Most business processes are driven by the information and data stored within the organization's technical environment. Businesses must be able to protect their information-driven daily operations and critical data against cyber threats that pose significant risk to the organization. It is also important that businesses of all sizes have a recognized standard against which to demonstrate compliance and meet regulatory requirements.
After nearly a decade, the revised ISO/IEC 27001 was published on October 25, 2022, replacing the 2013 edition. ISO 27001 is the international standard for information security management systems (ISMS): it sets out the requirements an organization must meet to become certified, and it provides a framework for establishing, implementing, maintaining, and continually improving an ISMS.
The main updates are a major restructuring of Annex A, minor wording changes to several clauses in the main body, and a change to the title of the standard. ISO 27001 is designed to protect the confidentiality, integrity, and availability of an organization's information assets in the face of constantly evolving security threats. The main changes in the 2022 revision are the following:
The number of controls has decreased from 114 to 93
The controls are placed into four sections instead of the previous 14
There are 11 new controls; separately, many of the existing 2013 controls were merged with one another
For organizations already certified, the practical impact of the Annex A changes is moderate: most can be addressed by adding the new controls to existing documentation and updating the Statement of Applicability
Thirty-five controls have remained the same
Twenty-three controls were renamed
Fifty-seven controls were merged into 24 controls, and one control was split into two
The 93 controls have been restructured to four control groups or sections; these new control groups of ISO 27001 are:
A.5 – Organizational controls, containing 37 controls
A.6 – People controls, containing eight controls
A.7 – Physical controls, containing 14 controls
A.8 – Technological controls, containing 34 controls
ISO 27001:2022 has also added 11 new controls to Annex A:
Threat intelligence
Information security for the use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
The restructuring of Annex A is substantial, but it was designed to bring the control set into line with current technologies and practices and to simplify the grouping of controls. The 2013 edition's 14 domains have been replaced by four themes (Organizational, People, Physical, and Technological), and each control now carries a set of attributes (such as control type, information security property, and cybersecurity concept) that allow organizations to filter and view the controls from different perspectives.
Timelines for compliance
Organizations that already hold a certificate against ISO 27001:2013 have until late 2025 to transition to the 2022 edition. Organizations currently undergoing certification may still certify against the 2013 edition during the transition window, but they are bound by the same final deadline rather than receiving an additional two years from the date of their certificate.
Certification against the 2013 revision remains available until October 31, 2023, and every such certificate must be transitioned to the 2022 revision by October 31, 2025. Certification directly against the 2022 revision has been possible since its publication on October 25, 2022.
The changes to ISO 27001 will not have an immediate impact on compliance, and the revision should not be treated as a reason to postpone audit preparation. With the revised standard published in October 2022, further changes to the current edition are very unlikely in the near future. The transition period runs three years from publication, so documentation updates and implementation of the new controls are required by October 31, 2025 to remain certified.