Everything you need to know about ISO 27001:2022

Understanding ISO 27001 – At a glance

Cloud computing and dependence on cyber storage have become prevalent across all industries. The systematic shift to the cloud computing setup has helped several companies enhance and strengthen their strategies. At the same time, it has augmented the risk possibilities. The cyber and information security risks need a thorough and careful assessment. Thus, the industry standard for information security management (ISMS) system, defined by ISO 27001, delivers a well-planned and structured framework. The systematic framework is critical for optimal data security, risk management, privacy compliance, and operational assurance. 

The objective of ISO 27001 is to provide a comprehensive and robust ISMS framework to promote the management measures of data security requirements.

1. Confidentiality of critical data
2. The integrity of information and setup
3. Availability of data and accessibility 

The changes and challenges 

The 2022 update for ISO 27001 was introduced to strengthen the existing ISMS. The challenges and gaps in the previous clauses and framework of the ISO 27001 certification made it indispensable for bringing the necessary changes. The new alterations in the framework of ISMS cover all the critical aspects related to potential threats, cybersecurity, and privacy obligations. The framework is undoubtedly complicated, but with the correct transition approach it gets simplified. 

ISO 27001: 2022 updates

The certification with the updated norms is now termed – ISO/IEC 27001:2022 for Information Security, Cybersecurity, and Privacy Protection. Annex A of ISO/IEC 27001 has the greatest number of changes, but there are other alterations. The significant changes in the certification include the following – 

1. Clause 4.4 Information security management system – The new clause in ISO 27001 is similar to ISO 9001. One can develop enhanced flowcharts and interactive models for strengthening the information security management system with the newly introduced changes. 
2. Clause 6.2 Information Security objectives – It states that the objectives of information security control need to be available for the stakeholders for optimal transparency. 
3. Clause 6.3 Planning of changes – If an organization proposes a change in the information system, the planning of changes must be documented.
4. Clause 8.1 Operational planning and control – Companies must have a well-defined setup for operational changes. 
5. Clause 9 Performance assessment – The evaluating and monitoring techniques of the organization should deliver analytical and comparable output for a better assessment.  
6. Clause 9.2 Internal audits – The internal assessment procedures must be comprehensive and cover the organizational needs beyond ISO 27001. 

Changes in Annex A – The control changes

Annex A has undergone the maximum changes. The new-age version of ISO 27001 Annex A is comprehensive and has been revised thoroughly. The number of controls in ISO 27001 has reduced to 93 from 114 and the control measures have been categorized into four sections.  

The segmentation has helped in simplifying the security attributes and eliminating possible repetitions. The new sections of the updated version of ISO 27001 contain the – 

• Section 5: Organizational (37 controls) 
• Section 6: People (8 controls) 
• Section 7: Physical (14 controls) 
• Section 8: Technology (34 controls)   

Simply put, 35 controls were not altered and among the rest, 23 controls were renamed. 57 controls were combined to create 24 new controls. Besides these, 11 controls got added as new parts in the ISO framework. 

The added controls in Annex A include the following – 

• Threat intelligence
• Information security for cloud service utilities
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information removal
• Data masking
• Data leakage prevention
• Activity monitoring
• Web filtration
• Protected coding 

The five attributes introduced in the ISO 27001 updated framework are – Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.

These help organizations to recognize the current status of their ISMS and deduce the shortcomings systematically. Also, it facilitates the adoption of updated security measures and ideal practices for efficient business operations.

Closing note – Make the transition hassle-free

Get a chance to streamline the security measures and improve the ISMS with a trouble-free transition from the older framework to the updated ISO 27001 norms of 2022. With IRQS, you can seek a solution for a transition audit. Get a systematic and expert-led service for the transition audit and streamline the process. The auditor helps recognize the requirements and highlight the shortcomings for a better transition to the updated norms.