Highlights of changes ISO 27001
Dec. 13 2022
November 2022 saw the publication of a new version of the ISO 27001:2022 standard. Companies certified according to the ISO 27001 standard will mainly notice these changes in the security checks of Appendix A. The ISO 27002 was already updated on February 15, 2022. This update forms the basis for changes to Appendix A of the ISO 27001 standard.
In Appendix A, ISO 27001 only provides requirements for security checks and does not explain how to implement them. ISO 27002 deals with the same guidelines, but additionally also indicates how to implement them. Appendix A can be regarded as an "index" to the ISO 27002:2022 standard.
The 2022 updates apply to the security checks in ISO 27002. Appendix A to ISO 27001 has also been updated to reflect these changes.
The ISO 27001 standard helps organisations protect the confidentiality, integrity and availability of their information. These three elements form the basis of good information security. ISO 27001 helps protect information in any form. Cybersecurity, which protects digital information, plays an important role in this.
But why was the standard updated?
All ISO standards go through a revision process at least once every five years, but not every revision entails major changes. However, in the case of ISO 27002, a recent revision brought some important updates.
This is not without reason. After all, almost a decade has passed since the last major revision. A lot has changed in that one decade. The nature of cyber threats has evolved and become more complex. New technologies have been introduced and more and more companies work virtually with cloud applications.
Information security in 2022 is simply not the same as it was in 2013. It requires more vigilance and diligence than ever before. The changes to Appendix A of ISO 27002 may therefore require some additional effort.
What has changed?
Although the clauses of the ISO 27001 standard have not been changed, the supporting standard ISO 27002 has been thoroughly revised. These changes are reflected in Appendix A of the ISO 27001 standard.
The security checks in Appendix A represent a major part of the technical work for implementing ISO 27001. Although only Appendix A has changed, the update therefore affects the entire management system.
The previous version of Appendix A (ISO 27001:2013) contained 114 checks in 14 chapters. The new version contains 93 checks in 4 chapters. Technically, the new version contains fewer checks, but much of this reduction is due to redundant checks being removed or merged.
In fact, ISO 27002:2022 adds 11 new checks to Appendix A, adding new layers of information security to the standard:
- Threat Intelligence (A.5.7 Threat Intelligence)
- Information security when using cloud services (A.5.23 Information security when using cloud services)
- ICT readiness for business continuity (A.5.30 ICT readiness for business continuity)
- Physical security monitoring (A.7.4 Physical security monitoring)
- Configuration Management (A.8.9 Configuration Management)
- Deleting Information (A.8.10 Deleting Information)
- Data Masking (A.8.11 Data Masking)
- Prevention of data leaks (A.8.12 Prevention of data leaks)
- Monitoring Activities (A.8.16 Monitoring Activities)
- Web filtering (A.8.23 Web filtering)
- Secure Coding (A.8.28 Secure Coding)
In addition, the updated version of the standard requires documented working procedures, while the previous version only required a policy. A policy provides an organisation with goals and indicators for your information security management system. Procedures, on the other hand, also include the operational steps you will take to achieve these goals. With these newly required procedures, the documentation part of the certification process also becomes more in-depth.
At this point, it may seem that the changes have only increased the completeness of Appendix A, but these major updates also provide clearer guidance.
The updated version also offers a new check-organisation chart. Security checks are now classified, based on five attributes:
- Standard check
- The concept of cyber security
- Characteristics of information security
- Operational Capabilities
- Security domains
These new attributes help companies prioritise the right checks based on their context. For example, if your primary concern is confidentiality, you can use these attributes to rank checks based on a single information security property.
To sum up, the 2022 updates add additional responsibilities to the ISO 27001 certification, but also provide clearer guidance and organisation.