
VCIDevTeam

The changes of ISO/IEC 27001:2022

The global digital landscape is changing. New business practices and Industry 4.0 have become ubiquitous, and core business processes are increasingly cloud-based and digitally dependent.
In response, the ISO/IEC 27001 information security management standard and the ISO/IEC 27002 information security controls standard have been updated to reflect this development.

1. The change in the Title

After updating, in the ISO/IEC 27001:2022 version, the new title of the standard is "Information security, cybersecurity and privacy protection – Information security management systems – Requirements".

2. The change in the Clauses

The clause structure of ISO/IEC 27001:2022 remains the same as in the 2013 version, but some changes have been made to align it with other ISO management standards:
• Clause 4.2: Understanding the needs and expectations of interested parties
A new subclause has been added, requiring the organization to determine which interested-party requirements will be addressed through the ISMS.
• Clause 5.3: Organizational roles, responsibilities and authorities
A minor language update has been made to clarify the scope of communication regarding information security-related roles within the organization.
• Clause 6.2: Information security objectives and planning to achieve them
This clause now requires that objectives be regularly monitored and formally recorded.
• Clause 6.3: Planning of changes
This new clause establishes a requirement for planning changes to the ISMS: if changes to the ISMS are necessary, they must be carried out in a planned manner.
• Clause 7.4: Communication
Sub-clauses a to c remain the same. The former sub-clauses d (who shall communicate) and e (the processes by which communication shall be effected) have been simplified and combined into a new sub-clause d (how to communicate).
• Clause 8.1: Operational planning and control
Additional requirements have been added for operational planning and control. The ISMS now needs to establish criteria for the actions identified in Clause 6 and to control those actions in accordance with the criteria.
• Clause 9.2: Internal audit
This clause has been reorganized, but not significantly: sub-clauses a and b now form Clause 9.2.1, and the remaining sub-clauses form Clause 9.2.2.
• Clause 9.3: Management review
A new sub-clause has been added to clarify that the organization's management review will include consideration of any changes to the needs and expectations of interested parties.
• Clause 10: Improvement
This clause has been restructured to list Continual improvement (10.1) first, followed by Nonconformity and corrective action (10.2).

3. The change in the Annex A

The title of this Annex has been changed from "Reference control objectives and controls" to "Information security controls reference", and the standard now uses the term "Purpose" instead of "Objective".
• Changing the structure of Controls
In ISO/IEC 27001:2022, the controls have been regrouped from the 14 groups of the 2013 edition into only 4 themes:
o Organizational controls: 37 controls.
o People controls: 8 controls.
o Physical controls: 14 controls.
o Technological controls: 34 controls.
• The creation of Attributes
New to this version is the introduction of attributes, denoted by the hashtag symbol (#). These attributes can be used to group and filter similar controls. Because the attributes are optional, each organization can also define its own attributes to meet its needs. The five attribute types defined in the standard are:
o Control Type: Preventive, Detective, Corrective.
o InfoSec Properties: Confidentiality, Integrity, Availability.
o Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover.
o Operational Capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, Information security assurance.
o Security Domains: Governance and Ecosystem, Protection, Defence, Resilience.
• New controls
Eleven new controls have been added to Annex A: 5.7, 5.23, 5.30, 7.4, 8.9, 8.10, 8.11, 8.12, 8.16, 8.23, 8.28.
• Merged controls
The latest version, ISO 27001:2022, has merged multiple controls with similar content. Specifically, 56 controls from ISO 27001:2013 have been merged into 24 new controls. One case runs the other way: control A.18.2.3 in ISO 27001:2013 now maps to two controls in ISO 27001:2022, 5.36 and 8.8.
• Updated controls
There are 58 controls that have been updated to be more appropriate and better linked together. Of these, 24 controls have been renamed, while the remaining 34 keep the same name and have only changed their numbers and their order.

CONCLUSION

ISO/IEC 27001:2022 has been revised and updated to better suit the current information security situation, specifically:

There are a number of editorial changes, including:
o "International Standard" is replaced throughout by "document".
o Some English phrases have been rearranged to facilitate translation of the standard.
Clauses 4 to 10 have some minor changes.
The major changes in the revision are contained in Annex A, reflecting the changes expressed in ISO/IEC 27002:2022. These changes are:
o The structure has been consolidated into 4 main themes, Organizational, People, Physical and Technological, instead of the 14 groups in the previous edition.
o The number of listed controls has been reduced from 114 to 93. No control has been dropped outright: some controls have been consolidated, new controls have been introduced, and others have been updated.
o A new concept of attributes has been introduced. In line with common terminology used in digital security, the 5 attribute types are: Control Type, InfoSec Properties, Cybersecurity Concepts, Operational Capabilities, and Security Domains.
Correspondence of controls in ISO/IEC 27001:2022 with ISO/IEC 27002:2013 (correspondence tables shown as images in the original post)
By VNPT Cyber Immunity - VCI
