Update to the Information Security Management ISO standard published

The new and revised version of the ISO/IEC 27001:2022 was published at the end of October. So far, it is only available in English. The German translation is expected by the end of 2023.

Influence on certifications

Current certifications are valid until October 2025. If the organization’s recertification is due sooner, the new standard must be considered as early as May 2024. Companies can certify against the new revision of the ISO 27001 standard since October 25, 2022.

Content update

The main clauses stayed nearly the same, but the controls in Annex A have been updated significantly – some changes may have a major impact on affected organizations.

The structure of the standard is now identical with the structure that is used for other ISO standards, like ISO 9001 (Quality Management), ISO 22301 (Business Continuity Management) and others. Some chapters have undergone some editorial changes (texts were combined, clauses are structured in a new way, e.g., 9.2 Internal Audit has now two subchapters “9.2.1 General” and “9.2.2 Internal audit programme”. Some clauses have been enhanced with new requirements: e.g., “9.3.2 c) changes in needs and expectations of interested parties that are relevant to the information security management system” or”4.2 Understanding the needs and expectations of interested parties” that adds the requirement that it shall be documented which of the requirements from interested parties will be addressed through the information security management system. Chapter “6.3 Planning of changes” requires that the changes to the ISMS are carried out in a planned manner.

Annex A is now titled “Information security controls reference”. The structure has changed completely:

• • Organizational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

New controls

The number of controls has decreased from 114 to 93. Some controls have been summarized and eleven new controls have been added:

• • 7 Threat intelligence
  • 23 Information security for use of cloud services
  • 30 ICT readiness for business continuity
  • 4 Physical security monitoring
  • 9 Configuration management
  • 10 Information deletion
  • 11 Data masking
  • 12 Data leakage prevention
  • 16 Monitoring activities
  • 22 Web filtering
  • 28 Secure coding

Especially the requirements regarding 5.30 ICT readiness for business continuity have been significantly increased while some other controls have been slightly enhanced requirements.

Operating the management system

Additional information on how to implement the new controls can be found in the ISO 27002:2022 standard, that has been released earlier this year. If you operate an ISO 27001 compliant ISMS, you should start in time to analyze the gaps to your current ISMS to have enough time for implementing the changes to reflect the new requirements of the ISO 27001:2022.

For further information, questions or assistance regarding the ISO standard or Cyber Security in general please don’t hesitate to contact us.