
What does the change to the ISO 27001 standard mean for my organization?


ISO standards are generally revised every five years. The current ISO 27001 standard dates back to 2017, so it was high time for an update. The result is the ISO 27001:2022 standard. This article discusses the most important changes, the associated standards and the impact these changes have on your organization.


This article was last updated on 24.03.2026.
Written by Kilian Houthuijzen, Commercial Manager & Partner.

What are the most important changes?

The changes affect Annex A of ISO 27001. The most important changes are listed below:

1. The layout of chapters has changed;

The control measures have moved from 14 chapters to a clearer division into 4 chapters:

  • Organizational
  • People
  • Physical
  • Technological

This was done to more clearly link the control measures to the right responsibilities.

2. Control measures have been merged;

Some of the controls in the ISO 27001:2017 standard have been merged, making Annex A more compact and more general. Of the original 114 control measures, 93 remain. This is a step towards a more future-proof standard.

3. 11 new control measures have been added;

The new control measures respond to current trends, such as the standardization of the use of "cloud services", "secure coding" and "data masking".

4. The introduction of attributes to control measures;

Attributes, or properties, have been added to the control measures as a way of categorizing them. The added attributes are:

  • Control type (preventive, detective or corrective);
  • Information security properties (confidentiality, integrity or availability);
  • Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover);
  • Operational capabilities (e.g. business continuity and data protection);
  • Security domains (Governance and ecosystem, Protection, Defence and Resilience).

Associated standards

Besides ISO 27001 itself, the change also affects other standards that build on it. These include:

  • NEN 7510: Information security for healthcare;
  • BIO: Baseline Informatiebeveiliging Overheid (Government Information Security Baseline);
  • BIC: Baseline Informatiebeveiliging Corporaties (Baseline Information Security for Housing Corporations);
  • ISO 27701: Privacy information management;
  • ISO 27017: Specific risks and measures for customers ("cloud service customer") and suppliers ("cloud service provider") of cloud services; and
  • ISO 27018: Cloud providers that process personal data.

How can these changes affect your organization?

If your organization is already certified according to ISO 27001, there will be no impact in the short term. Organizations that are already certified get a transition period of a few years, which means the entire audit cycle can still be completed against the current version of the standard. This transition period commences as soon as ISO 27001 is officially updated.

For organizations without an ISO 27001 certificate, it is wise to take the new 27001 standard into account from the start of the implementation; this can save you a lot of work in the future.

Conclusion

In short, with a rapidly changing topic such as information security, it was high time to update the ISO standard. ISO 27001:2022 is more future-proof and therefore takes more account of the pace of innovation. This also requires more of your organization's own interpretation of the requirements of the standard. In addition, the extended categorization mechanisms offer more opportunities to clarify which control measures lead to which outcomes in the field of information security.

In terms of actions that need to be taken now, I can reassure you: at the moment, nothing needs to be done yet. Once the 27001 standard has been amended, there will be a few more years in which your organization can make the necessary adjustments to your ISMS, and only then will it become a hard requirement for an ISO 27001 certificate. If you want to achieve an ISO 27001 certificate now, it is valuable to set up the ISMS in such a way that you can easily switch to the upcoming version. For example, instead of the 14 chapters, you could already start working in the 4-chapter structure with the categorization attributes of ISO 27001:2022.

ISO 27001:2022 definitely has a positive influence on the clarity of your ISMS. The Transition Scan ISO 27001:2022 helps your organization adapt its management system to meet the new standard.
