On October 25, 2022, the newest version of the ISO/IEC 27001:2022 standard was released. The recent changes to ISO 27001 comprise a substantial change to Annex A, a change in its title, and some minor updates to the clauses. The changes come in the wake of the increasing cyber-attacks and information security risks faced by businesses in Australia and the world.
The standard outlines the guidelines for developing, implementing, maintaining, and constantly improving an information security management system. It also comprises requirements for evaluating and treating information security risks that are customised as per the needs of an organisation.
Hence the change in name to ISO/IEC 27001, ‘Information security, cybersecurity and privacy protection – Information security management systems – Requirements’.
The most recent version of ISO/IEC 27002 was published in early 2022, and its most recent changes have also impacted ISO/IEC 27001.
Importance of ISO 27001 as per ISO
ISO 27001 is an international standard for information security management. It demonstrates the resilience of your security posture to potential clients and prospects worldwide.
Companies that demonstrate cyber resilience, and are open about their vulnerabilities, rapidly rise as industry leaders and set the bar for their ecosystem.
The systematic approach of ISO/IEC 27001 signifies that the whole Company, not just IT, is protected. Everyone benefits, including people, processes, and technology.
When an Australian business uses ISO/IEC 27001, it shows stakeholders and customers that it is dedicated to information security and safety. It’s an excellent way to market your Company, rejoice in your accomplishments, and show your reliability.
ISO constantly reviews and updates its standards, which is crucial given the fast progression of cyber threats and the growing acceptance that robust cybersecurity requires a broader cyber resilience methodology.
Top Changes to ISO 27001
Given below are the significant changes in the inclusions, exclusions, and structure of ISO 27001 as per the latest update. Each change is explained in brief.
New Controls included
ISO/IEC 27001:2022 also adds 11 new controls to Annex A:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Information security for the use of cloud services
This is the main highlight of the recent changes in ISO 27001:2022 introduced by ISO.
With Australian and global organisations shifting their digital base and servers to cloud networks and remote working formats since the Covid-19 lockdown, cybercriminals have also found another space to exploit. This is called cloud jacking, and it is increasing because of a lack of timely security detection and the complexity of cloud frameworks.
It is true that popular cloud services such as Microsoft 365, Google Workspace and Zoom have made working from anywhere quite hassle-free, but many organisations have overlooked their security, and hence these services have become one of the key targets of hackers.
Also, given the complex frameworks of the cloud networks, they need a continual information security check to update the system and spot any vulnerability in it at regular intervals.
Hence, securing cloud networks is of utmost importance to secure businesses, their sensitive information, and employees.
Employees form one of the key gateways for cybercriminals to hack cloud networks.
Hence, ISO has noted the importance of offering robust security to the cloud networks with the introduction of this new control – Information security for the use of cloud services.
Suggestions for Cloud Security Checklists
Here is our suggestion for Cloud Security Checklists:
- Security of Information at Rest and in Transit
- Protection of Asset
- Control and visibility
- Partner Network and Security Marketplace that can be trusted upon
- Secure User Administration
- Integrating Security and Compliance
- Identification and Authentication
- Operational Security
Anitech is also hosting a webinar on the recent changes in ISO 27001:2022 on 9th December 2022.
Key Changes to Controls in Annex A
The most significant changes have occurred in Annex A of ISO/IEC 27001, which is associated with the ISO/IEC 27002:2022 updates released earlier this year.
ISO/IEC 27001:2022 Annex A encompasses modifications to both the number of controls and their categorising. This Annex’s title has also been modified from Reference Control Objectives and Controls to Information Security Controls Reference. As a result, the earlier version of the standard’s reference objectives for every control group have been excluded.
Annex A controls have been reduced from 114 to 93. The reduction in the total number of controls is primarily due to the consolidation of several of them. Furthermore, 35 controls have stayed the same, 23 have been renamed, 57 have been integrated into 24 controls, and one has been split into two. The 93 controls have been split into four control sections or groups.
When it comes to the other sections, Clauses 4 to 10 have undergone minor changes, particularly clauses 4.2, 6.2, 6.3, and 8.1, where new content has been incorporated.
Furthermore, minor changes in terminology and reconfiguration of clauses and sentences are among the other updates.
However, the sequence and title of these clauses have not changed.
Given below are Clauses 4 to 10, with their titles and sequence as per the newly revised standard.
- Clause 4 Context of the organization
- Clause 5 Leadership
- Clause 6 Planning
- Clause 7 Support
- Clause 8 Operation
- Clause 9 Performance evaluation
- Clause 10 Improvement
Control Groups or Themes
ISO/IEC 27001:2022 has the following new control groups or themes:
| Group No. | Control Group | No. of Controls |
|---|---|---|
| 1 | Organizational controls | 37 |
| 2 | People controls | 8 |
| 3 | Physical controls | 14 |
| 4 | Technological controls | 34 |
New Variables and Attributes
The final update introduces 5 new variables and attributes to simplify the categorisation process. These are:
- Control type: Detective, Preventative, Corrective
- Cybersecurity concept: Identify, Protect, Respond and Recover
- Information security properties: Confidentiality, Integrity, Availability
- Operational capabilities: Governance and Asset management
- Security domains: Protection, Defence, Resilience
Will ISO/IEC 27001:2022 changes affect the current Certification of Businesses?
The newest changes in ISO/IEC 27001:2022 will have no effect on the existing ISO/IEC 27001 Certification.
Assets for Information Security Management
ISO 27001 defines an asset as any important location within an organisation’s systems where its sensitive information is stored, processed, or accessible.
An employee’s computer, laptop, or company phone, for example, would be considered an asset. Similarly, sensitive information stored on those devices is an asset.
An asset may also be a component of a company’s critical infrastructure, such as a company server or support system.
What is an Asset Inventory?
To develop an effective ISMS (information security management system) and achieve ISO 27001 certification, companies should complete an asset inventory.
How Can Anitech help?
Anitech is a leading security advisory provider with a reputation for helping Australian businesses for over 15 years. We have a team of expert ISMS Consultants who are familiar with ISMS principles and ISO standards. Our team not only anticipated the update but was also prepared to offer solutions that address the recently introduced changes!
We adhere to a risk management framework and a well-thought-out strategy. This will assist businesses in meeting the new set of controls required in the updated version.
Our boutique consulting firm has extensive industry experience assisting companies in meeting the ISO 27001 qualifying criteria that make them eligible for professional certification. We offer guidance both to businesses with existing ISO 27001 Certification and to those aspiring to achieve it.
If you want our ISMS consultants to help you understand the changes in ISO 27001 and help your organisation update your management system in compliance with it, feel free to drop an enquiry here
You can also call us at 1300 802 163 or email us at email@example.com
Our experienced ISMS Consultants will be happy to help you!