What’s new in ISO/IEC 27001:2022?
ISO 27001 defines the framework for an Information Security Management System for businesses of any size, structure, or orientation. The title of the ISO/IEC 27001:2022 Standard has been changed from “Information Technology – Security Techniques” to “Information Security, Cybersecurity, and Privacy Protection” in order to cover a broader range of security controls.
What Has Changed In ISO/IEC 27001:2022?
By implementing ISO/IEC 27001:2022, organizations can demonstrate their commitment to protecting their information assets and ensuring the confidentiality, integrity, and availability of their information.
Here are some of the key changes and updates in ISO/IEC 27001:2022:
1- Increased focus on risk management:
The new version of the standard places a greater emphasis on risk management, with a specific focus on identifying, assessing, and treating information security risks.
2- Enhanced guidance on security controls:
The updated standard provides more detailed guidance on implementing security controls, including a new annex with a list of suggested security controls.
3- Revised structure and terminology:
The structure and terminology of the standard have been revised to align with other ISO management system standards, making it easier for organizations to integrate their information security management system with other management systems.
4- Greater emphasis on context and stakeholders:
The new version of the standard emphasizes the importance of understanding the context of the organization and its stakeholders when developing and implementing an ISMS.
5- Updated requirements for documentation:
The standard has updated requirements for documenting information security management processes and procedures, with a focus on ensuring that documentation is relevant and useful for the organization.
The standard refined 6 clauses, added 1 clause, rewrote 1 clause, and split 2 clauses. The clauses are described in the figure below:
Fig. 1: Changes in ISO/IEC 27001:2022
Annex A has undergone the most significant changes
The number of controls in Annex A has been reduced from 114 to 93. The reduction in the number of controls is primarily due to the consolidation of many of them. 35 controls have remained the same, 23 have been renamed, 57 have been merged into 24 controls, and one has been divided into two.
The 93 controls have been divided into four groups or sections.
The 11 new controls are:
Each control’s layout includes the control’s title, attribute table, purpose, guidance, and other information.
- Control type: Preventive, Detective, and Corrective. These attribute values indicate the point in time relative to an incident (before, during, and after) at which a control is most effective.
- Information security properties: Confidentiality, Integrity, and Availability (CIA), the characteristics of the information that the control protects.
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover, a further breakdown of cybersecurity activities that may take place before, during, and after incidents.
- Operational capabilities: Asset management, information protection, human resource security, physical security, system and network security, application security, information security, information assurance, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationship security, compliance, and legal issues.
- Security domains: Governance and Ecosystem, Protection, Defence, and Resilience.
Business Benefits Of Deploying ISO/IEC 27001:2022
By implementing ISO/IEC 27001:2022, organizations can benefit in a number of ways, including:
- Improved risk management: The standard provides a framework for identifying and managing information security risks, helping organizations mitigate the risk of data breaches and other security incidents.
- Enhanced stakeholder trust: By demonstrating a commitment to information security management, organizations can build trust with customers, partners, and other stakeholders.
- Better alignment with other management systems: The revised structure and terminology of the standard make it easier for organizations to integrate their ISMS with other management systems, such as quality management systems or environmental management systems.
- More effective security controls: The updated guidance on security controls can help organizations to implement more effective measures to protect their sensitive information and assets.
- Regulatory compliance: Implementing ISO/IEC 27001:2022 can help organizations to meet the requirements of data protection and privacy regulations, such as GDPR or CCPA.
Overall, ISO/IEC 27001:2022 provides a comprehensive framework for managing information security risks and protecting sensitive information and assets. By implementing this standard, organizations can demonstrate their commitment to information security and gain a competitive advantage in the marketplace.
-Santosh K. Sharma