ISO/IEC 27001 has changed. What changes do organizations need to consider?
The third edition of this information security standard, known and used worldwide, was published on October 25, 2022. Almost seven months after the publication of ISO/IEC 27001:2022, organizations that wish to obtain or renew their certification in the coming months will be able to do so on the basis of the changes introduced by the new version of the standard.
What are the main changes?
- The standard restructured the numbering and content of some clauses to make interpretation clearer;
- It reinforces the role of the organization's directors in the ISMS (Information Security Management System) processes;
- It emphasizes the importance of stakeholders such as customers and suppliers in information security management;
- It makes clear the need for a well-defined set of processes for implementing the ISMS and for operating services on an ongoing basis.
However, the biggest change is in Annex A of the standard and its reference controls. The controls are now divided into four themes: organizational, people-related, technological and physical.
Annex A now has 93 controls in total, 11 of which are new:
- A.5.7 Threat intelligence;
- A.5.23 Information security for use of cloud services;
- A.5.30 ICT readiness for business continuity;
- A.7.4 Physical security monitoring;
- A.8.9 Configuration management;
- A.8.10 Information deletion;
- A.8.11 Data masking;
- A.8.12 Data leakage prevention;
- A.8.16 Monitoring activities;
- A.8.23 Web filtering;
- A.8.26 Secure coding.
The addition of these controls will require more effort from organizations in reviewing and/or creating policies and procedures, as well as in bringing into the information security process various stakeholders that did not previously feature prominently in the standard.
My organization is already certified by the 2013 version, do I have to change anything?
As the changes from the 2013 version to the 2022 version are not substantial, your organization will not have to make changes just yet if it is already ISO/IEC 27001:2013 certified.
The standard will have a two-year transition period, so organizations have until October 2025 to comply with it. However, your organization should focus on ensuring that the new controls are in place by that date to avoid non-compliance.
I have a certification scheduled or forecast for this year. Should I follow the 2022 version?
Yes. The organization should adapt its implementation projects and its certification to the new version of ISO/IEC 27001. Although companies will be able to receive certification under the 2013 version until October 2023, they will have to ensure that they have made the appropriate changes by October 2025.
When will certification bodies start auditing based on the 2022 version?
Certification bodies will be able to start auditing against the new ISO/IEC 27001:2022 standard as of October 2023.
This new version aims to keep pace with the risk landscape that companies face and to bring cybersecurity and privacy protection into information security as allies. Organizations should choose the version that is currently most favorable to them, but keep in mind the work required to make the necessary changes by October 2025.