After a period of almost 10 years, the global "gold standard" for proving robust cybersecurity, ISO 27001, has been updated; the new edition is more commonly referred to as ISO 27001:2022. Certification to ISO standards is not new to the IT sector; however, the demand for ISO certification has been increasing consistently. Tech giants across the globe practice the ISO 27001 norm as a standard not only to differentiate themselves from competitors but also to satisfy the increasingly challenging vendor approval requirements and conditions that organizations are applying to their supply chain. For a more centred focus on information security threats, and to protect an organization's information assets by establishing robust policies and procedures and the technical controls required to protect the confidentiality, integrity, and availability of information, a quick transition to the updated norms is necessary. With all the complexities around the changes, here is a simple breakdown of the major aspects to keep in mind and follow, so that you understand what the revision means and what you must do to make the process swift.
Main changes in the ISO 27001:2022 revision:
- The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.
- The changes in Annex A security controls are moderate.
- The number of controls has decreased from 114 to 93.
- The controls are placed into 4 sections, instead of the previous 14.
- There are 11 new controls, while no control was deleted, and many controls were merged.
To get the gist of it: there are no excluded controls. A total of 23 controls have had their names changed for the sake of easier understanding; however, their essence remains the same as in the old standard. A total of 57 controls have been merged into 24 new controls, and only one control was split:
18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules and standards for information security and 8.8 Management of technical vulnerabilities.
Lastly, a total of 35 controls remained the same, only changing their control number.
When compared to the 2013 revision, the changes in the ISO 27001:2022 revision are small to moderate. A brief clause-wise overview of the changes in ISO 27001:2022:
- In clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added, requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
- In clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
- In clause 5.3 (Organizational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
- In clause 6.2 (Information security objectives and planning to achieve them), item (d) was added, which requires objectives to be monitored.
- Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS be done in a planned manner.
- In clause 7.4 (Communication), item (e) was deleted; it required setting up processes for communication.
- In clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
- In clause 9.3 (Management review), the new item 9.3.2 c) was added, which clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
- In clause 10 (Improvement), the sub-clauses have changed places, so the first one is Continual improvement (10.1) and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.
Now let's move on to the 11 new controls, which deserve the most attention. Keep in mind that these controls are not mandatory: ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal, regulatory or contractual requirements to implement that particular control. Some of these new controls are very similar to old controls from the 2013 revision.
- A.5.7 Threat intelligence: This control requires you to gather information about threats and analyze it, in order to take appropriate mitigation actions. You should gather this information internally as well as from external sources; the information could be about particular attacks, attack trends, etc. No documentation is required by ISO 27001; however, you might include rules about threat intelligence in the following documents: Supplier Security Policy, Incident Management Procedure, Security Operating Procedures.
- A.5.23 Information security for the use of cloud services: This control requires you to set security requirements for cloud services in order to have better protection of your information in the cloud, covering purchasing, using, managing, and terminating the use of cloud services. No documentation is required by ISO 27001; a smaller company might include rules about cloud services in the Supplier Security Policy, while larger companies might develop a separate policy that focuses specifically on security for cloud services.
- A.5.30 ICT readiness for business continuity: This control requires your information and communication technology to be ready for potential disruptions, so that required information and assets are available when needed. No documentation is required by ISO 27001; for smaller companies, you might include ICT readiness in the following documents: Disaster Recovery Plan, Internal Audit Report. For larger organizations, or if you have implemented ISO 22301, you should document readiness through the Business Impact Analysis, etc.
- A.7.4 Physical security monitoring: This control requires you to monitor sensitive areas in order to enable only authorized people to access them. No documentation is required by ISO 27001; however, you might include physical security monitoring in the following documents: Procedures that Regulate Physical Security and Incident Management Procedure.
- A.8.9 Configuration management: This control requires you to manage the whole cycle of the security configuration for your technology, to ensure a proper level of security and to avoid any unauthorized changes. ISO 27001 requires this control to be documented.
- A.8.10 Information deletion: This control requires you to delete data when it is no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, on removable media, or in cloud services. No documentation is required by ISO 27001; however, you might include rules about information deletion in the following documents: Disposal and Destruction Policy, Acceptable Use Policy and Security Operating Procedures.
- A.8.11 Data masking: This control requires you to use data masking together with access control in order to limit the exposure of sensitive information. No documentation is required by ISO 27001; however, you might include rules on data masking in the following documents: Information Classification Policy, Access Control Policy and Secure Development Policy.
- A.8.12 Data leakage prevention: This control requires you to apply various data leakage prevention measures in order to avoid unauthorized disclosure of sensitive information and, if such incidents happen, to detect them in a timely manner. No documentation is required by ISO 27001; however, you might include rules on data leakage prevention in the following documents: Information Classification Policy, Security Operating Procedures and Policy on Acceptable Use.
- A.8.16 Monitoring activities: This control requires you to monitor your systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. No documentation is required by ISO 27001.
- A.8.23 Web filtering: This control requires you to manage which websites your users are accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code and prevent users from using illegal materials from the Internet. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about web filtering in the following documents: Security Operating Procedures and Acceptable Use Policy.
- A.8.28 Secure coding: This control requires you to establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding. No documentation is required by ISO 27001.
These controls share a generalized set of attributes that forms their base; the control attributes are as follows:
- Control Types: Preventive, Detective, and Corrective.
- Information Security Properties: Confidentiality, Integrity, and Availability.
- Cybersecurity Concepts: Identify, Protect, Detect, Respond, and Recover.
- Operational Capabilities: Governance, Asset Management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance.
- Security Domains: Governance and ecosystem, Protection, Defense, and Resilience.
These attributes will make it easier to understand which controls are applicable according to criteria relevant to the business (i.e., not related only to information security), as well as to integrate ISO 27002 controls with other similar security frameworks, like the NIST Risk Management Framework.
To summarize, changes in the main part of the standard are only small and can be done rather quickly, with only slight changes in the documentation and processes. Changes in the Annex A controls are moderate and can mostly be dealt with by adding the new controls to the existing documentation.
According to the document "Transition requirements for ISO/IEC 27001:2022" from the International Accreditation Forum, for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by October 31, 2025. So tighten your seat belts: this transition trip is going to test your art of racing in the rain!