ISO/IEC 27001 is widely recognized as the de facto international standard for information security. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
The first edition of ISO/IEC 27001 was published in 2005, evolving from the BS 7799 standard. A second edition followed in 2013, and the current edition, ISO/IEC 27001:2022, was published on 25 October 2022.
2022 update
Given the advancement and maturity of the cybersecurity industry, new editions are inevitable. Even before the pandemic forced changes, the way we work was already evolving towards remote, hybrid and work-from-anywhere models, and those models require updated security guidelines and controls.
Revision details are provided in the list of specific changes (see below).
In summary, the new ISO/IEC 27001:2022, in combination with ISO/IEC 27002:2022, is closely aligned with current cybersecurity practice and with the techniques used to address the corresponding threats and vulnerabilities. Additionally, the new attribute tags and control taxonomy in ISO/IEC 27002:2022 improve interoperability and enable cross-referencing with other well-known standards and frameworks, such as the NIST Cybersecurity Framework. This benefits organizations that adopt multiple standards and frameworks while securing their organization. As ISO states, compliance is more than a tick-box exercise; it is a roadmap to good information security.
What’s next
The ISO/IEC 27001:2022 edition will be translated or localized for each country in the coming months. Check with your local standards body for updates. Accreditation bodies around the world are expected to be ready to certify against the 2022 edition in late Q1 or early Q2 2023.
For organizations certified against the 2013 edition that are looking to recertify, or organizations seeking certification for the first time, White Label Consultancy can help simplify the certification process and provide the information needed for certification. We help by evaluating and prioritizing controls, which also strengthens your organization's security posture in the long term.
Prepare for ISO 27001 assessment and implementation
White Label Consultancy has a comprehensive program to help your organization along its journey, from initial assessment through implementation and preparation for certification. We begin with a clear scope definition and gap analysis to assess your current level of readiness. The discovery phase then supports an overall risk assessment, followed by strategic prioritization of the controls needed to address the identified risks. The result is a clear implementation plan that prepares your organization for the certification audits.
Why Choose White Label Consultancy?
- Extensive experience in strategic, tactical, operational and implementation-level cybersecurity work across a range of industries and technology areas
- Certified ISO/IEC 27001 Lead Implementer
- WLC proven methodology: leverage best-practice processes, templates and guidelines for each stage of the certification process
- A balanced approach to certification compliance requirements and related security controls, aligned with your organization's needs and priorities
Access the ISO/IEC 27001:2022 standard here: https://www.iso.org/standard/82875.html
List of specific changes
The revised contents of the 2022 edition are as follows.
The first set of changes is to the main body of the standard (Clauses 4 to 10), which covers the information security management system (ISMS) lifecycle: implementation, maintenance, change management and operation.
- Removed the executive summary section
- Updated the preface section
- Updated Clause 3 (Terms and definitions)
  - Added a reference URL
- Updated Clause 4.1
  - Revised the references to ISO 31000 in the Notes to point to the current edition
- New Clause 4.2 c)
- Updated Clause 4.4
  - Requirements now explicitly cover the processes needed to implement and maintain the ISMS, and the interactions between those processes
- Added a note to Clause 5.1
- Updated Clause 5.3
  - Explicit requirement to communicate information security roles and responsibilities within the organization
- Updated Clause 6.2
  - New requirements for information security objectives, added as sub-clauses d) (objectives shall be monitored) and g) (objectives shall be available as documented information)
- Added Clause 6.3, "Planning of changes"
- Updated Clause 7.4
  - New requirement that the organization determines what, when, with whom and how it communicates; the previous sub-clauses d) and e) are collapsed and restated as "how"
- Updated Clause 8.1
  - New requirements to establish criteria for the operational processes and to implement control of those processes in accordance with the criteria
  - Replaced "outsourced processes" with "externally provided processes, products or services", broadening the scope to reflect industry practice
- Updated Clause 9.2
  - Reorganized into Clause 9.2.1 "General" and Clause 9.2.2 "Internal audit programme"
- Updated Clause 9.3
  - Reorganized into Clauses 9.3.1 "General", 9.3.2 "Management review inputs" and 9.3.3 "Management review results"
  - New Clause 9.3.2 c)
- Clause 10.1 becomes "Continual improvement" and Clause 10.2 becomes "Nonconformity and corrective action" (the order of the two is swapped relative to the 2013 edition)
- Overall: restructured the sub-numbering of clauses to align with the ISO harmonized structure
- Overall: reworded some English sentences and syntax to allow easier and more accurate translation into other languages, so that localized non-English editions can be published sooner than for previous editions
- Overall: replaced "International Standard" with "document" throughout
The second set of changes realigns Annex A to correspond directly to ISO/IEC 27002:2022, which was published earlier in 2022.
- Removed references to control objectives, as they appear in neither Annex A nor ISO/IEC 27002:2022
- The 14 control domains of the 2013 edition have been reorganized into four themes: organizational, people, physical and technological controls
- The 114 controls have been revised and consolidated into 93 controls, including 11 new controls covering:
  - Threat intelligence
  - Information security for use of cloud services
  - ICT readiness for business continuity
  - Physical security monitoring
  - Configuration management
  - Information deletion
  - Data masking
  - Data leakage prevention
  - Monitoring activities
  - Web filtering
  - Secure coding