On February 15, 2022, the ISO/IEC organizations released a new edition of ISO/IEC 27002:2022. There are fewer controls in this edition, 93 instead of 114. However, every control of the 2013 edition remains required; the lower number is the result of merging controls. In essence, complying with ISO/IEC 27001:2022 requires more effort, not less. This new standard is set to be released later in 2022.
Changes to ISO/IEC 27001:2022 in a Nutshell
- The core of ISO/IEC 27001, meaning the clauses 4 through 10, will not change.
- Expect an updated security controls list in Annex A of ISO/IEC 27001.
- Annex A of ISO/IEC 27001:2022 will require 93 controls instead of 114 controls in the 2013 edition of the standard.
- There are 4 control areas in Annex A of ISO/IEC 27001:2022. The 2013 edition used to have 14 control areas.
- There are 11 new controls. All controls of the 2013 edition are still present, and many of them have been merged.
What are the Changes to ISO/IEC 27001:2022?
The core structure of ISO/IEC 27001, meaning the clauses 4 through 10, will not change. These clauses continue to include:
- 4. Context of the Organization
- 5. Leadership
- 6. Planning
- 7. Support
- 8. Operation
- 9. Performance Evaluation
- 10. Improvement
- Annex A
What are the Changes to ISO/IEC 27001:2022 and ISO/IEC 27002:2022?
Expect an update to the list of security controls in Annex A of ISO/IEC 27001:2022. They will reflect the new ISO/IEC 27002 edition.
In general, the changes to the controls are moderate. The changes made simplify the implementation.
The four control areas in Annex A of ISO/IEC 27001 and in ISO/IEC 27002 are:
- 5. Organizational controls with 37 controls
- 6. People controls with 8 controls
- 7. Physical controls with 14 controls
- 8. Technological controls with 34 controls
Obviously, the changes in Annex A of ISO 27001:2022 must fully align with the changes in ISO 27002:2022.
The 11 controls that are new are:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
What are the Changes to ISO/IEC 27002:2022?
57 controls of the 2013 edition of the standard were merged into 24 controls. A very useful annex of the new ISO/IEC 27002 is Annex B. It maps the controls of the 2013 edition to the controls of the 2022 edition of ISO/IEC 27001 and 27002.
Furthermore, Annex A of ISO/IEC 27002 is also a very helpful implementation tool. For each control it lists:
- Name of the control
- Type of control
  - Preventive, Corrective, Detective
- Information security property
  - Confidentiality, Integrity, Availability
- Cybersecurity concept
  - Identify, Protect, Detect, Respond, Recover
- Operational capability
  - for example Governance, Asset Management, etc.
- Security domain
  - Defense, Resilience, Protection, Governance and ecosystem
When are these Changes Set to Take Effect?
The changes to ISO/IEC 27001 and ISO/IEC 27002 are set to take effect the moment the 2022 edition of the ISO/IEC 27001 standard is released. No date for this release in 2022 has been announced yet.
The release of the 2022 edition of ISO/IEC 27002 took place on February 15, 2022. Obviously, ISO/IEC 27001:2022, to be released later in 2022, will have an Annex A that aligns with those changes.
Already ISO/IEC 27001 certified? How Much Time Do We Have to Comply?
The registrar of your certification body determines how much time you have to transition to the new requirements. Usually, you have 2 years after the release of the new edition of ISO/IEC 27001 to update your information security management system, or ISMS. As stated earlier, no release date in 2022 has been set for the ISO/IEC 27001 standard.
Your transition will mainly be about reorganizing controls, adding the 11 new controls and, obviously, updating your risk management process. Most likely, no changes in technology are needed.
Your changes will mostly revolve around:
- Plan your 2-year transition for ISO/IEC 27001:2022 certification.
- Update your risk treatment process. Add the new controls.
- Update your Statement of Applicability, or SOA.
- Adapt certain sections in your existing policies and procedures. For example, merge the applicable controls and update the references to the new edition.
- Update the evidence you collect.
Not ISO/IEC 27001 Certified Yet? Shall I Wait Until the Release of the New Standard?
No. The core of the ISO/IEC 27001 standard changes only marginally, and no controls were eliminated. So, you can start implementing the ISMS of the 2013 edition with the controls of the 2022 edition right away.
However, if you are not bound by a hard date to be certified, you can choose to wait until the ISO/IEC 27001:2022 edition has been released.
In other words, this decision has little to do with the release of the new standards. It merely depends on how quickly you need to be ISO/IEC 27001 certified.
Does the Certification Body Need to Check the Changes?
Yes. If your company is ISO/IEC 27001 certified, the certification body will check whether you have adapted your practices and your documentation during the transition period. This is done during the regular surveillance audits or the recertification audit.
What Does this Change Mean for My ISO/IEC 27001 Foundation, Practitioner, and Auditor Certificate?
Since the main part of ISO/IEC 27001 does not change, your personal ISO/IEC 27001 certificates will remain valid. No additional training will be needed.
Of course, you will be able to attend our training courses on the updates to the Annex A controls. But this will not change your certificate.
When will INTERPROM Update its Products?
Shortly after ISO/IEC 27001 is published in 2022, and APMG, our accreditor, has released the new exam requirements, we will release our updated ISO/IEC 27001 certification courses.
As always, we do our very best to be first in the market.
Will INTERPROM Help Me to Transition to the New Revision of ISO/IEC 27001?
Yes, of course! INTERPROM will make the transition to the new edition go smoothly for every existing customer. Our affordable CISO Coaching service or our Risk and Control Owner Coaching service is the perfect vehicle to guide you towards continued compliance and certification. Furthermore, we will continue to publish free advice for anyone seeking compliance or certification, in the form of more blogs, posts, and free webinars. Stay tuned!
Feel free to contact us for advice at any time. We gladly assist you in benefiting from this popular global ISO/IEC standard.