ISO 27001:2022: A Complete List of Changes
Learn about the notable changes and new requirements in the updated version of ISO 27001 to ensure information security management and compliance.
In October 2022, the International Organization for Standardization (ISO) published a new version of ISO 27001 and its complement, ISO 27002. The update was prompted by the recognition that the 2013 editions of these standards were not fully aligned with the rapid advancements in technology and cybersecurity. An overhauled set of controls and their implementation guidelines is now available.
Organizations pursuing an ISO 27001 certification must transition to the new standard no later than October 2025, when ISO 27001:2013 certifications will be officially withdrawn. Even if certification is not a short-term goal, implementing ISO 27001:2022 should start as soon as possible.
Without a well-directed information security management system (ISMS), companies remain vulnerable to security incidents and data breaches. These attacks now cost an average of $4.45 million in damages, according to the IBM Cost of a Data Breach Report.
There is some good news:
ISO 27001:2022 still applies to all company industries and sizes.
The number of controls has been reduced from 114 to 93.
Eleven new controls, in line with the current security industry and technological advancements, have been added.
Automation software can considerably simplify preparing for compliance and monitoring your evolving compliance posture.
This article walks you through the notable changes that ISO 27001:2022 brought and sets your baseline for implementing it, preparing for the certification, and managing an ISO 27001 audit.
In addition to an improved standard format that includes a more polished and user-friendly structure, ISO 27001 includes changes to the ISMS clauses and Annex A controls, which are elaborated on below.
It’s worth noting that these changes are also reflected in the new (2022) complementary standards: ISO 27002 (providing comprehensive guidance for implementing Annex A controls) and ISO 27005 (which is the ISO framework for information security risk management).
Dimension | ISO 27001:2022 vs. ISO 27001:2013
--- | ---
ISMS clauses | New clause 6.3 “Planning of Changes”; no obsolete clauses; additional or different wording of some subclauses, serving as new requirements or as better guidance
Annex A controls | Four themes replace the previous 14 domains; 93 controls instead of 114, of which 11 are new; more focus on data protection, cloud security, physical security, and third-party/outsourcing; controls now have a “purpose” instead of “objectives”; each control now has five “attributes”
While we will not address minor structural changes, some ISMS clauses have a few notable updates. Since clauses 4-10 are mandatory for the ISO certification, these additions should be carefully considered:
Clause 4.2 Understanding the needs and expectations of interested parties: Bullet c) was added, where it must be determined which of the needs are to be addressed through the ISMS.
Clause 4.4 Information security management system: New wording indicates that process interactions with the ISMS should be determined.
Clause 6.1 Actions to address risks and opportunities: 6.1.3 bullets c) and d) are reworded, pointing to the new set of Annex A controls.
Clause 6.2 Information security objectives: New bullets d) and g) require monitoring and documenting the ISMS objectives.
NEW Clause 6.3 Planning of changes: As its title indicates, changes to the ISMS must be planned. This includes, if applicable, the transition from ISO 27001:2013 to 2022.
Clause 8.1 Operational planning and control: Closely linked to clause 6, this clause now states that criteria must be established for the ISMS actions (processes) that address risks, and controls must be aligned with the established criteria.
Clause 9.1 Monitoring, measurement, analysis, and evaluation: With new wording, it is now clear that the organization must evaluate its ISMS performance, not just monitor it.
Clause 9.3 Management review: Bullet c) was added, stating that the needs and expectations of stakeholders should be included in ISMS management reviews.
Perhaps the first notable change in Annex A controls is a shorter list. This simplification comes with a well-thought-out overhaul, where synergies were found in some former controls, which are now merged. At the same time, information security needs and challenges have been translated into new controls.
Here is a summarized overview of the 11 new controls:
5.7 Threat intelligence: Organizations should collect and analyze relevant data from the current threat landscape and apply this information to prepare for and respond to security incidents. Organizations are encouraged to exchange such information and to have different data sources, such as news bulletins, peer conferences, vendor alerts, memberships in security groups, and information-sharing organizations.
5.23 Information security for use of cloud services: Using cloud services does not exonerate an organization from managing them strategically and securely. A policy should be defined and implemented, and cloud agreements should cover various information security aspects, like protection measures for data transfer, retention, and deletion; access controls; maintenance; SLAs for incident response; and other applicable elements.
5.30 ICT readiness for business continuity: Requirements stemming from business impact analyses (BIAs) should be translated into ICT (Information and Communications Technology) continuity strategies to plan for unlikely but disruptive scenarios affecting the organization’s information availability.
7.4 Physical security monitoring: Surveillance systems should be implemented to prevent unauthorized access to the premises wherever confidential information is being processed. Systems should be tamper-proof, and relevant regulations for personal data protection should be observed.
8.9 Configuration management: Misconfigurations are one of the top three avenues that threat actors use to gain unauthorized access. This control indicates that the company’s infrastructure hardware, software, and services need managed configuration processes. It involves leveraging secure configuration standard templates and monitoring assets for deviations (e.g., out-of-support versions).
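The "standard template plus monitoring for deviations" part of control 8.9 is easy to show in code. The following is an added example, not code from the article or from Drata: a hypothetical hardening baseline for an SSH daemon is compared against the parsed configuration of each asset, and a constructed support table flags versions that are out of support. Hostnames, settings, versions and the support floor are all constructed sample values.

```python
"""Added example (not from the article or from Drata): checking assets against a
secure-configuration baseline and reporting deviations, in the spirit of control 8.9.
All hostnames, settings, versions and the support floor are constructed sample data."""
from dataclasses import dataclass, field

# Hypothetical hardening template: parameter -> required value.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed support table: product -> minimum version still receiving updates.
MIN_SUPPORTED = {"openssh": (8, 0)}


@dataclass
class Asset:
    host: str
    product: str
    version: str
    settings: dict = field(default_factory=dict)


def parse_version(v: str) -> tuple:
    """'9.3' -> (9, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_sshd_config(text: str) -> dict:
    """Parse 'Key value' lines of an sshd_config-style file, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_asset(asset: Asset, baseline=BASELINE, min_supported=MIN_SUPPORTED) -> list:
    """Return a list of deviation strings; an empty list means the asset matches the baseline."""
    findings = []
    for key, required in baseline.items():
        actual = asset.settings.get(key)
        if actual is None:
            findings.append(f"{asset.host}: {key} not set (baseline requires {required})")
        elif actual != required:
            findings.append(f"{asset.host}: {key}={actual} (baseline requires {required})")
    floor = min_supported.get(asset.product)
    if floor and parse_version(asset.version) < floor:
        findings.append(f"{asset.host}: {asset.product} {asset.version} is out of support "
                        f"(minimum {'.'.join(map(str, floor))})")
    return findings


# Constructed sample configurations: one compliant host, one that has drifted.
SAMPLE_CONFIG_OK = """# hardened host
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 4
LogLevel VERBOSE
"""
SAMPLE_CONFIG_DRIFT = """PasswordAuthentication yes
PermitRootLogin no
LogLevel INFO
"""


def run_sample() -> dict:
    """Evaluate the two constructed assets; returns host -> list of findings."""
    assets = [
        Asset("web-01", "openssh", "9.3", parse_sshd_config(SAMPLE_CONFIG_OK)),
        Asset("legacy-02", "openssh", "7.4", parse_sshd_config(SAMPLE_CONFIG_DRIFT)),
    ]
    return {a.host: check_asset(a) for a in assets}


if __name__ == "__main__":
    for host, findings in run_sample().items():
        print(host, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Missing parameters are reported separately from wrong values because a setting that is absent falls back to the daemon's default, which is exactly the kind of silent deviation a baseline check exists to catch. In a real deployment the findings would feed a ticketing or compliance-automation system rather than stdout.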
8.10 Information deletion: The chances of unauthorized disclosure of sensitive information are minimized by not keeping the information longer than necessary. Deletion processes and techniques should be chosen based on the sensitivity level of the information and accounting for any requirements from relevant laws and regulations that govern the type of data (e.g., GDPR).
8.11 Data masking: Another control tightly related to the protection of personal data (e.g., PII) but applicable to sensitive data in general, this control indicates ways of protecting data through techniques such as data masking, pseudonymization, and anonymization.
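The three techniques named in control 8.11 are often confused, so here is an added example (not code from the article or from Drata) that applies each to one constructed customer record: masking keeps the format but hides most of the value, pseudonymization replaces an identifier with a keyed token that is consistent across records but not reversible without the key, and anonymization generalizes quasi-identifiers so the record no longer points at a person. The key, the record and the field names are sample values.

```python
"""Added example (not from the article or from Drata): the three techniques named in
control 8.11 applied to a constructed customer record. Key and record are sample values."""
import hashlib
import hmac
import re

# Constructed secret; in practice this lives in a key management system, never beside the data.
PSEUDONYM_KEY = b"demo-key-rotate-me"


def mask_card(pan: str) -> str:
    """Masking: keep only the last four digits, preserving the digit count."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Masking: keep the first character of the local part and the full domain."""
    local, _, domain = address.partition("@")
    return local[:1] + "***@" + domain


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudonymization: a keyed hash (HMAC-SHA-256) so the same input always maps to the
    same token (joins and deduplication still work) but the mapping cannot be reversed or
    reproduced without the key. Input is lower-cased so 'A@x' and 'a@x' share a token."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(record: dict) -> dict:
    """Anonymization by generalization: coarsen quasi-identifiers (age, postcode) and
    carry over only non-identifying attributes; direct identifiers are dropped entirely."""
    decade = record["age"] // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_prefix": record["postcode"][:3],
        "plan": record["plan"],
    }


def protect(record: dict) -> dict:
    """Produce a record safe for a lower-trust environment (e.g. a test system or analytics)."""
    return {
        "customer_id": pseudonymize(record["email"]),
        "email": mask_email(record["email"]),
        "card": mask_card(record["card"]),
        **anonymize(record),
    }


# Constructed sample record.
SAMPLE = {
    "email": "Jane.Doe@example.com",
    "card": "4111 1111 1111 1234",
    "age": 37,
    "postcode": "SW1A1AA",
    "plan": "pro",
}

if __name__ == "__main__":
    print(protect(SAMPLE))
```

Which technique is appropriate depends on the use: masking suits display and logs, pseudonymization suits analytics that still need to link records, and only anonymization takes data outside the scope of personal-data regulation, and then only if the generalization is coarse enough that re-identification is not reasonably likely.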
8.12 Data leakage prevention: Aiming to reduce the risk of confidential data leakage, this control proposes a three-step approach: classifying information, monitoring the channels through which information flows, and taking action to prevent unauthorized data disclosure.
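To make the three steps of control 8.12 concrete, here is an added example (not code from the article or from Drata): a small classifier labels outbound message bodies, a monitor runs over a constructed set of messages from two channels, and a policy decides whether each message is allowed, allowed with an alert, or blocked. The classification rules, internal domain, message set and policy are all constructed sample values, not a production DLP configuration.

```python
"""Added example (not from the article or from Drata): the classify / monitor / act
sequence of control 8.12 over constructed outbound messages. Rules, domains, messages
and policy are sample values."""
import re

# Constructed: domains that count as inside the organization.
INTERNAL_DOMAINS = {"example.com"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to cut down false positives on 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Step 1: classify. Highest-sensitivity rule that matches wins.
def classify(text: str) -> str:
    candidates = [re.sub(r"\D", "", m) for m in re.findall(r"\b(?:\d[ -]?){13,16}\b", text)]
    if any(luhn_ok(c) for c in candidates if 13 <= len(c) <= 16):
        return "confidential"          # payment card number present
    if re.search(r"(?i)\b(?:internal only|do not distribute)\b", text):
        return "internal"              # handling marker present
    return "public"


def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


# Step 3: act. Policy applied to one message; returns an auditable decision record.
def decide(message: dict) -> dict:
    label = classify(message["body"])
    external = [r for r in message["recipients"] if is_external(r)]
    if label in ("confidential", "internal") and external:
        action = "block"
    elif label == "confidential":
        action = "allow+alert"         # stays internal, but worth a record
    else:
        action = "allow"
    return {"id": message["id"], "channel": message["channel"], "label": label,
            "external_recipients": external, "action": action}


# Constructed sample traffic from two monitored channels.
SAMPLE_MESSAGES = [
    {"id": 1, "channel": "email", "recipients": ["partner@vendor.test"],
     "body": "Invoice paid with card 4111 1111 1111 1111, thanks"},
    {"id": 2, "channel": "email", "recipients": ["finance@example.com"],
     "body": "Invoice paid with card 4111 1111 1111 1111, thanks"},
    {"id": 3, "channel": "chat", "recipients": ["contractor@freelance.test"],
     "body": "INTERNAL ONLY: Q3 roadmap draft attached"},
    {"id": 4, "channel": "email", "recipients": ["press@news.test"],
     "body": "Our public release notes are live"},
]


# Step 2: monitor. Run the policy over everything seen on the channels.
def monitor(messages=SAMPLE_MESSAGES) -> list:
    return [decide(m) for m in messages]


if __name__ == "__main__":
    for decision in monitor():
        print(decision)
```

The decision record is returned rather than just acted on because the control also expects evidence: an auditor will want to see what was classified, on which channel, and what happened to it. Real products add content fingerprints and user-applied labels to the rule set; the Luhn check is included because plain digit-pattern rules generate far more false positives than a security team can review.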
8.16 Monitoring activities: Monitoring activities should be in place across the organization’s network to detect any anomalous behavior by its components. Monitoring is crucial for incident response, and following the control guidelines available in ISO 27002:2022 could massively improve a company’s ability to detect potential threats quickly.
8.23 Web filtering: This control aims to reduce the risk of exposure to malicious web content. Organizations should assess malicious domains and websites and block or limit access to these through anti-malware tools and browser configurations. Employee training should also be conducted on acceptable use of online resources.
8.28 Secure coding: Since software development is so prevalent nowadays, principles for secure coding should be implemented and followed by any party that modifies, tests, or develops software code. Secure coding practices should be implemented before, during, and after the code is operational.
Another significant change is the grouping of the Annex A controls into four categories, which represents another simplification (there were formerly 14 domains). These categories are:
A.5 Organizational: 37 controls that revolve primarily around organization-wide processes such as asset management, business continuity, access control, incident response management, data protection, and management of supplier services.
A.6 People: 8 controls that address information security related to people processes, such as background checks, training, remote working, and incident reporting.
A.7 Physical: 14 controls designed to protect tangible assets that process information, such as offices and facilities (e.g., data centers), storage media, hardware, and cabling.
A.8 Technological: 34 controls specific to technology that are meant to provide security of networks, software, and tools utilized in an organization’s infrastructure. These include controls for vulnerability management, backup and availability, software development, data leakage protection, and others.
Finally, the Annex A controls now have five “attributes.” Associating controls with these attributes can be helpful for organizations in their ISMS planning, gap analyses, treatment plans, or other documentation requiring different views of controls. These attributes are:
Control type: Preventive, detective, and/or corrective
Information security properties: Confidentiality, integrity, and availability
Cybersecurity concepts: Identify, protect, detect, respond, and recover
Operational capabilities: Governance, identity and access management, asset management, human resource security, information protection, etc.
Security domains: Protection, defense and resilience, etc.
Whether you are just starting with your ISMS or have a long history with it, one common bit of advice is always to start early. Prioritizing ISO 27001 compliance pays dividends for the security postures of both startups and enterprises.
If you are just starting on the ISO 27001 certification journey, you do not need to waste time understanding the differences between the 2022 and previous versions. To prepare for your ISO 27001 implementation—and, hopefully, certification—here are some recommended high-level steps:
Obtain top-down support for engaging in this effort and explain the need and benefits to all relevant stakeholders. People may not be willing to allocate time unless they can understand the potential cost and consequences of noncompliance.
Get familiar with ISO 27001 for building your ISMS and with ISO 27002 for control implementation guidance.
Follow the ISO 27001 clauses one by one. They are mandatory and will provide you with the logical sequence for implementing a successful ISMS, from determining scope all the way to continuous improvement.
Implement the relevant Annex A controls. There is a common misconception that all controls are mandatory. This is not the case, but controls must be implemented if they are relevant to your organization.
Automate and automate some more. Manual processes are often red flags for auditors, and for good reason. Always try to identify ways of streamlining critical processes and minimizing human intervention.
Compliance automation is possible as well. With integrated monitoring and risk modules, tailored dashboards, alerts, and reports, Drata can simplify compliance management considerably and prepare you for a successful ISO 27001 certification audit.
If a previous certification has already been attained and maintained, there is most likely a certain level of familiarity with the standard in the company and a decent level of compliance. To prepare for the transition, it is a good idea to perform an internal gap analysis against the 2022 version:
Identify and implement any changes required to your ISMS based on clause rewording.
Identify any Annex A control gaps (either updated or new) applicable to your organization, and create actions to close these gaps.
Keep evidence of the risk treatment plans with new controls, an updated statement of applicability (SoA), and updated policies and procedures, if applicable.
Observe the transition timeline below (note that this only applies to organizations with an ISO 27001:2013 certification).
Milestone | Date
--- | ---
Date of publication of the ISO 27001:2022 standard | October 25, 2022
Last day to issue an ISO 27001:2013 certification | April 30, 2024
Expiration/withdrawal of all ISO 27001:2013 certifications | October 30, 2025
Implementing ISO 27001:2022 controls entails rectifying many security nonconformities and allows your company to focus on maintaining and improving security instead of putting out fires.
However, this can be a daunting process. Like implementing other standards and regulations, ISO 27001 needs valuable resources: people and time. In today’s fast-paced environment, this should not take away hundreds of valuable hours from your employees.
Drata makes compliance easier for organizations of every size by mapping standards to policies and controls, running risk assessments, automating control testing and training, and generating audit evidence.