What You Need to Know About ISO 27001:2022

Expert insight from ISO 27001 pioneer Alan Calder

Alan is the Group CEO of GRC International Group PLC, the parent company of IT Governance Europe, and an ISO 27001 pioneer.

He led the world’s first successful implementation of ISO 27001, and has been involved in developing a wide range of information security management training courses.

Alan has also consulted for clients across the globe, and is a regular media commentator and speaker.

In this interview

  • Why ISO 27001 was updated
  • Key dates for transitioning to ISO 27001:2022
  • The relationship between Annex A and ISO 27002
  • Key changes in ISO 27001:2022 and ISO 27002:2022
  • Key considerations for planning your transition project

The latest versions of ISO 27001 and ISO 27002 were published in 2022. Why were the updates necessary?

The previous editions of the Standards were published in 2013. In the intervening nine years, the cyber security world has changed dramatically – which is why we needed the updates.

Mobile device usage has exploded, especially in terms of BYOD [bring your own device], as has remote working. Both fuel arguably one of the biggest changes – and challenges – in cyber security: Cloud uptake.

With the Cloud, people can log in to corporate networks from literally anywhere in the world. So, organisations have to figure out how they’ll make sure that only staff and other authorised entities get access – for example, through zero-trust architecture.

For organisations that haven’t yet transitioned to ISO 27001:2022, what do they need to know?

ISO/IEC 27001:2022 was published in October 2022, with a three-year transition period. This enables certified organisations to transition at their own speed from the 2013 version of the Standard to the 2022 one.

Now, we’re nearly halfway through the transition period – the clock is ticking.

Some 60,000 organisations worldwide are yet to transition. Avoiding eleventh-hour disasters requires a strategic approach: certification bodies won’t be able to accommodate a last-minute flood of recertifications. That means that many organisations will, at the end of October 2025, find themselves out on a limb if they don’t plan.

Certification bodies have already ceased offering recertification to the 2013 standard, so those organisations that have recertification coming up in the next 18 months have no option but to make the transition now.

What’s new in ISO 27001:2022 compared to ISO 27001:2013?

The main ISMS requirements, from Clauses 4–10, have seen minor changes only, largely just aligning ISO 27001 to other recent ISO management systems. That said, even non-dramatic changes need implementing.

Annex A of ISO 27001:2022, on the other hand, has been completely overhauled. This is the reference control set around which you build an ISO 27001 SoA [Statement of Applicability].

Annex A has been updated to reflect the significant changes made to ISO/IEC 27002:2022, which was published before ISO/IEC 27001:2022. [ISO 27002:2022 was published in February 2022, and ISO 27001:2022 in October 2022.]

How are Annex A and ISO 27002 linked?

ISO 27002 sets out an internationally recognised control set, together with generic guidance on how to implement those controls.

Annex A of ISO 27001 captures the names of the controls in ISO 27002 and, again, provides them as a reference control set against which the controls selected for an ISMS must be compared.

Organisations implementing ISO 27001 don’t have to use the Annex A controls, but if you use a different control set, you’ll have to map them against Annex A in your SoA. That gives auditors a clear point of reference.

Also, if you exclude any controls from Annex A, you must document justifications for doing so.

The key thing is to implement the controls that either meet the requirement[s] of an interested party, or are necessary as part of a risk response.

How has the 2022 version of Annex A changed compared to 2013?

For one, it’s structured differently.

Previously, the Standard grouped the Annex A controls around 14 control objectives, each reflecting a concrete area of security – access control, asset management, and so on.

Now, ISO 27002:2022 [and Annex A] groups the controls into 4 themes:

  1. Organisational
  2. People
  3. Physical
  4. Technological

These themes reflect more widely understood information security domains.

In addition, ISO 27002 now contains fewer controls – 93, rather than 114. That’s in spite of introducing 11 new controls, and not removing any. The overall reduction in number comes from merging many of the 2013 controls.

What are the new controls of ISO 27001:2022?

Annex A and ISO 27002:2022 contain the following new controls:

  • Web filtering
  • Data masking
  • Secure coding
  • Threat intelligence
  • Information deletion
  • Monitoring activities
  • Data leakage prevention
  • Configuration management
  • Physical security monitoring
  • ICT readiness for business continuity
  • Information security for use of Cloud services

[Note: We identify these as new controls in line with Annex B of ISO 27002:2022. This free green paper delves deeper into these controls, pointing out the links with controls from the 2013 edition of the Standard.]

What else is new in ISO 27002?

The 2022 edition introduced 5 ‘attributes’:

  1. Control type
  2. Security domains
  3. Operational capabilities
  4. Cyber security concepts
  5. Information security properties

These look at things like:

  • How a control modifies a risk [preventive, detective, corrective];
  • The information security characteristic it’s trying to preserve [confidentiality, integrity, availability]; and
  • Which stage of cyber defence in depth the control falls under [identify, protect, detect, respond, recover].

The attributes are very helpful for identifying how to apply the Annex A controls effectively.

To transition, where should organisations start?

With a gap analysis. You must, in effect, audit your existing ISMS against ISO 27001:2022, so you can identify all non-conformant areas.

This enables you to create a transition plan, in which you set out who is responsible for each aspect of each change you need to make to your ISMS. That includes updating all your documentation to refer to the new Standard.

What should organisations do after implementing their transition plan?

Review your risk assessment next – bearing in mind that ISO 27005 was also updated in 2022. [ISO 27005 gives guidance on managing information security risks in line with ISO 27001 and ISO 27002.]

As you’re doing that, consider the applicability of the controls set out in Annex A. Again, you can select controls from whatever source is appropriate and will achieve your risk management objectives, but you must map them against those in Annex A.

Once you’ve determined which of the new controls are applicable, you need to update your SoA and risk treatment plan.

What else must organisations do to comply with ISO 27001?

A key ISO 27001 requirement is that those doing work within the ISMS must be appropriately qualified to do so [in the Standard’s language, “competent”].

Relying on existing qualifications, based on the 2013 Standard, will automatically trigger nonconformities during an audit. So, make sure all your practitioners and auditors take and pass a transition exam that qualifies them to work with the 2022 Standard.

You’ll also need to update your staff awareness training in line with ISO 27001:2022.

Looking to effortlessly select Annex A controls?

CyberComply allows you to automate, review and repeat risk assessments.

Reduce the time spent on risk assessments by up to 80%, and automate the creation of key documents for an ISMS, including the SoA.

Take advantage of CyberComply’s built-in library of controls to treat risks.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our interview with head of GRC consultancy Andrew Pattison on pragmatic ISO 27001 risk assessments?

Alternatively, explore our full index of interviews here.

This blog post updates one originally published in 2022.
