The anticipated update to ISO/IEC 27001:2022 has officially been released following the update to ISO/IEC 27002:2022 earlier this year. This update has seen minor changes to the requirements of the standard with more extensive clarifying changes made to the controls outlined in Annex A. The standard also has a new "full name" - ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.
With many Digital Service Providers (DSPs) currently meeting ISO 27001 to fulfil their security requirement obligations, this update means that DSPs will need to comply with the updated standard over the next three years.
What is ISO 27001?
ISO/IEC 27001:2022, or just ISO 27001 as it's commonly shortened to, specifies the policies, processes and controls to establish, maintain and improve an Information Security Management System (ISMS) within an organisation. Annex A of ISO 27001 then outlines each of the controls that you should implement to meet ISO 27001.
What is ISO 27002 and how is it different?
ISO 27002 provides detailed implementation guidance for the security controls contained within Annex A of ISO 27001, allowing you to better understand each of the controls. There is then a further standard, ISO 27017, that contains controls based on ISO 27002 and is written specifically for cloud services.
Summary of changes
The 2022 version is not radically different to the 2013 version, but it is a major refinement to the standard with nearly a decade of experience and input being incorporated.
Here's an overview of what's changed:
State of the art
The 2022 update brings the standard up to date with modern risks and deployments, e.g. cloud services, privacy and current threats.
Alignment
ISO 27001 is now aligned with the NIST Cybersecurity Framework and its "five functions": identify, protect, detect, respond and recover. This makes ISO 27001 much easier to achieve for those organisations that have already implemented NIST controls.
Control rationalisation
ISO 27001 now has a much neater set of controls. Every control has been reviewed and updated, with many merged and new controls added to reflect current developments and practices.
There are now 93 controls (previously 114):
- 24 controls were merged
- 11 controls are new:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The 93 controls are now organised into four themes (previously 14 control domains):
- Organisational - 37 controls
- People - 8 controls
- Physical - 14 controls
- Technological - 34 controls
Terminology
The terminology has been thoroughly revised. ISO 27001 (and the rest of the 27000 series) is now properly positioned as the foremost international standard in security. Each control now has a 'Purpose' statement and a set of 'Attributes' that relate the control to cybersecurity concepts and other security best practices. Previous references to "code of practice" have been removed.
Attributes
The newly added attributes are a means of categorising controls. ISO 27002 defines a set of #hashtags that provide an additional taxonomy to make security documentation easier (especially risk assessment and the Statement of Applicability) and to align with other security standards, especially NIST.
Control types: #Preventive #Detective #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Detect #Respond #Recover
Security domains: #Governance_and_Ecosystem #Protection #Defence #Resilience
Operational capabilities: #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance
What do you need to do now?
If you're currently certified under ISO 27001, you'll have about three years to transition and comply with the new requirements and controls. We may even see organisations making the move to the 2022 version sooner rather than later as the update provides greater clarity on each of the controls.
On the other hand, if you're currently working through getting certified or looking to do so soon, you'll likely be certified under the new version. This is why we recommend looking at the 2022 version for up-to-date information and guidance.
We anticipate that more information will be available to DSPs from the organisations that require ISO 27001 as part of their security certifications.
Last Updated: 11 January 2024.