ISO 27001:2022 Is Here

By Scott Dawson
October 25, 2023

The latest version of ISO 27001 has arrived. Published on October 25, 2022, the new version (ISO 27001:2022) brings important updates to the standard. Initial ISO 27001 audits starting November 1, 2023, will be conducted to the 2022 standard. If you are already ISO 27001 certified, there will be a three-year transition period to update to the new revision ending on October 31, 2025. What has changed and what does it mean for your business?

What is ISO 27001?

Before we begin, here’s a quick refresher on the background of ISO 27001. If you’re already familiar with the existing standard, feel free to skip down to the next section and read about the updates.

ISO 27001, sometimes written ISO27001, is an Information Security Management System (ISMS) standard. It sets internationally accepted best practices for information security to help you protect the confidentiality, integrity, and availability of your information. Cybersecurity plays a major role in the standard, but the requirements also cover the protection of physical information assets.

In today’s digital world, information security matters more than ever. Customers want to know their information will stay secure. It only takes one security breach to destroy a company’s reputation. By helping you protect your information, ISO 27001 helps you protect your brand and your customers.

To do this, it employs a set of security controls found in Annex A of the standard. That’s where you’ll find the biggest updates to ISO 27001. Annex A contains a brief overview of the security controls, but you can find more detail in the additional ISO 27002 reference standard.

What Has Changed In ISO 27001?

The previous version of ISO 27001 was released in 2013. But the world has changed since then. Information security threats have grown more complex. Our methods for preventing them need to match.

Earlier in 2022, ISO 27002 (the source of ISO 27001’s security controls) received its 2022 revision. Now the ISO 27001 requirements have been updated to match.

The New Version Contains 93 Controls

ISO 27001:2013 contained 114 security controls. The new version contains 93. Some of the previous controls have been removed, others have been merged, and some are completely new, designed to help organizations like yours face the changing world of security threats.

The 11 Newly Added Security Controls:

• Threat intelligence
• Information security for the use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

Four Control Groups

ISO 27001:2022 organizes its controls into four control groups. A note of clarification before we dive deeper: these control groups take their numbering from the ISO 27002 standard, so they are numbered 5-8. Don’t worry, you’re not missing groups 1-4; it’s just a quirk of the numbering system.

The Control Groups are Organized as Follows:

5. Organizational Controls

This group, the largest of the four, contains 37 controls. These controls deal with your organization and its processes. Among them, you will find controls such as the return of assets.

6. People Controls

This group contains 8 controls dealing with the people in your organization and the way they interact with your information. It includes controls such as information security awareness training.

7. Physical Controls

This group contains 14 controls to address the physical aspects of information security, such as facility access and printed information. It features controls such as the clear desk and clear screen policy.

8. Technological Controls

This group contains 34 controls, and it requires more technical expertise than the other groups. It deals with the cybersecurity aspect of information security, and it contains controls such as protection against malware.

Remember: not every organization needs to meet every control. You choose the controls that apply to you. If you believe a control doesn’t apply to you, you’ll need to justify that exclusion in your statement of applicability.

Lastly, the updated standard provides attributes to help you organize and prioritize the controls.

These Five Attributes are:

• Control type
• Cybersecurity concept
• Information security properties
• Operational capabilities
• Security domains

Keep in mind: Because of all this renumbering and reorganization, you will likely need to update the labeling of your documents, even if the actual security controls you employ haven’t changed.

In addition to these changes, there are a few minor changes to some clauses to align the standard with Annex SL (the high-level structure shared by ISO management system standards).

The ISO 27001:2022 Transition Timeline

As of October 25, 2022, companies can begin certifying to the updated standard. But if you’re still following ISO 27001:2013, or if you’re in the process of certifying to ISO 27001:2013, don’t panic! You have a bit more time.

You can still certify to ISO 27001:2013 until October 31, 2023. Happy Halloween! But pay attention, because some registrars might stop certifying organizations to the 2013 version before this date. If that’s the case, you may need to switch registrars or transition sooner.

The true hard deadline comes in three years, on October 31, 2025. At that point, everyone certified to ISO 27001:2013 must recertify to ISO 27001:2022. No new ISO 27001:2013 certifications will be offered at this point.

ISO 27001:2022 Transition Explained

Everyone certified to ISO 27001 will face some extra work over the next few years, even if that just means re-labeling your documents and controls. But depending on the scope of your ISMS, you might have up to 11 new controls to implement. Don’t assume this will be a quick and easy project.

It’s best to begin now. That way, you won’t be caught off guard by the upcoming changes, and you’ll have plenty of time to figure out the new technical controls.

Plus, these new controls will help your business. Cybersecurity threats are real, and they can bring down an organization overnight. The updated ISO 27001 standard can help protect your information from today’s threats.

How Core Can Help

At Core Business Solutions, we specialize in helping small businesses achieve ISO certification and information security. Our team of ISO and cybersecurity experts has real industry experience. We know what it’s like to run a small business and we know the threats and complications you face today.

Some of the new ISO 27001 controls may seem daunting. But they don’t have to be. At Core Business Solutions, we offer consulting, training, online tools, and technical solutions to make certification simple and effective.

Simply put: We take on the complicated parts of information security so you can focus on your business.

Contact us or give us a call at 866.354.0300 to learn more.

About Scott Dawson

Since 2010, Scott Dawson, President of Core Business Solutions, has been an active voting member of the U.S. Technical Advisory Group (TAG) to ISO Technical Committee 176 (TC 176). TAG 176 members meet to discuss and develop U.S. positions for Quality Management standards, including ISO 9001:2015, which will be revised in 2025.
