ISO 27001 standard updated to 2022 version - what changed?
After nine years, ISO 27001, the world’s leading information security standard, has been updated. The final update for the standard came on 25.10.2022, although the controls list of ISO 27002 had already been updated earlier.
This update brings only moderate changes, but it is important to understand them closely. So what has changed when comparing 2013 vs. 2022 versions and how are these updates visible on Cyberday?
Summary of ISO 27001 2022 update
The main part of the standard, i.e. clauses 4 to 10 in ISO 27001, didn't get significant changes on the revision.
ISO 27002's security controls (or Annex A, if you prefer) in turn did receive moderate changes:
- 11 totally new controls are introduced
- No controls are totally removed from the standards, but many controls get merged
- Due to the merges, the total number of controls ultimately decreased from 114 to 93, although as an entity the controls got more content
- The controls are placed into 4 sections, instead of the previous 14
New controls in ISO 27001/27002:2022
The 11 totally new controls in ISO 27002 are:
- 5.7 Threat intelligence: Organisation needs to have clear processes for how information about security threats is collected and analysed.
- 5.23 Information security for use of cloud services: Organisation needs to have top-level principles for how cloud services are used and how related risks are managed, along with criteria e.g. for selecting secure providers, monitoring the activities or cloud service providers and using agreements to demand sufficient security measures from partners.
- 5.30 ICT readiness for business continuity: Continuity requirements for key ICT services need to be clearly identified and derived from organisation's other key continuity plans.
- 7.4 Physical security monitoring: Organisation needs to clearly define what kind of surveillance systems are used on its physical premises and ensure sufficient monitoring of facilities with critical systems.
- 8.9 Configuration management: Standard templates for secure configurations of data systems, networks and other equipment should be used and other processes exist to monitor the correct configurations.
- 8.10 Information deletion: Data stored in data systems, devices or in any other storage media should be deleted when no longer required.
- 8.11 Data masking: The needs for hiding some sensitive data (e.g. through masking, pseudonymization or anonymization) should be used identified and implemented where necessary.
- 8.12 Data leakage prevention: Data systems, networks and other devices that process, store or transmit sensivite data need to have data leakage prevention measures applied into them.
- 8.16 Monitoring activities: Organisation needs to define clear processes for monitoring networks and data systems for anomalous behaviour and when relevant, continuing the process to security incident management.
- 8.23 Web filtering: Organisation should identify the types of websites to which personnel should and should not have access. Access to not needed, external websites should be managed to reduce exposure e.g. to malware.
- 8.28 Secure coding: Organisation needs to have defined clear rules for secure coding (e.g. minimum security baselines), that ensure software is written and tested properly and reduce the potential for technical vulnerabilities in the created services.
In addition to this, many controls were merged together in this update. This means even more controls are beginning to be quite significant in size and demand carefully planned and pieced execution.
So in addition, smaller changes in the controls included the following:
- 57 controls were merged
- 23 controls were renamed
- 1 control was split
We at Cyberday are happy about these developments. We've already previously seen, that many controls get bigger and bigger and share e.g. 50% of its contents with similar controls on other standards. That's why we have build the generic "task-level" between e.g. ISO controls and tasks in your own ISMS. Tasks tell the more detailed story of how you implement each control.
New control sections in ISO 27001/27002:2022
Controls in the new version are divided into 4 sections. Controls are categorized as...:
- People controls, if they concern individual people
- Physical controls, if they concern physical objects
- Technological controls, if they concern technology
- and otherwise as Organizational controls
This division of security controls nicely highlights the different approaches companies can usually use to combat any kind of cyber threats - organizational, people, technical and physical actions can all be relevant and usually a combination produces the best results. In this way, the standard makes sure organizations aren't e.g. just looking at the technical ways for safeguarding data.
In addition to these 4 main sections, the new standard version provides a lot of additional categorization for the controls. These categorizations can also be used to help organizations ISMS implementation.
Controls are also categorized by:
- Control types - from preventive, detective to corrective controls
- Information security properties - whether they're mainly protecting the confidentiality, integrity or availability of data
- Cybersecurity concepts - Identify, Protect, Detect, Respond or Recover (utilizing the similar method as e.g. NIST CSF has before)
- Operational capabilities - taking the practitioner’s perspective and including e.g. values like Governance, Asset management, Human resource security, Physical security, System and network security and Threat and vulnerability management
The last categorization is relatively close to the 14 domains previously included on the 2013 revision. If you're not feeling instantly comfortable with the 4 main sections, you can look for additional support here.
These categorization also create an improved compatibility from ISO 27001 standard towards other popular information security standards, like NIST CSF, CIS 18 or CSA CCM.
ISO 27001/27002:2022 implementation in Cyberday
We have just published the new ISO 27001:2022 framework in Cyberday. You can activate the new framework in Cyberday's framework library.
The overlap percentage in Cyberday's content is over 90%. This means, over 90% of the tasks you have worked on in the 2013 framework are also increasing your compliance towards the 2022 revision. To make the transition, you basically need to just implement the new 9% of tasks. 👍
ISO 27001:2022 framework is divided to 3 levels similarly to the 2013 version:
- ISO 27001:2022 Core: 20% subset of full ISO 27001. Without these cyber essentials it's very hard to promise your customers that their data is safe.
- ISO 27001:2022 Extended: 50% subset of full ISO 27001. It provides you with advanced controls to improve security but doesn't go to certification-level.
- ISO 27001:2022 Full: Full, certification-level ISMS. Complete set of security controls along with the requirements for proper information security management e.g. related to internal audits and risk management aspects.
We've chosen to utilize the main 4 categorization sections and the operational capabilities categorization in our framework report / Statement of applicability document.
Now this main compliance report also includes the ISO 27001's mandatory requirements, so it serves as a turbocharged SoA document, demonstrating how you comply with the ISMS requirements and how have you implemented the 27002 controls.
You can best all this in action, when you try our new ISO 27001:2022 framework in your own account. If you don't have one yet, sign up for a free trial.
Frequently asked questions
Q: We have worked with the 2013 version in Cyberday. Will I benefit from the work done on the new version?
Absolutely yes! The content overlap percentage in Cyberday for the 2013 vs. 2022 standard revision is over 90%. This means, over 90% of the tasks you have worked on in the 2013 framework are also increasing your compliance towards the 2022 revision. To make the transition, you basically need to just implement the new 9% of tasks. 👍
Q: We have already implemented ISO 27001. How quick do we need to react?
Companies certfied towards the 2013 revision must transition to the 2022 revision before 31.10.2025. This means there's a hefty 36-month transition period.
Q:Will the old standard version stay available in Cyberday?
Yes. During the transition period both 2013 and 2022 versions of ISO 27001 will be available on our framework library.