In this post, I will show you what to expect from the newly updated ISO 27001:2022.
ISO 27001:2013 is a globally recognized information security standard that lets businesses protect their information using a clear and universally accepted framework.
However, technology, the threat landscape, and data privacy and information protection laws have changed considerably since 2013, and the standard is being revised to keep pace. ISO 27001:2022 is that revision, and it is expected to be released later this year.
The revision makes some important amendments to the current standard. Here's what to expect:
What's Changing With ISO 27001:2022?
One essential thing to note is the difference between the two documents in the ISO 27000 family that are being revised. ISO 27001 is the standard your organization is certified against; ISO 27002 is a companion guidance document, and you cannot be certified against it.
ISO 27002:2022 is the part that has already been published. It describes the new control set in detail and gives guidance on how best to implement each control. ISO 27001:2022 adopts that control set as its Annex A and remains the certifiable standard.
What Will Be Different Once The Update Is Released?
The most visible changes are in the control set (Annex A of ISO 27001, detailed in ISO 27002). Many controls have been reordered, updated, or merged, and a few have been removed.
ISO 27001:2022 lists 93 controls rather than the previous 114. Eleven controls are new, 24 were created by merging 57 of the old controls, and the remaining 58 were updated without being merged.
The controls are grouped into four 'themes' rather than the previous 14 clauses. These are:
- Organizational (clause 5, 37 controls)
- People (clause 6, 8 controls)
- Physical (clause 7, 14 controls)
- Technological (clause 8, 34 controls)
The 11 controls that didn't previously exist are (with their numbers in the new control set):
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Every control (not only the new ones) is tagged with five 'attributes', so that the control set can be filtered and grouped according to different views:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, information protection, identity and access management, threat and vulnerability management, and so on)
- Security domains (governance and ecosystem, protection, defence, resilience)
Other changes include the removal of the 'control objectives' that headed each group of controls in the 2013 version, and the dropping of 'Code of Practice' from the title of ISO 27002.
When Will The New Changes Happen?
ISO 27002:2022, which contains the new control set, was released on February 15th, 2022. The revised ISO 27001:2022 is expected to be published in October 2022, though this could be subject to change.
Companies currently in the process of implementing ISO 27001:2013 are advised to continue, since the management-system requirements in clauses 4 to 10 change very little, and then update their Statement of Applicability to the new Annex A once it is published.
If certification is not urgent for your business, you may prefer to wait until ISO 27001:2022 is released and be certified against the new version directly, which avoids a later transition audit.
What Does This Mean For Certification?
As mentioned, ISO 27001 is the standard companies are certified against, while ISO 27002:2022 is the guidance document describing how to implement the controls. Once ISO 27001:2022 is published, existing certificates will have to be migrated to it.
Accreditation bodies will give certification bodies and their clients time to implement the changes, engage with ISO 27001 consultants where necessary, and update their practice. The IAF transition period is three years from publication of ISO 27001:2022, so there is ample time to update an existing ISMS and pass a transition audit.
Certification bodies stop accepting new certifications and recertifications to ISO 27001:2013 well before the end of that transition period (the IAF cut-off is 18 months after publication of ISO 27001:2022). Businesses still working towards the 2013 version should therefore complete it as early as possible and plan their migration to the 2022 version.
What Are The Benefits Of Achieving ISO 27001 Certification?
Certification is recommended because ISO 27001 is the globally recognized standard. Holding it gives you, your customers, and your auditors confidence that your business is protected by a recognized, independently audited set of controls.
Other benefits include lower IT and incident costs, better alignment between security and business objectives, and a competitive edge over organizations without certification. These benefits help you win your customers' confidence and build relationships with other businesses.
ISO 27001:2022: FAQs
ISO 27001:2022 is the latest version of the international standard for information security management systems (ISMS). Here are some key questions answered:
What is ISO 27001:2022?
ISO 27001:2022 specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. An ISMS is a framework that helps organizations manage information security risks.
What's new in ISO 27001:2022 compared to the previous version?
The 2022 update keeps the risk-based approach of the 2013 version, aligns the main clauses with the latest harmonized structure for management system standards, and replaces Annex A with the new control set. Some key changes include:
- Clause 4 now requires you to determine which interested-party requirements will be addressed through the ISMS, and a new clause 6.3 requires changes to the ISMS to be planned.
- New controls for threat intelligence and an updated control for management of technical vulnerabilities.
- Updated terminology for better clarity.
- Consolidation of the Annex A controls (the reference control set) from 114 to 93.
Is ISO 27001 certification mandatory?
No, ISO 27001 certification is not mandatory for most organizations. However, it demonstrates your commitment to information security and can be a valuable differentiator when competing for business or attracting investors.
What are the benefits of implementing ISO 27001:2022?
Implementing ISO 27001 offers several benefits:
- Reduced risk of data breaches and cyberattacks.
- Improved information security posture.
- Enhanced customer trust and confidence.
- Easier demonstration of compliance with data protection regulations.
- Systematic approach to managing information security.
How do I get started with ISO 27001:2022?
Here are some steps to get started:
- Familiarize yourself with the standard's requirements (clauses 4 to 10) and the Annex A control set.
- Define the scope of your ISMS and conduct a gap analysis to identify areas where your organization needs improvement.
- Carry out a risk assessment, decide on risk treatment, and record the resulting control decisions in a Statement of Applicability.
- Develop an implementation plan.
- Implement the necessary controls and procedures, then run an internal audit and a management review.
- Seek certification from an accredited certification body (optional).
What are Annex A controls in ISO 27001:2022?
Annex A lists the reference security controls, grouped into four themes: organizational, people, physical, and technological. It is not simply a menu of recommendations: after the risk assessment, an organization must compare the controls it has chosen against Annex A and record in its Statement of Applicability which Annex A controls are included or excluded, and why.
About the Author:
Daniel Segun is the Founder and CEO of SecureBlitz Cybersecurity Media, with a background in Computer Science and Digital Marketing. When not writing, he's probably busy designing graphics or developing websites.