ISO 27001 and 27002 Changes in 2022 - What is in, what is out and what has changed?

October 28, 2022

Welcome to ISO 27001: 2022!

InfoSecAssure has completed an in-depth review of the changes made to ISO 27001 in 2022.  We have attempted to bring seemingly boring updates to you with a little bit of flair. Grab a Chai, Wine, Coffee or Kombucha and enjoy the update.

Nine years after its last publication ISO 27001 has been updated. Like any good information security standard (of which there are many, but this is our favourite!) it must eventually be updated to reflect the will of the people and the technology of the current world.

Key Highlights - 12 changes have been made to the mandatory ISO 27001 requirements including the addition of one new requirement. In Annex A 27002 there are 7 new controls and 7 have been scrapped, a number of controls have been merged and some definitions have changed.

What is ISO 27001 you ask?

If you need a reminder or you don’t know, ISO 27001 is an international standard that sets out requirements for establishing and maintaining an Information Security Management System.

The standard is developed by the Internal Standards Organisation - Joint Technical Committee JTC1 - Subcommittee SC27. Thanks team SC27 for your contribution to the information security community.

What is an Information Security Management System?

  • An Information Security Management System as described by  ISO 27001 (which we will now refer to as an ISMS) is an eco-system of polices, processes, technical and legal controls.
  • An ISMS is delivered in the form of business policies, processes, communication plans, risk assessment approaches and risk assessments, and governance of security controls.
  • The ISO 27001 standard also sets out mandatory requirements for setting information security objectives, ensuring necessary support for the ISMS such as providing resources and training, protecting relating documents and requiring an overall evaluation of the ISMS is implemented. Evaluation includes monitoring, analysis, auditing, management review and continual improvement.
  • Most importantly managing what the standard describes as non-conformity is a key part of the prescribed ISMS (non-conformity is SC27 speak for when the company can’t implement the mandatory controls set out by their own ISMS).

ISO 27001 has Two Parts.

Part 1 - ISO 27001

The first part are the mandatory requirements for your information security management system.

Part 2 - ISO 27002 Annex A

The second part is lovingly referred to as 27002 or Annex A 27002 and while some think that this is the standard itself it’s actually just an Annexure of the main standard.

  • Annex A or 27002 ❤️ is described by the standard as a list of possible information security controls that are not exhaustive and mentions that some organizations may put in place additional controls that are not listed in Annex A.
  • However… although 27002 is described as a “possible list of controls” the standard still requires any business who wants to achieve certification from an accredited Auditor to justify why they exclude any of the controls listed in the “potential control list. For this reason, that is why in the past and we are sure in the future, businesses will continue to treat all controls in Annex A 27002 as a checklist of everything they think have to do to achieve their 27001 certification.  
Now let’s move on to the main event.

What’s In, What's Out and What Has Been Changed?

Part 1: The Mandatory Requirements

In the old version of  ISO 27001 there were 26 detailed requirements and in the new version there is 30. However, there are a couple of requirements in the old version which have been split out into two in the new version so upon inspection we have found there’s only one new requirement.

11 Changes and One New Requirement

The New Requirement - 6.3 - Planning of Changes

This requirement states that when the organization determines the need for changes to the system that they will plan the changes. Seems reasonable but also seems to be a very similar requirement to 7.1 - Resources; which states that the organization should determine and provide resources needed for the maintenance and continual improvement of the system. Surely this includes the planning of changes? Nevertheless, just in case you forget to plan changes to your ISMS you can add writing the ISMS change plan to your ISO 27001 To Do list plan. Mmmm?

The other 11 Changes

Apart from that one additional requirement in ISO 27001 there are only a few other changes in the mandatory section which include:

Don't just consider interested party requirement, plan how you will actually meet them

4.1.2 - While understanding the needs of interested parties companies are now required to determine which of their interested parties requirements will be addressed through their ISMS.

Support your ISMS with actual operating processes

4.4 - While establishing, implementing, and maintaining their ISMS organisations also now need to include processes and their interactions. Good work! Makes sense, because you won’t believe how easy it is to implement a set of policies and standards without processes to support them.  So, for some businesses this will be a big change as the updated requirement will open the door for auditors to ask for copies of supporting processes and to test them. Uh oh!

Business is Business (or is it?)

5.1 l- Leadership and commitment - There’s an extra note saying the word "business" could be a broad interpretation. Ok.

Security is Your Job

5.3 - Top management still needs to ensure information security responsibilities/roles are assigned and communicated but they’ve now added a clarification that this should be “within the organization”.  We assume this is just in case you’re confused about who you were assigning your information security roles to. So, no you can’t ask your gardener to manage your security alerts!

ISO 27001 Annex A Control List No Longer Comprehensive (add more of your own)

6.1.3 - Under the existing information security risk treatment requirement that states businesses should compare controls identified to address their risks with Annex A the associated note has been changed to clarify that Annex A contains “a list of possible controls”, removing the words “a comprehensive list”. A note has been removed which previously said, “control objectives are implicitly included”.

Document and Monitor Your Objectives

6.2 - Information security objectives must now also be monitored and be available in a document.

How Now Brown Cow

7.4 - This requirement was simplified with the statement changing from “you must determine who you should communicate to and the processes you will use to communicate” to “how to communicate”, makes sense, thanks SC27!

