ISO 27001:2022 is Coming: What Do the Changes Mean for You?
By Jonathan Boes
March 25, 2022
As published in the March Issue of SubTel Forum Magazine
This year, the ISO 27002 standard has undergone its first major revision since 2013. Businesses certified to ISO 27001 will see these changes reflected in the security controls of Annex A. But what do these changes mean for your business and your security?
What is ISO 27001?
ISO/IEC 27001 (usually shortened to “ISO 27001”) is an Information Security Management System standard written jointly by the International Organization for Standardization and the International Electrotechnical Commission. This standard lays out universal best practices for creating and maintaining an information security management system (ISMS).
This standard helps organizations protect the confidentiality, integrity, and availability of their information. These three elements form the basis good information security. ISO 27001 helps protect information in any form, but cybersecurity—which protects digital information—plays a major role.
Why does it matter?
Information security matters more than ever. Even small businesses can’t afford to leave data unprotected.
According to a CNBC report from 2019, 43% of cyberattacks target small businesses. Many businesses never recover from these attacks. Almost every day, you hear about another company losing valuable information in a breach.
Other circumstances compound the problem. Since the Covid-19 pandemic, more and more businesses have taken their operations online. Telework has become the norm in many companies. All these factors serve to increase cybersecurity risk.
Often, cyberattacks compromise customer information. For their own protection, today’s customers want to work with businesses who make security a priority.
Because of this, many businesses face ISO 27001 as a customer requirement. ISO 27001 certification proves that you follow internationally-recognized security practices, building trust with customers and partners. ISO 27001 certification also helps businesses earn points toward many government contracting vehicles.
In short, every business needs information security. ISO 27001 certification proves to the world that your company follows information security best practices.
ISO 27001 and ISO 27002
Like other ISO management system standards, the requirements of ISO 27001 are built to shape around your business processes. But due to the technical nature of information security, this standard includes specific security controls for organizations to follow. ISO 27001 lists these in Annex A.
However, Annex A does not provide detail on these controls. For that, you need to consult the ISO/IEC 27002 Security Techniques and Code of Practice for Information Security Controls. This standard contains the full security controls outlined in ISO 27001’s Annex A. You can think of Annex A as a “table of contents” for ISO 27002:2022
ISO 27001 and ISO 27002 are both ISO/IEC standards, but companies only certify to ISO 27001. ISO 27002 simply serves as a guidance document, explaining the security controls referenced by the ISO 27001 certification standard.
The 2022 updates apply to the security controls of ISO 27002. Annex A of ISO 27001 will also be updated to reflect those changes
Why has the standard been updated?
All ISO standards undergo a review process at least every five years. But that review doesn’t always bring about major changes.
However, in the case of ISO 27002, the recent review has resulted in some significant updates.
There’s a good reason for this. Nearly a decade has passed since the last major revision. The previous version saw publication in 2013, but it was written even earlier than that.
Much has changed during that single decade. The cyber threat landscape has evolved and grown more complex. New technologies have come into play. More and more businesses have gone online and adopted telework, operating virtually with cloud applications.
Information security in 2022 simply isn’t the same as information security in 2013. It requires more vigilance and more diligence than ever before.
These ISO 27002/Annex A changes may require some extra effort. But ISO 27001 is the international standard for information security, and these are the best practices for protecting your data. In 2022, these practices matter more than ever, even for small businesses.
What has changed?
While the actual clauses of ISO 27001 haven’t changed, the ISO 27002 guidance standard has undergone a major overhaul. You will soon see these changes reflected in Annex A of the ISO 27001 standard.
The security controls of Annex A make up a good amount of the technical work behind ISO 27001 implementation. So even though only Annex A has changed, the update will impact your entire management system.
The previous version of Annex A (found in ISO 27001:2013) contained 114 controls across 14 families. The new version contains 93 controls in 4 families.
Technically, the new version contains fewer controls. But much of that decrease comes from redundant controls which have been removed or merged.
In fact, ISO 27002:2022 actually adds 11 new controls to Annex A:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
These additional controls add new layers of information security to the standard.
Another change: the updated version of the standard now requires documented operating procedures. The previous version only required policies. Policies provide high-level goals and parameters for your information security management system. Procedures lay out the operational steps you’ll take to pursue those goals. These newly-required procedures will make the documentation side of certification a more in-depth, detailed process.
At this point, it might seem like the changes have only made Annex A more complicated, but these important updates also provide clearer guidance and more comprehensive explanations than previous versions of the standard. The updated ISO 27002 is a much heftier document, but it provides greater clarity on the specifics of each control.
The updated version also provides a new organizational scheme for the controls. The security controls are now sorted by five attributes:
- Control type
- Cybersecurity concept
- Information security properties
- Operational capabilities
- Security domains
These new attributes help businesses prioritize the correct controls for their context. For example, if your primary concern is confidentiality, you can use these attributes to sort the controls by that one information security property.
In summary: the 2022 updates add extra responsibilities to ISO 27001 certification, but they also provide clearer guidance and organization.
What does this mean for you?
Every ISO 27001-certified business will face some level of extra work to comply with the updates.
If you’re currently certified to ISO 27001:2013, you will need to make the transition to ISO 27001:2022 before your first surveillance or recertification audit of 2023. Depending on the date of your next audit, you might need to have the changes in place as early as January. Don’t wait to get started.
Depending on the scope of your ISMS, you could be required to implement up to 11 new controls. Before your audit, those controls need to be put in place, enforced with policies and procedures, and tested.
Since the ISO 27002 security controls have been merged and renumbered, even the controls that haven’t technically changed will require some organizational updates. You will need to relabel your existing documents and create an updated statement of applicability to reflect the changes.
In short, don’t underestimate the time and resourced needed to prepare. The best course of action is to start now.
You can begin by buying a copy of the updated standard. Look through the new requirements and perform a fresh risk assessment for your information security management system.
In all likelihood, you’re already doing more than you think. After all, these are universal best practices. If you’re already committed to good security, you’re likely already compliant with some of the new controls—maybe even with all of them.
But again, don’t assume this will be the case. You can’t know how much work you’ll face until you dive in, learn the new controls, and assess your current security posture. Your deadline is the 2023 audit.
When it comes to evaluating your security posture and learning the new controls, you have a few options.
First, you can try to tackle the transition alone. With the right internal resources, a business can make this happen. But many businesses—especially smaller businesses—don’t have security experts on staff. The new controls cover some advanced technical ground. Without the right in-house expertise, a business can easily misinterpret or misapply the new controls, leading to costly rework and additional audits.
Second, you can work with a Managed Service Provider (MSP). Many businesses already outsource their IT responsibilities to an MSP. But keep in mind that many MSPs don’t specialize in cybersecurity or ISO certification.
Third, you can work with cybersecurity experts to provide consulting and technical solutions specific to ISO 27001. These services usually provide training or consulting for ISO 27001 compliance and certification. Some of these services also offer managed software solutions to help meet the technical security controls.
With the right help, any business can apply ISO 27001 to keep their information protected and build trust with customers.
That covers the ISO 27001 changes in a nutshell.
Much has changed, but the core principles remain the same. Every business, regardless of size, has information to protect. By following proven best practices, you can protect your information, secure your business, and build customer trust.
Jonathan Boes is a Digital Communications Specialist at Core Business Solutions, Inc. in Lewisburg, Pennsylvania. He writes article and video content to teach businesses about ISO 27001, ISO 9001, NIST/CMMC, and other certification standards.