ISO 27001 : 2022 Key Changes

05 April 2023

Cybersecurity threats are escalating around the globe and can affect any organization. The International Organization for Standardization (ISO) developed standards to provide solutions to these types of global challenges.
 
On February 15, 2022, ISO issued an update to ISO 27002 (which affects Annex A of ISO 27001). The goal was to make the standard more relevant and up to date with the latest technologies and security threats. The changes are also intended to make it easier for organizations to comply with the standard.
 
Notable changes include:

  • Name Change – The standard has been renamed from ISO 27002:2013 to ISO 27002:2022
  • Control Changes
    • Decreased the number of information security controls in Annex A from 114 to 93
    • Introduced 11 new controls and merged controls to avoid redundancy
  • Restructured the sections – 4 main domains now (instead of the previous 14)
  • Greater attention and emphasis on cyber risks

What Are the Differences Between ISO 27001 and 27002?

ISO/IEC 27001 and ISO/IEC 27002 (their formal names) are the primary ISO standards designed to enhance the security of an organization’s information.

  • ISO 27001 is the certification standard for organizations – they get certified against it. As the globally recognized standard, it provides the requirements to establish, implement, maintain, and continually improve an organization’s information security management system. The current version, ISO 27001:2013, will be renamed ISO/IEC 27001:2022.
  • ISO 27002 provides guidance to organizations on selecting, implementing and managing information security controls listed in Annex A of ISO 27001. Organizations cannot get a certification against ISO 27002 since it is a supporting standard containing guidance - not requirements. The updated name is now ISO/IEC 27002:2022.


What Are the New Controls?

The 11 new control topics introduced are:

  1. Threat intelligence (5.7)
  2. Information security for the use of cloud services (5.23)
  3. ICT readiness for business continuity (5.30)
  4. Physical security monitoring (7.4)
  5. Configuration management (8.9)
  6. Information deletion (8.10)
  7. Data masking (8.11)
  8. Data leakage prevention (8.12)
  9. Monitoring activities (8.16)
  10. Web filtering (8.22)
  11. Secure coding (8.28)


What Are the Section Changes?

ISO restructured the standard from 14 sections to 4 sections and 2 annexes.

Sections

  1. Organizational Controls (37) – Now Domain 5
  2. People Controls (8) – Now Domain 6
  3. Physical Controls (14) – Now Domain 7
  4. Technological Controls (34) – Now Domain 8

Annexes

  1. Annex A, which includes guidance for the application of attributes, and
  2. Annex B, which corresponds with ISO/IEC 27002:2013.

When Do the Changes Take Place?

  • ISO 27002 was updated on February 15, 2022 (ISO 27002:2022)
  • Annex A of ISO 27001 was aligned with these changes on October 25, 2022 (ISO 27001:2022)

What Does This Mean for Organizations?

Organizations already certified to ISO 27001:2013 will need to update their certification to align with the revised standard. They may also want to:

  • Purchase the new guide
  • Review and update policies, procedures, and documentation (e.g., Internal Audit Plan/Policy, Statement of Applicability, Risk Assessment, Asset Inventory, and other components)
  • Perform a gap analysis
  • Inform their certification body on the planned timing to certify to the new standard

When Must Organizations Comply/Adopt?

Certified organizations will have a transition period to update their certification, and any company currently certified against ISO 27001:2013 has time until October 31, 2025, to transition to the new revision.
Organizations without a certification should certify to the new 2022 standard.

Benefits of ISO 27001 Certification?

  • Improved security – By identifying and addressing information security risks, organizations are better positioned to protect their data and reduce the risk of a data breach.
  • Address global customer requirements – Having ISO 27001 certification can help an organization meet the security compliance requirements of global customers.
  • Competitive advantage – By demonstrating your organization meets the highest standards for information security, it can increase trust and transparency with your customers.
  • Mitigate risks – Certification can help mitigate the risk of cyberattacks and data breaches that may cause organizations to lose customers, incur regulatory fines, and damage their brand and reputation.

Potential Impacts of Cybersecurity Threats?

Cyberattacks and data breaches may cause organizations to lose customers, incur regulatory fines, and damage their brand and reputation. That is why cybersecurity is critical for all organizations.

How BDO Can Help?

Choosing the right service auditor is critical to an organization’s success. Our trusted and experienced team collaborates with organizations to develop a comprehensive and defensible compliance program to meet various security standards.

We can help existing clients during the transition and can help new clients get their certifications.

Original content by BDO USA.