The International Organization for Standardization (ISO) periodically updates ISO 27001 and its related standards to keep pace with technological developments. The latest versions of ISO 27001 and ISO 27002 were released on 25 October 2022.
ISO 27001 is a vital standard for businesses to certify against if they are serious about information security and want to demonstrate that commitment to their clients. The requirements of ISO 27001 will protect businesses from most cyber-attacks that aim to steal data. ISO 27001 goes further than the Cyber Essentials certification: it covers information in all forms, whether digital or physical.
The changes to the standards are moderate. The number of controls has decreased from 114 to 93, and they are now arranged in 4 sections instead of the 14 used in ISO 27002:2013.
There are 11 new controls for businesses to consider. No controls have been removed, although many have been merged to bring the overall total down.
Some of the key updates to ISO 27001:
· The main part of ISO 27001 (clauses 4 to 10) is not changing. These clauses cover scope, interested parties, the information security policy, risk management, training and awareness, corrective actions, and so on.
· ISO is only updating the security controls listed in ISO 27001 Annex A.
· The overall number of controls has decreased from 114 to 93.
· Controls are now arranged in 4 sections instead of the previous 14.
· There are 11 new controls:
§ 5.7 Threat intelligence
§ 5.23 Information security for use of cloud services
§ 5.30 ICT readiness for business continuity
§ 7.4 Physical security monitoring
§ 8.9 Configuration management
§ 8.10 Information deletion
§ 8.11 Data masking
§ 8.12 Data leakage prevention
§ 8.16 Monitoring activities
§ 8.23 Web filtering
§ 8.28 Secure coding
When should ISO 27001:2022 be implemented?
The absolute deadline for implementing the changes in ISO 27001:2022 is 31 October 2025. For many organisations the effective deadline will be sooner than that, depending on their recertification timeline.
How To Prepare for ISO 27001:2022
To get your organisation ready for the change to ISO 27001:2022, OmniCyber recommends:
· Carry out a gap assessment against the new controls.
· Implement the new controls.
· Conduct an internal audit.
· Prepare for the certification audit.