What’s new in ISO/IEC 27001:2022?

Later this year, 2022, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) will publish the third edition of ISO 27001, officially named ISO/IEC 27001:2022. Our lead Information Security consultant, Etienne Shardlow, takes a look at what has changed.


The third edition of the International Standard for Information Security Management Systems, ISO/IEC 27002:2022, has been a long time coming and has been anticipated since about 2018. Revising the international standards is a collaborative effort by volunteers from public and private organisations who represent their respective countries on various committees and working groups.

The new edition of 27001 has no major changes to the body of the standard, but there are some slightly more significant changes to Annex A, the list of required controls, which is informed by the recently published ISO/IEC 27002:2022. For organisations already certified against the standard, and therefore demonstrating compliance with the standard’s requirements, this means a little bit of work needs to be done to maintain compliance. As is the norm with ISO standards, there is a transition period of 3 years for currently certified organisations, which only begins after ISO 27001 is officially updated and published later this year.

Let’s take a look at what stays the same:

The main body of the standard remains mostly unchanged, with a few minor changes to wording to improve clarity. Clauses 4 to 10 of the standard remain as they were:

  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

No controls in Annex A have been removed, although it may seem that way because there are only 93 controls in the new Annex A compared to the previous 114 controls. This is because a number of controls have been merged. There are also 11 new controls, which I will take a look at a little later.

Now let’s look at what has changed:

The changes in 27001:2022 all stem from changes made in ISO/IEC 27002:2022, the Information Security Controls guidance published on 15 February 2022.

The first notable change is the replacement of the 14 Control Areas with just 4 high-level sections. The four sections are:

  1. Organisational Controls (contains 37 controls)
  2. People Controls (contains 8 controls)
  3. Physical Controls (contains 14 controls)
  4. Technological Controls (contains 34 controls)

If we take a look at the 93 controls described in Annex A of ISO/IEC 27001:2022 and in ISO/IEC 27002:2022, we see that:

  • 35 controls remain unchanged apart from minor wording changes for clarity and new control numbering.
  • 23 controls have new names and new numbering but remain largely unchanged aside from minor wording changes for clarification.
  • 57 controls have been merged, primarily to simplify implementation.
  • 11 new controls have been added to address new ways of handling information and the pace at which they change. A lot has changed in the 8 years since the second edition was published.
  • 1 control was split: part of the Technical Compliance Review control was included in 3.6 – Compliance with policies, rules and standards for information security, and part of it became a part of 8.8 – Management of technical vulnerabilities.

The new controls added, together with the updates and merging of controls, reflect security practices that have emerged since the second edition was published in 2013. The new practices addressed by these updates include the use of cloud services, web filtering, threat intelligence, data masking and data leakage prevention (DLP). The Secure Coding control is one that addresses both traditional and emerging development lifecycle practices such as DevOps and DevSecOps.

Digging into some of the more detailed changes in 27002, we find that the updates to the Inventory and Ownership of Assets clauses effectively mandate an inventory of “information and associated assets”. Another significant change in 27002, and one I believe may cause some confusion and headaches, is the shift from references to “information assets” to the terms “primary assets” and “supporting assets”. 27002 also often refers to “associated assets”.

Look out for a follow-up post in which I will address some frequently asked questions and next steps for organisations wishing to maintain their 27001 certification.

If you have any questions, or notice any important changes I have neglected in this post, feel free to get in touch or leave a comment below.

The complete list of 93 Controls found in ISO/IEC 27001:2022

Organisational Controls (37 controls):

  • Policies for information security
  • Segregation of duties
  • Management responsibilities
  • Contact with authorities
  • Contact with special interest groups
  • Threat intelligence (new)
  • Information security in project management
  • Inventory of information and other associated assets
  • Acceptable use of information and other associated assets
  • Return of assets
  • Classification of information
  • Labelling of information
  • Information transfer
  • Access control
  • Identity management
  • Authentication information
  • Access rights
  • Information security in supplier relationships
  • Addressing information security within supplier agreements
  • Managing information security in the ICT supply chain
  • Monitoring, review and change management of supplier services
  • Information security for use of cloud services (new)
  • Information security incident management planning and preparation
  • Assessment and decision on information security events
  • Response to information security incidents
  • Learning from information security incidents
  • Collection of evidence
  • Information security during disruption
  • ICT readiness for business continuity (new)
  • Legal, statutory, regulatory, and contractual requirements
  • Intellectual property rights
  • Protection of records
  • Privacy and protection of PII
  • Independent review of information security
  • Compliance with policies, rules and standards for information security
  • Documented operating procedures

People Controls (8 controls):

  • Screening
  • Information security awareness, education and training
  • Disciplinary process
  • Responsibilities after termination or change of employment
  • Confidentiality or non-disclosure agreements
  • Remote working
  • Information security event reporting

Physical Controls (14 controls):

  • Physical security perimeters
  • Securing offices, rooms and facilities
  • Physical security monitoring (new)
  • Protecting against physical and environmental threats
  • Working in secure areas
  • Clear desk and clear screen
  • Equipment siting and protection
  • Security of assets off-premises
  • Storage media
  • Supporting utilities
  • Cabling security
  • Equipment maintenance
  • Secure disposal or re-use of equipment

Technological Controls (34 controls):

  • User endpoint devices (updated)
  • Information access restriction
  • Access to source code
  • Secure authentication
  • Capacity management
  • Protection against malware
  • Management of technical vulnerabilities
  • Configuration management (new)
  • Information deletion (new)
  • Data masking (new)
  • Data leakage prevention (new)
  • Information backup
  • Redundancy of information processing facilities
  • Logging
  • Monitoring activities (new)
  • Clock synchronisation
  • Use of privileged utility programs
  • Installation of software on operational systems
  • Networks security
  • Security of network services
  • Segregation of networks
  • Web filtering (new)
  • Use of cryptography
  • Secure development life cycle
  • Application security requirements
  • Secure system architecture and engineering principles
  • Secure coding (new)
  • Security testing in development and acceptance
  • Outsourced development
  • Separation of development, test and production environments
  • Change management
  • Test information
  • Protection of information systems during audit testing
