Information Security

What does the change to the ISO 27001 standard mean for my organization?

ISO standards are, as a rule, updated every 5 years. The current ISO 27001 standard dates from 2017, so it was high time for an update. The result is the ISO 27001:2022 standard. This article discusses the main changes, the associated standards and the impact these changes will have.
This article was last updated on 14/5/2024.

What are the main changes?

The changes affect Annex A of ISO 27001. The most important changes are listed below:

1. The arrangement of chapters has been changed;
From 14 chapters with management measures to a clearer division into 4 chapters:

  • Organizational
  • Staff
  • Physical
  • Technology

This was done to more clearly link management measures to appropriate responsibilities.

2. Controls have been merged;
Some of the controls from the ISO 27001:2017 standard have been merged, making Annex A more compact and general. From 114 controls in total, 93 now remain. This is a step toward a more future-proof standard.

3. 11 new management measures have been added;
The updated measures respond to modern trends, such as the normalization of the use of "Cloud services," "secure coding" and "data masking."

4. The introduction of attributes to management measures;
Attributes, or properties, have been added to management measures. This is a way to categorize management measures. The attributes added are:

  • Type (preventive, detective or corrective);
  • IS properties (availability, integrity or confidentiality);
  • Five functions of Cybersecurity (identify, detect, protect, respond and recover);
  • Operational capability (e.g., business continuity and data protection);
  • Security domain (Defense, Resilience, Protection, Governance and Ecosystem).

Associated standards

In addition to impacting the ISO 27001 standard, the change affects other standards. Consider:

  • NEN 7510: Information security for healthcare;
  • BIO: Government Information Security Baseline;
  • BIC: Baseline Information Security (Housing) Corporations;
  • ISO 27701: Privacy information management;
  • ISO 27017: Specific risks and measures for customers ("Cloud service customer") and suppliers ("Cloud service provider") of cloud services; and
  • ISO 27018: Cloud providers processing personal data.

How might these changes affect your organization?

If your organization is already certified to ISO 27001, there will be no short-term impact. There is a transition period of a few years for already certified organizations. This means that the full audit cycle can be completed using the current version of the standard. This transition period starts when ISO 27001 is officially updated.

For organizations without ISO 27001 certification, it is wise to take the new 27001 standard into account during implementation; this can save you a lot of work in the future.

Conclusion

In short, with a rapidly changing subject like information security, it was high time for an update to the ISO standard. ISO 27001:2022 is more future-proof and thus takes more account of the pace of innovation. This in turn requires more of your organization's own interpretation of the standard's requirements. In addition, the expanded categorization mechanisms offer more opportunities to clarify which management measures lead to which output in the field of information security.

As for actions to take now, I can reassure you: nothing needs to be done right now. As soon as the 27001 standard is amended, a few more years will follow in which your organization can make the necessary adjustments to your ISMS, and only then will it become a hard requirement for ISO 27001 certification. Should you wish to obtain an ISO 27001 certificate now, it is valuable to set up the ISMS so that you can easily move to the upcoming version. For example, instead of the 14 chapters, you could already start working in the 4-chapter structure with the categorization attributes of ISO 27001:2022.


For the clarity of your ISMS, ISO 27001:2022 is definitely a positive influence. The Transition Scan ISO 27001:2022 helps your organization adapt the management system to comply with the new standard.

Ruben den Dulk
Information Security Consultant