be aware of their information security responsibilities, including security incident reporting and non-disclosure agreements.
3. Physical controls
- Number of controls: 14
- Control numbers: ISO 27001 Annex A, 7.1 to 7.13
Physical controls are safeguards employed to ensure the security of tangible assets and, therefore, to preserve confidential information. In general, an organisation should protect all physical locations where it stores sensitive data, including offices, data centres, and customer-facing premises. Examples of physical controls include:
- Guidelines for clear desk policies,
- Guest access logs,
- Retention and disposal protocols,
- Entry and access control systems.
4. Technological controls
- Number of controls: 34
- Control numbers: ISO 27001 Annex A, 8.1 to 8.34
Technological controls are the measures that organisations should adopt to maintain a protected and compliant IT infrastructure. They include authentication, encryption of data, and data loss prevention, which enable an organisation to secure data digitally and to control access rights and network security.
Key areas of technological controls:
- Cryptography: The standard requires companies to document their encryption techniques and demonstrate that appropriate encryption is used according to business needs.
- Operational Security: Protection of information processing facilities and ISMS systems.
- Network Security: Protection against attacks through network configurations, firewalls, and detection systems.
- System Acquisition, Development, and Maintenance: Security built in at every stage of the lifecycle of information security systems.
11 new controls introduced in the ISO 27001:2022 revision
- A.5.7: Threat intelligence – Requires companies to collect threat information both internally and externally to protect against specific attacks and technologies.
- A.5.23: Information security for the use of cloud services – Describes the management and protection of information in cloud services.
- A.5.30: ICT readiness – Requires that ICT readiness for business continuity objectives is planned, implemented, maintained, and tested.
- A.7.4: Physical security monitoring – Mandates the monitoring of sensitive areas such as offices and production facilities.
- A.8.9: Configuration management – Ensures that IT configurations are defined, documented, monitored, and reviewed.
- A.8.10: Information deletion – Requires companies to delete data once its purpose has been fulfilled.
- A.8.11: Data masking – Utilizes data masking techniques like encryption to protect sensitive data.
- A.8.12: Data leakage prevention – Implements measures to minimize the risk of unauthorized data disclosure.
- A.8.16: Monitoring activities – Calls for continuous monitoring of networks, technological resources, and software applications.
- A.8.23: Web filtering – Protects companies from websites containing potentially harmful code.
- A.8.28: Secure coding – Requires security measures to minimize vulnerabilities in code.