Top 5 Changes Under ISO 27001 and 27002:2022
March 02, 2022 / Haroon Juma / ISO Standard
Information security in today's digital economy is a prerequisite for business continuity: it protects the operation of your enterprise's functions and the information of all its stakeholders. Whether physical or digital, information and data are the fuel driving the efficient processes that connect internal functions, customers and suppliers to your enterprise.
ISO/IEC 27001 is a globally recognised information security standard. Originally published in 2005 to help organisations manage risks to the security of their information, the standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining and improving an Information Security Management System (ISMS).
The role of ISO 27001 in the digital age is growing as cybersecurity controls take on greater prominence. The standard is therefore evolving so that organisations can ensure their information security controls continue to meet their information security needs on an ongoing basis.
The ISO 27001 Information Security Management System standard and its companion code of practice, ISO 27002, have been revised several times over the years.
This blog highlights the significant changes coming this year. The official ISO 27002:2022 revision was published in February 2022, so there is substantial interest in what will change.
Here are the top 5 facts about the changes.
TOP 5 IMPORTANT FACTS
What is the difference between ISO 27001:2022 and ISO 27002:2022?
ISO/IEC 27001 is the main standard, the one organisations can be certified against. It sets out the requirements for organisations seeking to establish, implement, maintain and continually improve an Information Security Management System.
ISO/IEC 27002 is a reference providing guidance on information security management best practice; it helps organisations select, implement and manage controls. Organisations cannot be certified against it.
Every standard in the ISO 27000 series has a particular focus: if you want to build the foundations of information security in your organisation and design its framework, use ISO 27001; if you want guidance on implementing the controls, use ISO 27002.
What are the Main Changes to ISO 27001:2022 and ISO 27002:2022?
In general, the changes are moderate and were made primarily to simplify implementation. The changes to ISO 27001:2022 Annex A are fully aligned with those in ISO 27002:2022. ISO 27002 needed improvement to fulfil its role as implementation guidance for the ISO 27001 Annex A controls; the changes are not only to the controls themselves but also to how they are organised and used. This should also make it easier for organisations to comply with the standard.
Clauses: The main body of ISO 27001, Clauses 4 to 10, is not expected to change substantively. These clauses are:
- Clause 4 – Context of the Organisation
- Clause 5 – Leadership
- Clause 6 – Planning
- Clause 7 – Support
- Clause 8 – Operation
- Clause 9 – Performance evaluation
- Clause 10 – Improvement
Security Controls: The security controls listed in ISO 27001 Annex A will be updated
Number of Controls: The number of controls has decreased from 114 to 93, grouped into four themes:
- Organisational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
There are also 11 new controls:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Although the number of controls has been reduced, none of the controls was deleted in the latest version of the standard; instead, many controls were merged. Two examples of merged controls:
- Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security were merged into 5.1 Policies for information security.
- Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas were merged into 7.2 Physical entry.
ISO 27002 title: The phrase "Code of Practice" has been removed from the title of the updated ISO 27002 standard.
Name change: The revised standard will be designated ISO 27001:2022, replacing ISO 27001:2013. This follows the convention of the ISO 27000 series, whose other standards are also being updated in 2022.
When are these changes going to take place?
The new update of ISO 27002 was published in February 2022, and a revised version of ISO 27001 is expected to be published by October 2022.
If you are already certified to ISO 27001:2013, do you need to change immediately?
For organisations currently certified to the 2013 version, a transition period, expected to be two years, will be allowed to bring the management system into line with the new version, so there is enough time to make the necessary changes.
It is not advisable to leave it until the last minute, so when you renew your certification during the transition period you can have the audit conducted against the new control set.
The advantage of implementing the updated standard early is that you can adopt the new controls, update your processes, reduce the compliance burden and see how to better integrate your security processes, making your Information Security Management System easier to implement and manage.
Should organisations wait until the changes are published, or start now?
There is no need to wait: you will lose nothing by implementing an Information Security Management System that complies with ISO 27001:2013 and uses the existing Annex A control set, whether for direct implementation or as a reference against other controls.
If your organisation has an existing or potential client who expects it to be certified, you should start as soon as possible.
In other words, this decision has little to do with the revision of the standard; it depends on how quickly you need the ISO 27001 certificate.
If your organisation is certified to ISO 27001:2013, you will need to update your certification to comply with the revised standard once it is published in 2022. The good news is that the changes coming in 2022 are minor, and most organisations should be able to make the updates without much difficulty.
Most organisations will choose to migrate their implementation before their next audit, in line with stakeholder expectations.
Speak to an ISO 27001 expert at +971 43445338
About SimplySolved
SimplySolved is an ISO 9001 & 27001 certified company and an Exemplary Accredited training centre. We know how to help you successfully realise the full potential of implementing ISO standards and QMS.
Partner With SimplySolved
From documentation toolkits to full spectrum consulting, whether a small or large enterprise, our approach is tailored to implement the right standards successfully to maximise your investment.