Last Updated on February 23, 2024
ISO 27001:2022—Insights into What’s New
Global IT, cybersecurity, and privacy landscapes have changed massively since 2013. So, it’s no surprise that the ISO 27001 information security standard changed in some important ways from its 2013 version to the new ISO 27001:2022. This post looks at the highest impact changes in relation to the overall goals of the new version.
Most changes are in Annex A
The ISO 27001:2022 management system guidance and language (clauses 4 through 10) remain largely unchanged from the prior version, with just a few minor updates. The bulk of the change is in the Annex A controls, which are also covered in ISO 27002:2022.
Many additions and revisions in Annex A relate to the greatly expanded use of cloud services and the growing importance of privacy regulations since 2013. The new ISO 27001 does not match the level of rigor found in the “specialized” standards for cloud and privacy, such as ISO 27701, ISO 27018, and ISO 27017. However, ISO 27001’s title has changed from “Information Technology – Security Techniques” to “Information Security, Cybersecurity and Privacy Protection” in light of the wider control coverage.
A few of the newly added controls point directly toward protecting personally identifiable information (PII), such as 8.10 Information Deletion and 8.11 Data Masking, and to a large extent 8.12 Data Leakage Protection as well.
What about cloud security?
To address cloud services, ISO 27001:2022 adds control 5.23 Information Security for Use of Cloud Services. This preventive control describes at a high level what policies and procedures are needed to govern information security as it pertains to acquiring, using, managing, and exiting from commercial cloud services.
Over about two pages, the 5.23 guidance covers evaluating cloud service providers for security, ensuring you can move your data smoothly to a new provider, and more. One area that Annex A 5.23 doesn’t cover is security for cloud service providers themselves.
Compliance with this control would largely eliminate the need for compliance with ISO 27017 for organizations that use cloud services. However, cloud service providers will still benefit from ISO 27017 compliance.
Other areas of emphasis
While ISO 27001:2013 looked at configuration management in the context of network security and software development security, ISO 27001:2022 includes 8.9 Configuration Management as a separate, auditable control. This will ensure that a company’s information security management system (ISMS) includes a policy that describes configuration management practices, processes, cross-checks, hardening standards, etc.
Another net new control is 5.7 Threat Intelligence, which covers activities like following special interest groups, gathering vulnerability data, getting notifications about zero-day threats, and so on. Many businesses may have been conducting threat intelligence in some form already, but now the guidance around documenting that in a policy is more explicit.
An additional area where best practices have been formalized is business continuity. 5.2.3 ICT Readiness for Business Continuity, similar to the ISO 27031:2011 standard last reviewed in 2020, covers ways to improve ICT readiness to help ensure IT disaster recovery/business continuity. Many firms with robust cybersecurity postures were probably already looking at business continuity as part of recovery planning, but this control makes the requirement explicit.
Use of attributes
A new addition to ISO 27001:2022 is attributes, aka #hashtags. These tags specify control types (#preventive, #corrective, #detective), key cybersecurity concepts (identify, detect, protect, respond, recover), operational areas (application security, asset management, identity and access management, etc.), and other information regarding controls.
Attributes offer additional visibility and insight into each control, so that organizations can take a fresh look at their ISMS with an eye toward improvements.
Annex A now provides some guidance on how to use attributes to improve your control coverage. For example, if you have only #detective controls in an area, you may need to add #preventive and/or #corrective capabilities to ensure your controls have adequate flexibility to mitigate risk.
What’s next?
For more guidance on this topic, listen to Episode 118 of The Virtual CISO Podcast with guest Andrew Frost from Pivot Point Security.