What’s New in ISO 27001:2022
The 2022 revisions of ISO/IEC 27001 and ISO/IEC 27002 bring substantial updates designed to improve information security management practices. They restructure the control set, reduce the number of controls, and add elements to each control that make it easier to interpret, implement and audit.
Revised Structure and Sections
ISO/IEC 27002:2022 replaces the 14 control domains of the 2013 edition with four themes, each a main section of the standard, plus two annexes:
- Organisational Controls: 37 controls covering organisational matters such as policies, roles, asset handling and supplier relationships.
- People Controls: 8 controls covering human resources security.
- Physical Controls: 14 controls covering the physical environment.
- Technological Controls: 34 controls covering technical measures.
- Annex A – Using Attributes: Provides a matrix of all controls with their attributes, and offers suggestions on how to use the attributes to create different views of the control set.
- Annex B – Correspondence with ISO/IEC 27002:2013: Maps each 2022 control to the 2013 control(s) it replaces, and each 2013 control to its 2022 counterpart.
This streamlined structure, along with the annexes, simplifies understanding the applicability of controls and assigning responsibilities.
Updated Control Count and New Elements
The number of controls has been reduced from 114 to 93. The reduction comes from merging overlapping controls rather than dropping topics, and the 11 new controls reflect changes in technology and practice since 2013. Each control now carries two new elements:
- Attribute Table: Presents five attributes associated with the control: control type (Preventive, Detective, Corrective), information security properties (Confidentiality, Integrity, Availability), cybersecurity concepts (Identify, Protect, Detect, Respond, Recover), operational capabilities (for example Governance, Asset management, Identity and access management, Threat and vulnerability management) and security domains (Governance and Ecosystem, Protection, Defence, Resilience). A control may carry more than one value for an attribute.
- Purpose: Explains why the control should be implemented, so the rationale is recorded alongside the requirement rather than left to the reader to infer.
These additions help organisations understand, filter and justify the use of controls. In practice the attributes let you pull targeted views of the control set, for example all Detective controls when building a monitoring programme, or all controls tagged Protect when mapping to the NIST Cybersecurity Framework functions.
New Controls
Eleven controls are new in the 2022 edition; they appear in ISO/IEC 27002:2022 and in Annex A of ISO/IEC 27001:2022:
- Organisational Control 5.7: Threat intelligence
- Organisational Control 5.23: Information security for use of cloud services
- Organisational Control 5.30: ICT readiness for business continuity
- Physical Control 7.4: Physical security monitoring
- Technological Control 8.9: Configuration management
- Technological Control 8.10: Information deletion
- Technological Control 8.11: Data masking
- Technological Control 8.12: Data leakage prevention
- Technological Control 8.16: Monitoring activities
- Technological Control 8.23: Web filtering
- Technological Control 8.28: Secure coding
These new controls address areas that were absent or only implied in the 2013 edition, notably cloud service use, configuration management, data masking and leakage prevention, and secure coding. Organisations transitioning from 2013 should expect to add risk treatments and Statement of Applicability entries for each of them.
Renamed and Merged Controls
To improve clarity, 23 controls have been renamed while keeping their original intent. Additionally, 57 controls from the 2013 edition have been merged into 24 controls in the 2022 edition. This consolidation reduces redundancy and lets each control focus on a single information security aspect.
Examples of renamed controls (2013 number to 2022 number):
- Teleworking (6.2.2) to Remote working (6.7)
- User registration and de-registration (9.2.1) to Identity management (5.16)
- Secure log-on procedures (9.4.2) to Secure authentication (8.5)
Examples of merged controls:
- Policies for information security (5.1.1) and Review of the policies for information security (5.1.2) merged into Policies for information security (5.1)
- Management of secret authentication information of users (9.2.4) and Use of secret authentication information (9.3.1) merged into Authentication information (5.17)
No Excluded Controls
While the total number of controls has been reduced, no control from the 2013 edition has been dropped. Every 2013 control maps to at least one 2022 control through merging, renaming or splitting, which is why Annex B of ISO/IEC 27002:2022 can provide a complete correspondence table in both directions.
Split Controls
One control from the previous edition was split:
- Technical compliance review (18.2.3) split into Compliance with policies, rules and standards for information security (5.36) and Management of technical vulnerabilities (8.8)
Transition Period
ISO/IEC 27001:2022 was published on 25 October 2022. Organisations certified under ISO/IEC 27001:2013 have a three-year transition period, ending 31 October 2025, after which 2013 certificates are no longer valid. In practice this means revising the risk treatment plan and the Statement of Applicability against the new Annex A control set, and implementing the 11 new controls where applicable, before the transition audit.
Implications for Information Security Management Systems (ISMS)
The changes in ISO/IEC 27001:2022 and ISO/IEC 27002:2022 aim to make the standards more practical and easier to implement. Organisations gain a more streamlined and coherent set of controls that reflect the current technological landscape, and the new controls give explicit coverage of cloud security, data protection and threat intelligence that previously had to be read into older controls.
The 2022 updates represent a significant evolution of the standards, providing a more structured and practical framework for protecting information assets. By adopting the new edition, organisations can improve their security posture, meet customer and regulatory expectations that now reference the 2022 control set, and manage emerging threats with controls written for them.
About CyberPulse
CyberPulse envisions a world where digital security is simple, seamless, and centred around our customers. Founded by a team of decorated security leaders, including former Chief Information Security Officers (CISOs), cybersecurity experts, and ex-law enforcement operators, CyberPulse has carved a niche in the cybersecurity landscape. Our mission is to foster a secure and trusted cyber world by revolutionising the way organisations design, consume, and protect IT services.