ISO 27001 is the international standard for Information Security Management Systems (ISMS), providing a framework for organizations to manage and protect sensitive information.
The standard was last updated in 2013, and after eight years the new version, ISO 27001:2022, was published in October 2022. The transition period from the 2013 version to the 2022 version is set to be three years, meaning that current certificates need to be updated to the new version before November 2025.
This blog post will discuss the key changes introduced in the new version and their implications for organizations.
- Scope and Context of the Standard
The scope and context of the standard have been expanded in the new version to align with the latest trends and challenges in information security management. For instance, the new version addresses technologies that emerged after 2013, such as cloud computing, artificial intelligence, and the internet of things (IoT), which were not explicitly mentioned in the previous version.
The context of the standard has also been updated to reflect the changing nature of information security risks, the importance of stakeholder involvement, and the need for risk-based thinking. The new version emphasizes the need for organizations to understand their internal and external context, including their business objectives, legal and regulatory requirements, and the needs and expectations of interested parties.
- Risk Management
Risk management has always been a central part of ISO 27001, but the new version provides more detailed guidance on the risk management process. It emphasizes the need for organizations to identify, assess, evaluate, and treat risks systematically and consistently, and it gives more guidance on how to determine the criteria for risk assessment and how to select appropriate risk treatment options.
Moreover, the new version introduces a somewhat new concept, "information security risk appetite": the amount and type of risk that an organization is willing to accept in pursuit of its business objectives. The new version requires organizations to define their information security risk appetite explicitly and to use it to guide their risk management decisions.
- Information Security Controls
The new version of the standard introduces several new controls and enhances some of the existing ones. For instance, it introduces controls related to supply chain security, secure development, and management of cryptographic keys, and it enhances existing controls related to access control, incident management, and business continuity. With these changes, ISO 27001:2022 becomes closer, at least in essence, to the well-known and widely accepted SOC 2 standard created and maintained by the AICPA.
The new version also provides more guidance on the implementation of controls, including the use of new technologies such as machine learning and automation, and it emphasizes the need for continuous monitoring and improvement of the effectiveness of controls.
- Annex A
Annex A is a critical part of ISO 27001: it provides the list of controls that organizations can implement to manage their information security risks. The new version of the standard has revised the structure and content of Annex A to make it more user-friendly and more relevant to modern information security challenges. It has also added several new controls to Annex A, including controls related to supply chain security, secure development, and management of cryptographic keys, and it has updated the existing controls to reflect the latest industry best practices.
- Certification Process
The new version of the standard introduces some changes to the certification process. For instance, it requires certification bodies to conduct more rigorous and objective audits, including sampling techniques and the use of technology-based tools. This long-awaited requirement finally puts ISO 27001 in line with the latest developments in the compliance automation space. Certification bodies are also required to have competent auditors with relevant technical expertise and knowledge. In addition, the new version introduces the concept of "information security performance evaluation," the assessment of an organization's information security performance against its objectives and targets; organizations are required to conduct regular information security performance evaluations and report the results to relevant stakeholders.
ISO 27001:2022 is a significant update to the previous version of the standard, reflecting the latest trends and challenges in information security management. The new version emphasizes the importance of risk-based thinking, stakeholder involvement, and continuous compliance monitoring using technology tools and automation solutions.
Interested in learning how Cypago can help you achieve ISO 27001:2022 certification?
Sign up for the free trial today and experience the true power of automation first-hand!
If you have any questions or comments about any of the above, please feel free to contact us.