ISO 27002:2022 Updates and Their Impact on ISO 27001 Certification

by Poorva Dange

Introduction

The 2022 revision of ISO 27002 brought substantial changes to align with evolving security threats and technologies. This article guides readers through these changes and how they affect ISO 27001 certification, including timelines for transition and practical steps for successful updates. 

Major Updates 

The following are the major updates brought about by the 2022 version:

  • Control reduction: A key update made by ISO 27002:2022 was to significantly reduce the number of controls from 114 to 93. This involved consolidating the overlapping areas that characterized the ISO 27001:2013 standard.

  • Controls restructure: The 2022 version of ISO 27001 also restructured its main control themes into four parts: organizational, people, physical, and technological. This restructuring makes the document easier to navigate than before, and it gives compliance professionals more clarity and better mapping potential.

  • New controls: Eleven (11) new controls were introduced, listed below by Annex A control number, control name and intent:

      • A.5.7 Threat Intelligence: Cyber threats are increasing on a larger scale than ever before. This control allows organizations to gather and use intelligence on potential and emerging threats, which is useful in improving the effectiveness of security decisions.

      • A.5.23 Information Security for Use of Cloud Services: This control requires organizations to define and manage their information security requirements for the acquisition, use, management and exit from cloud services.

      • A.5.30 ICT Readiness for Business Continuity: This control focuses on the resilience of ICT systems so that they can continue supporting the business in the event of a major disruption.

      • A.7.4 Physical Security Monitoring: The inclusion of this control in the 2022 version strengthens physical security by requiring organizations to monitor and detect unauthorized physical access or environmental threats.

      • A.8.9 Configuration Management: Many attacks succeed because of security misconfigurations, and ISO added this control to assist organizations in establishing and maintaining secure configurations for systems and software. This helps to reduce vulnerabilities and maintain integrity.

      • A.8.10 Information Deletion: A.8.10 was added to enable organizations to ensure the secure removal of information that is no longer needed. This applies to both physical and electronic information.

      • A.8.11 Data Masking: Data masking is a new control designed to ensure that unauthorized individuals cannot access real data while still enabling its use for operational purposes. Data is masked from the point of view of unauthorized users.

      • A.8.12 Data Leakage Prevention: This control assists organizations in preventing unauthorized disclosure of information. It calls for the blocking of potential data leaks, whether accidental or deliberate, across networks and endpoints.

      • A.8.16 Monitoring Activities: Every control needs to be monitored to ensure that it is operating effectively and as intended. This control therefore allows the organization to detect suspicious behaviour and respond promptly to potential incidents.

      • A.8.23 Web Filtering: The web is a source of vulnerabilities in most systems. Including this control in ISO 27001 brings web access within the scope of the controls, helping compliant organizations to mitigate risks associated with websites.

      • A.8.28 Secure Coding: Because code is one of the major sources of vulnerabilities, this control was added to ensure the adoption of secure coding practices. This makes it easier to identify vulnerabilities within the Software Development Life Cycle (SDLC).

Impact On ISO 27001 Certification

The new updates to ISO 27002 have impacted organizations seeking certification both positively and negatively, as discussed below:

  • Attributes for controls: With the new changes, each control referenced in the standard now includes attributes such as purpose, technology, or operational impact. This makes filtering through the document simpler and reporting easier.

  • Integration with emerging threats: The new additions have kept pace with current developments in the technological field. Users can now use the standard to design controls that focus on emerging aspects of technology, such as remote work, supply chain security, and zero-trust principles. This has kept the standard relevant in the contemporary era of cybersecurity.

  • New control themes: The new controls, divided into the four (4) themes explained above, place more emphasis on important aspects that were previously not required. These are necessary for a holistic, secure environment in any organization. However, it also means that organizations must invest in putting in place the necessary infrastructure to ensure compliance with the new controls.

  • Transition considerations: Organizations can take advantage of the transitional arrangements available for the full implementation of the new standard version. While this may involve extra work, the benefits are huge for organizations that transition to the new version. The good point to note from the 2022 updates is that certification bodies allow 2–3 years to transition to the new version. 

Conclusion

The above key changes to the ISO 27001 controls have necessitated a shift in compliance across many organizations. While the standards provide transitional arrangements, organizations must start the alignment process early to ensure their controls address the most current risks at any given time. Significant investment in control implementation and compliance processes should also be expected.