ISO/IEC 27001:2022 Transition
I. Introduction
The use of information and information systems has become an integral part of most organizations as they offer various benefits. However, the increased reliance on information technology comes with the responsibility of ensuring effective governance and management of these resources.
Organizations need to implement effective security practices that facilitate business growth and enable the achievement of the desired results. These practices can help optimize costs by preventing data breaches or any information security incident. Additionally, these practices help organizations fulfill regulatory obligations, which are necessary to avoid costly penalties and damage in reputation. Good security practices also help organizations protect customer data, which in turn enables organizations to build trust and loyalty with their clients and increase their satisfaction. The management system model defined in ISO/IEC 27001 can be used to implement effective processes and controls. Adhering to the requirements of ISO/IEC 27001:2022 demonstrates organizations’ commitment to preserve the confidentiality, integrity, and availability of their information.
According to an IBM report comprising data from 17 countries and regions and 17 industries, the average cost of a data breach in 2022 reached an unprecedented level at $4.35 million¹. The most common type of attack remains ransomware, although during the first quarter of 2022 there was a decrease in ransomware attacks when compared with the year prior.² A ransomware attack can cause severe disruptions to the organization’s operations and seriously damage its reputation. Thus, safeguarding information is of utmost importance for organizations.
ISO/IEC 27001 is an international standard that provides the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). An ISMS is a set of policies, procedures, and controls that are established to systematically manage sensitive information. The main objective of an ISMS is to ensure information security by establishing adequate measures to address information security risks.
An ISMS based on the requirements of ISO/IEC 27001 demonstrates that the organization has established a comprehensive and systematic method for managing information security which supports its business objectives. Compliance with ISO/IEC 27001 can also help organizations meet the requirements of various other standards and regulations related to information security such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Cloud Security Alliance (CSA) controls, the HIPAA Security Rule, and the NIST Cybersecurity Framework. In addition, compliance with ISO/IEC 27001 can help organizations that are within the scope of the new EU Directive 2022/2555, which requires implementing a framework to protect systems and data.
In order to keep pace with technological advancements and remain pertinent to current information security risks, ISO/IEC 27001 was revised and the latest edition of the standard was published in October 2022. ISO/IEC 27001:2022 is now aligned with the updated version of ISO/IEC 27002 published earlier in 2022. The most significant changes in ISO/IEC 27001:2022 are noticed in the information security controls of Annex A, whereas in clauses 4 to 10 the changes are less significant.
II. An Overview of ISO/IEC 27001 and Its Importance in Information Security Management
ISO/IEC 27001 is a widely recognized international information security standard that can be used by any organization, regardless of its size or the complexity of its processes. The development of ISO/IEC 27001 began in the late 1990s, as a need for better processes, practices, and controls to manage information security became apparent. The first version of the standard was ISO/IEC 17799, a code of practice for information security management that was created based on BS 7799-2. These standards were later replaced by ISO/IEC 27001, which was initially published in October 2005 and revised in 2013. The current version of ISO/IEC 27001 was published in 2022.
ISO/IEC 27001 provides a robust framework through its requirements outlined in clauses 4 to 10 and a comprehensive list of information security controls that enable effective information security management. The standard promotes a risk-based approach which requires organizations to identify, analyze, and evaluate information security risks and implement adequate controls to treat them. After the initial implementation is completed, the standard requires organizations to monitor and review the ISMS regularly, to ensure its ongoing effectiveness in protecting information assets.
ISO/IEC 27001 follows the harmonized structure of International Organization for Standardization (ISO) and is aligned with other management system standards, such as ISO 9001, ISO 14001, and ISO 37001, allowing for easy integration with other management systems. The requirements specified in clauses 4 to 10 of the standard, expressed with the verb “shall”, must be met by any organization that aims to get certified against ISO/IEC 27001. As for the information security controls of Annex A, on the other hand, each organization planning to pursue an ISO/IEC 27001 certification must determine whether the controls are applicable and justify in the Statement of Applicability (SoA) the inclusion or exclusion of each control, as well as their implementation status.
