The Information Security Management Standard ISO 27001 was first published in 2005, with subsequent revisions in 2013 and, most recently, in October 2022. The most significant changes have been made to the security controls contained in Annex A.
What is ISO 27001?
ISO 27001 is an Information Security Management System (ISMS) standard that sets out guidelines, based on international best practice, for the development and maintenance of an ISMS.
What has changed in the new 2022 ISO 27001 revision?
The structure of ISO 27001 Annex A has undergone a complete overhaul: the updated version has been restructured and revised. First, the revised ISO 27001 no longer uses the commonly used phrase ‘code of practice’; its purpose is instead expressed through the set of information security controls it defines.
Secondly, the number of controls has decreased from 114 to 93 in the new version of ISO 27001. These security controls are now divided into four chapters instead of the previous 14. The new domains of ISO 27002:2022 are:
- Chapter 5: Organizational (37 controls)
- Chapter 6: People (8 controls)
- Chapter 7: Physical (14 controls)
- Chapter 8: Technology (34 controls)
In the newly revised ISO 27001, 35 controls remain unchanged, 23 controls have been renamed, and 57 controls have been merged into 24 controls. Only one control was divided into two: Control 18.2.3 – Technical Compliance Review has been split into 8.8 – Management of technical vulnerabilities and 5.3.6 – Conformity with policies and standards of information security. Eleven new controls have been added in the latest version:
- Threat Intelligence
- Physical security monitoring
- Data masking
- Information security for cloud services
- Monitoring activities
- ICT readiness for business continuity
- Data leakage prevention
- Configuration management
- Web filtering
- Information deletion
- Secure coding
Alongside the merging and addition of controls, five major security attributes have been introduced that make the controls easier to group: control type, operational capabilities, security domains, cybersecurity concepts, and information security properties.
Do I need new certification?
Absolutely not!
The revised ISO 27001 standard does not affect your existing certification, but accreditation bodies and certification companies will collaborate on a transition period to allow all currently certified organisations to move to the newer certification version.
It is, however, important to note that your Statement of Applicability (SoA) should still refer to ISO 27001:2013 Annex A, with ISO 27001:2022 used only as a reference guide to the revised 2022 controls.
You should not wait until accreditation bodies are able to certify you against the new revision of ISO 27001.
Waiting for the accreditation bodies will leave your organisation open to risks.
Contact Van Dijk Auditing and Consulting for your ISO 27001 certification via email: carien@vdac.co.za