New Version ISO 27001:2022

The Evolution of the ISO 27001 Standard

Currently, there is an undeniable need to implement effective cybersecurity measures in organizations due to the growing trend of security attacks. Therefore, companies seek to demonstrate trust to their customers and commitment to the security of the information they handle.

As a consequence, the implementation of the well-known ISO standards is a reality. These are standards developed and published by the International Organization for Standardization (ISO) and their main objective is to regularize specific processes in different areas.

In this case, we will focus on information security, which is addressed by the ISO 27000 family of standards, whose core standard is ISO 27001:2022. This standard specifies the requirements to establish, implement, maintain, and continually improve an Information Security Management System (ISMS).

The standard discussed in this article has recently been updated and includes some new features. The new version was published on October 25, 2022. It brings multiple changes to the standard and creates a need for adaptation for all organizations certified against it. The most relevant updates are detailed below.

Changes in the PDCA

Although, in general terms, the clauses that make up the PDCA (Plan-Do-Check-Act) cycle of the standard have not undergone many changes, some of them are worth highlighting.

Starting with clause 4, Context of the Organization, the only modification is in point 4.4, Information Security Management System. It reflects the new requirement to map the company's processes against the PDCA cycle itself and against the controls.

In clause 5, Leadership, an explicit mention has simply been added of the need to communicate roles and responsibilities within the organization. Most organizations already did this under the previous version, but it was not explicitly stated in the standard.

Continuing with clause 6, Planning, two relevant changes can be distinguished. Regarding the information security objectives and the planning to achieve them, it is now established that the objectives must be monitored and be available as documented information. In addition, a new point has been created, 6.3 Planning of changes, which states that when the organization determines the need for changes to the ISMS, those changes must be carried out in a planned manner.

Finally, in clause 8, Operation, specifically in point 8.1 (Operational planning and control), it is indicated that, in addition to the processes contracted from external parties, their products and services must also be controlled. Likewise, the organization's own processes must be controlled as well.

Changes in Controls

It could be said that the bulk of the ISO 27001:2022 update focuses on the security controls. This is because, following the new version of ISO 27002 published on February 16, 2022, Annex A of the standard, which lists these controls, has undergone a complete reorganization.

The 2013 version had 114 controls divided into 14 domains. In the 2022 version, they have been reduced to 93 controls arranged in 4 large groups.

The new groups and the organization of their controls are detailed below:

  • Organizational Controls: 37 controls of which 3 are new.
  • People Controls: 8 controls, unchanged from the previous version.
  • Physical Controls: 14 controls of which 1 is new.
  • Technological Controls: 34 controls of which 7 are new.

The new controls that did not exist in the previous version are listed below, grouped by the control group they belong to (the number is the control's clause number within Annex A of the 2022 version):

Organizational controls (A.5):

  • 5.7 Threat intelligence.
  • 5.23 Information security for use of cloud services.
  • 5.30 ICT readiness for business continuity.

Physical controls (A.7):

  • 7.4 Physical security monitoring.

Technological controls (A.8):

  • 8.9 Configuration management.
  • 8.10 Information deletion.
  • 8.11 Data masking.
  • 8.12 Data leakage prevention.
  • 8.16 Monitoring activities.
  • 8.23 Web filtering.
  • 8.28 Secure coding.

On the other hand, a total of 57 controls from the old version have been merged into 24, which explains the reduction in the number of controls.

Likewise, some of the remaining controls from the 2013 version have been modified and will require adaptation changes on the part of organizations.

Adaptation Dates to ISO 27001:2022

The new version of the standard was issued on October 25, 2022. However, this publication does not require immediate adaptation to the changes discussed; rather, it allows time to adjust to the new standard.

First, certification against the new ISO/IEC 27001:2022 is expected to become available around February to April 2023, although this will mainly depend on the Accreditation Bodies. The last date established for audits against the previous 2013 version is 18 months after the new publication, that is, April 2024. This date applies to both initial and recertification audits.

Finally, it should be noted that 3 years after the new publication, that is, in October 2025, all certificates issued against the 2013 version will be invalidated.

How Can We Help You?

At GlobalSuite Solutions, we will support you in implementing the ISO 27001:2022 standard with a view to its official certification. We can start from scratch with an initial diagnosis of compliance with the standard, or help you update an Information Security Management System based on ISO 27001:2013 by introducing the relevant changes to the security control catalogs, the PDCA cycle, etc. Additionally, by managing it through GlobalSuite® Security you can obtain the following benefits:

  • You will save time managing ISO 27001 processes and use fewer resources by relying on the software, thereby obtaining better and more consolidated results.
  • You will achieve greater efficiency in conducting risk analyses with a dedicated platform.
  • You will complete the continuous improvement cycle faster, without duplication of information and with more reliable results.
  • You will monitor staff actions through automatic recording of modifications, avoiding loss of information and keeping data changes under control.
  • You will be able to integrate the system with other software in your company to extend its management to other areas, for example employees, processes, incidents, etc.
  • And you will avoid application maintenance, since it falls to the provider: application security, backups against information loss, availability, etc.