A. Main Clauses of ISO/IEC 27001
Clause 4 Context of the organization provides the requirements regarding the organization’s context, the needs and expectations of interested parties, and the scope of the ISMS. These requirements are particularly important because organizations must identify all assets that need to be protected and also align their information security objectives with the interests of relevant interested parties.
Clause 5 Leadership specifies the requirements regarding top management's involvement and commitment in the implementation of the ISMS, establishing the information security policy, and defining the roles and responsibilities related to information security. The top management must understand the importance of the ISMS implementation, as the level of support from senior-level managers will have a direct impact on the outcome of the project.
Clause 6 Planning outlines the actions needed to address risks and opportunities, including the requirements for planning the risk assessment and risk treatment processes. Among others, this clause requires organizations to produce a Statement of Applicability, establish and document information security objectives at relevant functions, and plan changes properly.
Clause 7 Support specifies the requirements for the resources, competence, awareness, communication, and documented information necessary for the effective establishment, implementation, maintenance, and continual improvement of the ISMS.
Clause 8 Operation outlines requirements regarding the operational planning and control, risk assessment, and risk treatment. The requirements of this clause are built upon the requirements of clause 6. In a nutshell, what was planned when addressing the requirements of clause 6 must be put into action to address the requirements of clause 8.
Clause 9 Performance evaluation specifies requirements regarding the necessary processes to determine the effectiveness of the ISMS. Such processes include monitoring, measurement, analysis, evaluation, internal audit, and management review.
Clause 10 Improvement provides requirements regarding the continual improvement of the ISMS, the nonconformities, and the corrective actions that should be taken to treat the identified nonconformities.
Note: Information regarding the controls of Annex A is provided below (section V. Overview of Annex A of ISO/IEC 27001).
III. ISO/IEC 27001 and the Reason for Its Revision
The past decade has witnessed a remarkable transformation in technology which significantly affected organizations and their information security management. Some of the technological changes that caused this transformation include cloud computing, the Internet of Things (IoT), Artificial Intelligence (AI), and blockchain. While these technologies provide better solutions for storing and processing data, they have also introduced new security concerns. As technology evolved, so did cyber threats. As such, organizations need to update their existing security practices to reflect the technology developments and current security threats.
ISO standards are usually revised at least once every five years to ensure they remain adequate and relevant. ISO/IEC 27001 was revised mainly to adapt to the ever-evolving information security challenges, which is why the most important changes were made in the information security controls listed in Annex A. The changes in clauses 4 to 10 are minor and were made mainly to ensure alignment with the harmonized structure for management system standards established by ISO and with the latest version of ISO/IEC 27002 published in 2022.
IV. What Has Changed in ISO/IEC 27001:2022?
The title of the standard was changed to Information security, cybersecurity and privacy protection – Information security management systems – Requirements to align with the latest edition of ISO/IEC 27002. The title of the revised standard now reflects its comprehensive scope, which includes both information security and cybersecurity. It is worth noting that while information security generally focuses on protecting information of all formats from unauthorized access, use, or modification, cybersecurity focuses on protecting digital assets from various threats, such as malware, hacking, and cyberattacks.
In clauses 4 to 10 the revisions were mainly technical, with the exception of a few requirements that were added. More significant changes were made in Annex A. The information security controls have been merged and updated based on the new categorization introduced by ISO/IEC 27002:2022, decreasing the number of controls from 114 to 93.
A. Changes in the Main Clauses of ISO/IEC 27001:2022
Clauses 4 to 10 of ISO/IEC 27001:2022 that provide the main requirements for an ISMS have changed slightly. A brief overview of those changes is provided below:
- Clause 4.2 Understanding the needs and expectations of interested parties added a requirement which states that organizations must determine the requirements of interested parties that need to be addressed through the ISMS.
