White Label Consultancy | 20th October 2022

ISO/IEC 27001:2022 Updates

ISO/IEC 27001 is widely known as the de facto information security standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system.  

The first version of ISO/IEC 27001 was published in 2005, having evolved from the BS 7799 standard. The second iteration was published in 2013, and in the final months of that iteration the updated version was finally published on 25th October 2022.

2022 Updates

A new version is inevitable, given the progress and maturity of the cybersecurity industry. Furthermore, the way of working, even before the forced change due to the pandemic, has been steadily evolving towards remote / hybrid / work-from-anywhere arrangements, and this demands updated security guidelines and controls.

The details of the revisions are in the List of Specific Changes (see below).

In summary, the new ISO/IEC 27001:2022, in combination with ISO/IEC 27002:2022, is now much more closely aligned with recent cybersecurity trends and technologies and with the corresponding threats and vulnerabilities they bring. In addition, the new structure and categorization, together with matching control attributes, enable better interoperability and cross-referencing with other well-known standards and frameworks, such as the NIST Cybersecurity Framework. This benefits organizations that choose to adopt more than one standard or framework in their journey to secure their organization. As ISO states, cybersecurity compliance is much more than a tick-box exercise for your organization; it is a roadmap towards excellence in information security.

What’s Next

The ISO/IEC 27001:2022 version will be translated or localized for each country in the following months. Do check with your local standards bodies for updates. 

Accreditation bodies around the globe will be ready to perform certification on the 2022 version beginning late Q1 – early Q2 2023.  

For organizations that are certified with the 2013 version and are looking at recertification, or that are considering getting certified for the first time with the 2022 version, White Label Consultancy can assist by simplifying the certification journey, evaluating and prioritizing the relevant controls needed for certification, and strengthening your organization’s security posture in the long term.

ISO 27001 Assessment and Implementation Readiness

White Label Consultancy has a comprehensive program to assist your organization’s journey from initial assessment to implementation to certification readiness. We start with a clear scope definition and gap analysis to assess your company’s current readiness level. The discovery phase will facilitate a holistic risk assessment, followed by strategic prioritization to implement relevant controls to treat the identified risks, resulting in a clear readiness implementation plan for your organization to prepare for the certification audit.

Why choose White Label Consultancy?

  • Extensive cybersecurity strategic, tactical, operational, and implementation experience in various industries and technology sectors
  • Certified ISO/IEC 27001 Lead Implementer
  • WLC’s proven methodology, leveraging best-practice processes, templates, and guidelines for each phase of the certification journey
  • A balanced approach that weighs certification compliance requirements against relevant security controls tailored to your organization’s needs and priorities


List of Specific Changes

The following details the revisions of the 2022 version.

The first set of changes is to the core document, with a focus on the lifecycle processes of the Information Security Management System (ISMS), such as implementation, maintenance, change control, and operations:

  • Removal of the Executive Summary section
  • Updated Foreword section 
  • Updates to Clause 3
    • Additions on reference URLs
  • Updates to Clause 4.1
    • Revised Sub-clause reference to a newer version of ISO 31000 in the Note section 
  • New Sub-clause 4.2 c)  
  • Updates to Clause 4.4
    • Requirement to define your processes and their interactions needed to implement and maintain your ISMS 
  • Addition of a Note to Clause 5.1 
  • Updates to Clause 5.3
    • Explicit requirement to communicate organizational roles relevant to information security within the organization
  • Updates to Clause 6.2
    • New requirement to monitor information security objectives by addition of Sub-clauses d) and g) 
  • Addition of Clause 6.3 ‘Planning of changes’ 
  • Updates to Clause 7.4
    • New requirement to ensure the organization determines how to communicate, in addition to what, when, and with whom, by collapsing and rewording the previous Sub-clauses d) and e)
  • Updates to Clause 8.1
    • New requirements to establish criteria for operational processes and to implement control of those processes
    • Replaced ‘outsourced’ with ‘externally provided’ and expanded its scope to reflect the industry trends 
  • Updates to Clause 9.2
    • Reorganized into Clause 9.2.1 ‘General’ and 9.2.2 ‘Internal audit programme’
  • Updates to Clause 9.3
    • Reorganized into Clause 9.3.1 ‘General’, 9.3.2 ‘Management review inputs’, and 9.3.3 ‘Management review results’
    • New Sub-clause 9.3.2 c)
  • Clauses 10.1 and 10.2 swapped: Clause 10.1 is now ‘Continual improvement’ and Clause 10.2 is now ‘Nonconformity and corrective action’
  • Overall: Minor numbering (clauses) restructuring to align with the harmonized approach 
  • Overall: Rearranging of some English sentences and constructs to allow for easier and more accurate translation into other languages. This should result in localized non-English versions being published earlier than previous versions. 
  • Overall: ‘International Standard’ replaced with ‘document’ throughout

The second set of changes realigns Annex A to map directly to ISO/IEC 27002:2022, published earlier this year.

  • Removal of references to control objectives, which no longer exist in either Annex A or ISO/IEC 27002:2022
  • The 14 Control Objectives have been revamped into 4 Control Categories, namely Organizational, People, Physical and Technological Controls
  • The 114 Controls have been revamped and consolidated into 93 Controls, with new topics such as:
    • Threat intelligence 
    • Information security for the use of cloud services 
    • ICT readiness for business continuity 
    • Physical security monitoring 
    • Configuration management 
    • Information deletion 
    • Data masking
    • Data leakage prevention 
    • Monitoring activities 
    • Web filtering 
    • Secure coding