The third edition of the International Standard for Information Security Management Systems, ISO/IEC 27002:2022, has been a long time coming and has been anticipated since about 2018. Revising international standards is a collaborative effort by volunteers from public and private organisations who represent their respective countries on the various committees and working groups.
The new edition of 27001 has no major changes to the body of the standard, but there are some slightly more significant changes to Annex A, the list of required controls, which is informed by the recently published ISO/IEC 27002:2022. For organisations already certified against the standard, and therefore demonstrating compliance with its requirements, this means a little work needs to be done to maintain compliance. As is the norm with ISO standards, there is a transition period of 3 years for currently certified organisations, which only begins after ISO 27001 is officially updated and published later this year.
Let’s take a look at what stays the same:
The main body of the standard remains mostly unchanged, with a few minor changes to wording to improve clarity. Clauses 4 to 10 of the standard remain as they were:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
No controls in Annex A have been removed, although it may seem that way because there are only 93 controls in the new Annex A compared to the previous 114. This is because a number of controls have been merged. There are also 11 new controls, which I will take a look at a little later.
Now let’s look at what has changed:
The changes in 27001:2022 all stem from changes made in ISO/IEC 27002:2022, the Information Security Controls guidance published on 15 February 2022.
The first notable change is the replacement of the 14 Control Areas with just 4 high level sections. The four sections are:
- Organisational Controls (contains 37 controls)
- People Controls (contains 8 controls)
- Physical Controls (contains 14 controls)
- Technological Controls (contains 34 controls)
If we take a look at the 93 controls described in Annex A of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 we see that:
- 35 controls remain unchanged apart from minor wording changes for clarity and new control numbering.
- 23 controls have new names and new numbering but remain largely unchanged aside from minor wording changes for clarification.
- 57 controls have been merged primarily to simplify implementation.
- 11 new controls have been added to address the new ways in which we handle information and the pace at which those ways change. A lot has changed in the 8 years since the second edition was published.
- 1 control was split. The Technical Compliance Review control was split: part of it was included in 3.6 – Compliance with policies, rules and standards for information security, and part of it became part of 8.8 – Management of technical vulnerabilities.
The new controls, together with the updates and merging of existing controls, reflect security practices that have emerged since the second edition was published in 2013. The new practices addressed by these updates include the use of cloud services, web filtering, threat intelligence, data masking and data loss protection (DLP). The Secure Coding control addresses both traditional and emerging development lifecycle practices such as DevOps and DevSecOps.
Digging into some of the more detailed changes in 27002, we find that the updates to the Inventory and Ownership of Assets clauses effectively mandate an inventory of “information and associated assets”. Another significant change in 27002, and one I believe may cause some confusion and headaches, is the shift from references to information assets to the terms primary assets and supporting assets. 27002 also often refers to associated assets.
Look out for a follow-up post in which I will address some frequently asked questions and the next steps for organisations wishing to maintain their 27001 certification.
If you have any questions, or notice any important changes I have neglected in this post, feel free to get in touch or leave a comment below.
The complete list of 93 Controls found in ISO/IEC 27001:2022
| Organisational Controls (37 controls) | People Controls (8 controls) | Physical Controls (14 controls) | Technological Controls (34 controls) |
|---|---|---|---|
| Policies for information security | Screening | Physical security perimeters | User endpoint devices (updated) |
| Segregation of duties | Information security awareness, education and training | Securing offices, rooms and facilities | Information access restriction |
| Management responsibilities | Disciplinary process | Physical security monitoring (new) | Access to source code |
| Contact with authorities | Responsibilities after termination or change of employment | Protecting against physical and environmental threats | Secure authentication |
| Contact with special interest groups | Confidentiality or non-disclosure agreements | Working in secure areas | Capacity management |
| Threat intelligence (new) | Remote working | Clear desk and clear screen | Protection against malware |
| Information security in project management | Information security event reporting | Equipment siting and protection | Management of technical vulnerabilities |
| Inventory of information and other associated assets | | Security of assets off-premises | Configuration management (new) |
| Acceptable use of information and other associated assets | | Storage media | Information deletion (new) |
| Return of assets | | Supporting utilities | Data masking (new) |
| Classification of information | | Cabling security | Data leakage prevention (new) |
| Labelling of information | | Equipment maintenance | Information backup |
| Information transfer | | Secure disposal or re-use of equipment | Redundancy of information processing facilities |
| Access control | | | Logging |
| Identity management | | | Monitoring activities (new) |
| Authentication information | | | Clock synchronisation |
| Access rights | | | Use of privileged utility programs |
| Information security in supplier relationships | | | Installation of software on operational systems |
| Addressing information security within supplier agreements | | | Networks security |
| Managing information security in the ICT supply chain | | | Security of network services |
| Monitoring, review and change management of supplier services | | | Segregation of networks |
| Information security for use of cloud services (new) | | | Web filtering (new) |
| Information security incident management planning and preparation | | | Use of cryptography |
| Assessment and decision on information security events | | | Secure development life cycle |
| Response to information security incidents | | | Application security requirements |
| Learning from information security incidents | | | Secure system architecture and engineering principles |
| Collection of evidence | | | Secure coding (new) |
| Information security during disruption | | | Security testing in development and acceptance |
| ICT readiness for business continuity (new) | | | Outsourced development |
| Legal, statutory, regulatory, and contractual requirements | | | Separation of development, test and production environments |
| Intellectual property rights | | | Change management |
| Protection of records | | | Test information |
| Privacy and protection of PII | | | Protection of information systems during audit testing |
| Independent review of information security | | | |
| Compliance with policies, rules and standards for information security | | | |
| Documented operating procedures | | | |