- Clause 4.4 Information security management system, besides requiring organizations to establish, implement, maintain, and continually improve their ISMS, now requires them to do the same for the processes related to the ISMS and their interactions.
- Clause 5.1 Leadership and commitment provides a clarification regarding the term “business” used in the standard, which is used to refer to “those activities that are core to the purposes of the organization’s existence.”
- Clause 5.3 Organizational roles, responsibilities and authorities has some minor changes and specifies that the roles and responsibilities regarding information security should be communicated within the organization.
- Clause 6.2 Information security objectives and planning to achieve them introduces two new requirements. Item d) of this clause requires organizations to monitor information security objectives, whereas item g) requires that the objectives be available as documented information.
- Clause 6.3 Planning of changes is a new requirement of ISO/IEC 27001:2022. It requires organizations to carry out the changes to the ISMS in a planned manner.
- Clause 7.4 Communication has minor changes. Item (d) who shall communicate and item (e) the processes by which communication shall be effected have been merged to a new requirement: (d) how to communicate.
- Clause 8.1 Operational planning and control has been simplified and additional information has been provided on how to achieve the intended outcomes. This clause requires organizations to plan, carry out, and oversee processes that are essential to meet requirements by establishing criteria for the processes and implementing control of the processes in accordance with the criteria. The establishment of such criteria for ISMS processes allows organizations to evaluate the performance of the implemented processes and determine whether they conform to the established criteria.
- Clause 9.2 Internal audit has been divided into two subclauses: clause 9.2.1 General and clause 9.2.2 Internal audit programme to align with other management system standards; however, the requirements of this clause remain the same.
- Clause 9.3 Management review has been divided into three subclauses: clause 9.3.1 General, clause 9.3.2 Management review inputs, and clause 9.3.3 Management review results. This clause introduces a new requirement which states that the changes in needs and expectations of the interested parties that are relevant to the ISMS should be taken into account during management reviews. In addition, the new version of the standard refers to the outcomes of the management reviews as “results,” and requires organizations to assure that evidence of such results is available as documented information.
- Clause 10 Improvement has been rearranged but its content remains unchanged.
B. What Has Changed in Annex A of ISO/IEC 27001:2022?
Annex A of ISO/IEC 27001:2022 is a list of information security controls that aim to ensure the confidentiality, integrity, and availability of information and information assets. However, it should be noted that the information security controls listed in Annex A are not exhaustive and additional controls may be added as necessary by the organization. Annex A of ISO/IEC 27001:2022 has been updated and aligned with ISO/IEC 27002:2022.
The number of controls in ISO/IEC 27001:2022 has been reduced from 114 that were in the previous version to 93.
- 35 controls remained exactly as they were
- 23 controls were renamed
- 57 controls were merged into 24
- 11 new controls were introduced
The previous concept of the standard for grouping several controls within a control category with a common objective has been discarded, which is also reflected in the new control identifier (previous control A.5.1.1 has been changed to 5.1). While the previous version of the standard comprised 114 controls categorized into 14 categories, the 93 controls of the new version have been restructured into four themes.
V. Overview of Annex A of ISO/IEC 27001:2022
The information security controls of Annex A of ISO/IEC 27001:2022 are categorized in four themes in alignment with ISO/IEC 27002:2022: organizational, people, physical, and technological.
Annex A controls and their categorization are directly derived from ISO/IEC 27002:2022; however, organizations can customize their own view of controls based on the organization’s context and needs. This helps organizations that seek to ensure compliance with ISO/IEC 27001:2022 to accelerate the process of comparing the necessary controls determined in the risk treatment plan with Annex A controls, as required by clause 6.1.3 Information security risk treatment. ISO/IEC 27002:2022 provides five attributes for each control: control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.
A. Organizational Controls
Annex A of ISO/IEC 27001:2022 provides 37 controls that address organizational issues and aim to prevent and address information security risks related to unauthorized use of assets, unauthorized access to information, supplier relationships, and cloud computing. Some controls that address organizational issues include separating roles and responsibilities, managing information, and adhering to relevant laws and regulations.
