Latest Updates Released on ISO/IEC27001

The international standard for information security, also known as ISO/IEC2700, specifies the criteria for a data security management system. The right strategy for the Information Security Management System (ISMS) standard is to aid organizations in regulating their Personal Identifiable Information (PII) security by addressing people, processes, and technology.

Besides, the ISO/IEC 27001 Standard is a part of the ISO/IEC 27000 series of information security protocols, widely acknowledged as proof that your information security management system follows the best industry practices. In a nutshell, the ISO/IEC 27001 framework assists enterprises in creating, implementing, running, monitoring, reviewing, maintaining, and continuously improving their ISMS.

As per the reports, the ISO/IEC 27002:2022 was released on February 2022. Although it’s unclear when the new ISO/IEC 27001 Annex A version will be formally available, it’ll undoubtedly be published soon after the ISO/IEC 27002 release.

The distinction between ISO/IEC 27001 and ISO/IEC 27002

Before delving into the updates, it’s crucial to comprehend the significant difference between ISO/IEC 27001 and ISO/IEC 27002.

ISO/IEC 27002 is the guideline for applying the controls (also known as ‘Annex A Controls’), and it thus gives us insight into the modifications. However, the actual certification standard for an organization is ISO/IEC27001. Hence, the revision of ISO/IEC 27001: 2022 depends on the changes in ISO/IEC 27002 guidelines.

ISO/IEC 27001 includes a list of security controls in Annex A but does not explain how to implement them. On the other hand, ISO/IEC 27002 lists the same controls and provides advice on how to implement them. However, the ISO/IEC 27002 guidance is optional, meaning that businesses can choose whether or not to follow it.

Thus, companies can be certified against ISO/IEC 27001, which is the core standard. However, companies cannot be certified against ISO/IEC 27002:2022, which is simply a supporting standard.

What to Expect from ISO/IEC 27002:2022 Updates?

Earlier known as domains, the updated version reduces the 114 controls to just 93 controls that too organized into four simple themes, which are as follows:

• People Controls – 8
• Physical Controls – 14
• Technological controls – 37
• Organizational controls – 37

New Control Areas

This update for 2022 comprises whole new control areas as per the current digitalized market that must be applied in order to be certified.

• Configuration management
• Data leakage prevention
• Data masking
• ICT readiness for business continuity
• Information deletion
• Information security for using cloud services
• Monitoring activities
• Physical security monitoring
• Secure coding
• Threat intelligence
• Web filtering

Further, controls will have five categories of generic attributes that any kind of enterprise can use. These are as follows:

• Control type
• Cyber security concepts
• Information security properties
• Operational capabilities
• Security domains

What to Expect from ISO/IEC 27001:2022 Update?

• The main section of ISO/IEC 27001, namely clauses 4 to 10, will remain unchanged.

The scope, interested parties, context, information security policy, risk management, resources, training and awareness, communication, document control, monitoring and measurement, internal audit, management review, and remedial actions are all included in these provisions.

• The security controls described in Annex A of ISO/IEC 27001 and ISO/IEC 27002 will be updated.

In general, the modifications are minor and were made solely to make implementation easier. The number of controls has been reduced from 114 to 93, which are now divided into four sections rather than the previous 14. There are 11 new controls, no controls have been removed, and numerous controls have been merged. Annex A will be fully linked with ISO/IEC 27002 as of 2022.

• Data must be viewed as a valuable asset.

To link controls to multiple data kinds, you’ll need to construct a data inventory. This significant new criterion brings ISO/IEC 27001 in line with GDPR and other privacy laws that demand data mapping operations.

Steps businesses need to take with the new update

Since the extent of these changes will spread throughout your ISO/IEC 27001 ISMS, companies will have a significant amount of work to do between the current certification or surveillance audit and the next audit cycle. But to change the management system to a new version of a standard, certified organizations can have a two-year transition period.

Moreover, except for documentation, organizations don’t need to make any technological changes. Without deleting or adding any documents, you can follow these strategies:

• Upgrade Statement of Applicability
• Revise risk assessment process and security metrics
• Understand and integrate third-party security tools
• Assess and adapt to all policies and standards