B. People Controls
Annex A of ISO/IEC 27001:2022 provides 8 controls that aim to assist organizations in managing information security risks related to individuals. They address risks related to the hiring process, information security roles and responsibilities of the personnel and external parties, and information security violations.
C. Physical Controls
Annex A of ISO/IEC 27001:2022 provides 14 physical controls that mainly help organizations in physically safeguarding information assets and information processing facilities. These controls seek to ensure information security by requiring organizations to determine physical security perimeters and protect secure areas, infrastructure, equipment, data, and off-site assets.
D. Technological Controls
Annex A of ISO/IEC 27001 provides 34 technological controls that aim to help organizations secure their information and information systems in line with business requirements. These controls, among others, include the establishment of processes for authorized access, appropriate use and maintenance of information assets, systems resiliency and recoverability, and protection against malicious attacks and infrastructure overload.
E. New Controls
There are 11 new controls introduced in the new version of ISO/IEC 27001.
To help you better understand the new controls, an explanation of the requirements of each control as defined by ISO/IEC 27001 and of its purpose based on the guidelines of ISO/IEC 27002 is provided below, grouped by theme.
Organizational controls
- Annex A 5.7 Threat intelligence requires organizations to gather and examine information about potential threats. This is required to help the organization effectively understand and address information security threats.
- Annex A 5.23 Information security for use of cloud services requires organizations to establish security measures related to the acquisition, use, and management of cloud services. The purpose of this control is to ensure information security when using cloud services.
- Annex A 5.30 ICT readiness for business continuity requires organizations to plan, establish, and review ICT readiness. This control aims to ensure that important information and other associated assets are accessible during disruptions.
Physical controls
- Annex A 7.4 Physical security monitoring requires organizations to monitor premises, such as offices, warehouses, and other physical sites, for unauthorized access. The purpose of this control is to detect and prevent unauthorized physical access.
Technological controls
- Annex A 8.9 Configuration management requires organizations to establish security configurations of hardware, software, networks, and services to ensure they function properly with the required security settings.
- Annex A 8.10 Information deletion requires organizations to delete information when it is no longer necessary or when it has surpassed the documented retention period. This control aims to prevent exposure of sensitive information and to ensure compliance with relevant laws and other regulations.
- Annex A 8.11 Data masking requires organizations to use data masking. The purpose of this control is to limit the exposure of sensitive data, such as PII, and comply with legal, statutory, regulatory, and contractual requirements.
- Annex A 8.12 Data leakage prevention requires organizations to establish measures in systems or any device that processes, stores, or transmits data to prevent data leakage.
- Annex A 8.16 Monitoring activities requires organizations to monitor systems, applications, and networks for unusual activity. This control aims to detect potential information security incidents.
- Annex A 8.23 Web filtering requires organizations to manage access to websites to minimize the likelihood of infecting systems with malware. The purpose of this control is to protect systems from malware and prevent access to unauthorized websites.
- Annex A 8.28 Secure coding requires organizations to establish secure coding principles in software development. It aims to help organizations reduce the number of vulnerabilities in the software by ensuring that the software is developed securely.
F. Merged Controls
A total of 57 controls of ISO/IEC 27001:2013 have been merged into 24 controls in ISO/IEC 27001:2022.
Of these 24 controls, 12 are organizational controls, 1 is a people control, 2 are physical controls, and 9 are technological controls.
The list below shows, for each control of ISO/IEC 27001:2022 that was created by merging controls of ISO/IEC 27001:2013, the merged controls of ISO/IEC 27001:2013 it was created from.
Organizational controls
- Annex A 5.1 Policies for information security merges: Annex A.5.1.1 Policies for information security; Annex A.5.1.2 Review of the policies for information security
- Annex A 5.8 Information security in project management merges: Annex A.6.1.5 Information security in project management; Annex A.14.1.1 Information security requirements analysis and specification
- Annex A 5.9 Inventory of information and other associated assets merges: Annex A.8.1.1 Inventory of assets; Annex A.8.1.2 Ownership of assets
- Annex A 5.10 Acceptable use of information and other associated assets merges: Annex A.8.1.3 Acceptable use of assets; Annex A.8.2.3 Handling of assets
- Annex A 5.14 Information transfer merges: Annex A.13.2.1 Information transfer policies and procedures; Annex A.13.2.2 Agreements on information transfer; Annex A.13.2.3 Electronic messaging
- Annex A 5.15 Access control merges: Annex A.9.1.1 Access control policy; Annex A.9.1.2 Access to networks and network services
- Annex A 5.17 Authentication information merges: Annex A.9.2.4 Management of secret authentication information of users; Annex A.9.3.1 Use of secret authentication information; Annex A.9.4.3 Password management system
- Annex A 5.18 Access rights merges: Annex A.9.2.2 User access provisioning; Annex A.9.2.5 Review of user access rights; Annex A.9.2.6 Removal or adjustment of access rights
- Annex A 5.22 Monitoring, review and change management of supplier services merges: Annex A.15.2.1 Monitoring and review of supplier services; Annex A.15.2.2 Managing changes to supplier services
- Annex A 5.29 Information security during disruption merges: Annex A.17.1.1 Planning information security continuity; Annex A.17.1.2 Implementing information security continuity; Annex A.17.1.3 Verify, review and evaluate information security continuity
- Annex A 5.31 Legal, statutory, regulatory and contractual requirements merges: Annex A.18.1.1 Identification of applicable legislation and contractual requirements; Annex A.18.1.5 Regulation of cryptographic controls
- Annex A 5.36 Compliance with policies, rules and standards for information security merges: Annex A.18.2.2 Compliance with security policies and standards; Annex A.18.2.3 Technical compliance review
People controls
- Annex A 6.8 Information security event reporting merges: Annex A.16.1.2 Reporting information security events; Annex A.16.1.3 Reporting information security weaknesses
Physical controls
- Annex A 7.2 Physical entry merges: Annex A.11.1.2 Physical entry controls; Annex A.11.1.6 Delivery and loading areas
- Annex A 7.10 Storage media merges: Annex A.8.3.1 Management of removable media; Annex A.8.3.2 Disposal of media; Annex A.8.3.3 Physical media transfer; Annex A.11.2.5 Removal of assets
Technological controls
- Annex A 8.1 User end point devices merges: Annex A.6.2.1 Mobile device policy; Annex A.11.2.8 Unattended user equipment
- Annex A 8.8 Management of technical vulnerabilities merges: Annex A.12.6.1 Management of technical vulnerabilities; Annex A.18.2.3 Technical compliance review
- Annex A 8.15 Logging merges: Annex A.12.4.1 Event logging; Annex A.12.4.2 Protection of log information; Annex A.12.4.3 Administrator and operator logs
- Annex A 8.19 Installation of software on operational systems merges: Annex A.12.5.1 Installation of software on operational systems; Annex A.12.6.2 Restrictions on software installation
- Annex A 8.24 Use of cryptography merges: Annex A.10.1.1 Policy on the use of cryptographic controls; Annex A.10.1.2 Key management
- Annex A 8.26 Application security requirements merges: Annex A.14.1.2 Securing application services on public networks; Annex A.14.1.3 Protecting application services transactions
- Annex A 8.29 Security testing in development and acceptance merges: Annex A.14.2.8 System security testing; Annex A.14.2.9 System acceptance testing
- Annex A 8.31 Separation of development, test and production environments merges: Annex A.12.1.4 Separation of development, testing and operational environments; Annex A.14.2.6 Secure development environment
- Annex A 8.32 Change management merges: Annex A.12.1.2 Change management; Annex A.14.2.2 System change control procedures; Annex A.14.2.3 Technical review of applications after operating platform changes; Annex A.14.2.4 Restrictions on changes to software packages
VI. Transitioning to ISO/IEC 27001:2022
The transitioning process from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 is expected to be completed in three years, starting from the publication date of ISO/IEC 27001:2022 (October 25, 2022). Organizations that are certified against ISO/IEC 27001:2013 can initiate the update of their ISMS based on ISO/IEC 27001:2022 at any time and the main workload is to implement the new controls of Annex A. Organizations can do so by taking the following steps:
- Conduct a gap analysis to understand their existing system and determine the changes required to fulfill the requirements of the new edition of the standard
- Assess the information security risks and determine the information security controls that should be implemented
- Review and update the risk treatment plan and the Statement of Applicability
- Review other ISMS documentation and the mapping with other frameworks or sets of controls, and update them as necessary
- Plan and conduct role-based training regarding the new standard requirements, if necessary
- Implement controls to meet new requirements
- Conduct an internal audit to assess the ISMS compliance, as required by clause 9.2 of ISO/IEC 27001:2022
- Contract a certification body to conduct an ISO/IEC 27001:2022 certification audit and obtain certification
If organizations already have an effective ISMS based on ISO/IEC 27001:2013, technology updates may not be necessary, but the ISMS documentation and associated processes should be reviewed and updated. However, the extent of the changes that are needed in an organization should be determined based on the results of the gap analysis and risk assessment.
Organizations should compare their existing controls with the new set of controls of Annex A, and update the risk treatment plan and the Statement of Applicability accordingly. In addition, other policies and procedures should be reviewed so they can reflect the changes of the new standard, such as the information security policy and procedures for management review, monitoring, measurement, analysis, and evaluation.
The certification upgrades will be made during surveillance audits, recertification audits, or separate audits. It should be noted that, at this time, certification bodies are in the process of being accredited to provide ISO/IEC 27001:2022 certification audits. According to the International Accreditation Forum, accreditation bodies must begin assessing certification bodies six months after the standard is published at the latest. Certification bodies, on the other hand, must complete their transition no later than 12 months after the publication of the standard.
VII. Conclusion
ISO/IEC 27001:2022 provides a systematic approach to ensure information security. Organizations that implement an ISMS based on ISO/IEC 27001:2022 not only demonstrate their commitment to protect their data, but also enable better business outcomes.
The new version of ISO/IEC 27001 was published in 2022 and is aligned with the latest edition of ISO/IEC 27002. This update was made in order to improve the standard and ensure that it reflects current and emerging information security risks and challenges. Since the previous version of the standard dates back to 2013, there have been significant changes in the information security landscape, including the evolution of technologies, an increase in cyberattacks, and the emergence of new privacy regulation.
The most significant changes in the new version are noticed in the information security controls of Annex A, where the number of controls has been reduced to 93. These 93 controls are organized into four themes: organizational controls, people controls, physical controls, and technological controls. Other changes to ISO/IEC 27001 are less significant and mainly technical. For the most part, changes are minor and can be applied with updates of the existing documentation and processes.
Authors:
Era Mustafa
Hana Govori
Contributors:
Adebayo Akinlabi
Ali AlEnezi
B M Zahid ul Haque
Steve Crutchley
Bevan Lane
Egzon Bunjaku
Eppo Luppes
Eric Van Loon
Fjolla Muhadri
Garry Barnes
Lena Connolly
Michel Fosse
Ramesh Venkataraman
Ruchika Sachdeva
Simphiwe Mayisela
¹ IBM. “Cost of a Data Breach Report 2022.” Accessed February 9, 2023. https://www.ibm.com/resources/cost-data-breach-report-2022
² Stone, Mark. “4 Most Common Cyberattack Patterns from 2022.” Security Intelligence. December 20, 2022. https://securityintelligence.com/articles/most-common-cyberattack-patterns-2022/