Oh the Implications!

The note under 7.5.3 that relates to how documented information about your ISMS is controlled has changed from “access implies a decision” to “access can imply a decision”. Getting your implications correct is important.

Clause 6 - all of it.

In section 8.1 the organization still has to plan, implement and control the processes needed to meet the requirements and implement the actions but where in the last version they referred to just 6.1 and 6.2 now this requirement refers to all of Clause 6.

Outsourced = Externally Provided

Under 8.1 the term “Outsourced services” has been replaced with “externally provided services“.

Management Reviews to Consider Interested Parties

Under section 9.3 Management review inputs - the management review now needs to include the consideration of the needs and expectations of interested parties.

And that's a wrap for the 2022 changes in the mandatory section.

Like what your reading? Sign up here for our next update.

Part 2: Now let’s move on to  ISO 27001 Annex A (27002).

The biggest change in this part of the standard (which is actually referred to as the “document” instead of the “International Standard throughout the document) is that all of the controls have been regrouped into four categories:

  1. Organizational controls of which there are 37 [2 new].
  2. People controls of which there are 8 [0 new].
  3. Physical controls of which there are 14 [1 new].
  4. Technology controls which there are 34 [4 new].

So, expect to see lots of new diagrams in the coming years that look like something like this:

ISO 27002 new categories

The seven new controls which we welcome aboard are:

Get Smart

5.7 - Threat intelligence - This new "potential control" asks that you consider collecting and analyzing information about information security threats to produce threat intelligence.

Cloudy with a Chance of Security

5.23 -Information security for use of cloud services - Now this is an interesting addition because there is another standard, ISO 27017, which has a short list of information security controls related to cloud services which are noted as additions to 27002. I guess no one was reading 27017 so they’ve slipped one in here for good measure which makes sense given we are all using Cloud Services these days.

Watch People and Things

7.4 - Physical security monitoring - Great to see that physical security controls now have a monitoring aspect as previously although there was a list of physical security controls there was no mention of the actual monitoring controls so this is a great addition. Interestingly the document does not mention surveillance cameras or surveillance equipment, but I guess that’s covered by this physical security monitoring control as like many of the ISO 27001 controls they are broad enough to let businesses make their own decisions as to how to implement a control.

Document Your Settings - All?

8.9 - Configuration management - This is a big control requirement for some. It states that the organization must “establish, document, implement, monitor and review security configurations of hardware, software services and networks”. I hope you guys are good technical writing because there is a lot of documentation to be done now. However it doesn’t say “all” configurations so maybe it will be enough to take screenshots of all your settings. Auditors will rule the day on this one.

Delete Stuff You Don't Need

8.10 - Information deletion - Specifically called out in this standard this control requires organizations to delete information stored anywhere when it is no longer required. We assume that regulatory /compliance requirements for retaining information in some instances well prevent this control from being implemented but it has good intent and I am sure some companies who have been breached of late wished they had deleted a bit more of the information they were hanging onto. Don’t delete this document though :-)

The Mask

8.11 - Data masking - The classic data masking control.  They could’ve used the word obfuscation or a number of other words the community uses to say “redact, delete or hide data but they chose Mask. In particular they called out that data masking “must be used in accordance with a topic specific policy and access control and other related topic specific policies and business requirements taking into account applicable legislation”. Does this mean we’ll have to have a “Data masking standard”? Probably not as I think most of us can cover it off in an information classification standard which sets out all the handling requirements for different types of information just add “data masking requirements” and list out what type of information and when this control should be applied. "Ssssmokin" (reference to quote in the movie The Mask FYI)

Trapped in the Web Filter

8.23 - Web filtering - A new but familiar control it states that any access to external websites should be managed to reduce exposure to malicious content”. Think block listing or allow listing plus any other type of proxy management or filtering of the world wide web infinite data. Could include blocking JavaScript etc

So that’s the new in 27002, but what has been scrapped?

While we were able to match the control or primary intent of the control for 86 out of the 93 controls from the New Annex A to the Old Annex A there were 6 controls in the Old Annex A that were left hanging in the wind.

These include:

Something We All Need

9.4.3 - Password management system - there is no more specific password management system requirement in the new Annex A however that doesn't mean you don't need one!

Not taking my Laptop to Toilet Anymore

11.2.8 - Unattended user equipment - Removed from new version but most likely intent is covered by the new 7.3 physical security for offices rooms and facilities and 7.7 clear desk/ clear screen and 7.8 equipment sitting and protection.

Spam

13.2.3 - Electronic messaging - Thankfully removed because while we were all trying to secure our emails... what is email really? And what is life? Just another digital piece of data that gets sent using a certain technical protocol. There are many more channels we use to communicate with each other nowadays so it makes sense to focus the controls more broadly such as "protecting yourself from malware". But don’t turn off your spam filter yet! This is one of the additional controls that you could cleverly add to you “ISMS choose your own adventure control set”.

A Move to Thoughtful Secure Development

14.2.4 - Restrictions on changes software packages - Phew!’ this one was probably the most difficult control that any innovative business had to try and implement.  Have you ever tried to get a software house to restrict people changing software packages! What did this mean anyway, was it the settings they were referring to, cracking the code or just the general gist of the software? See you later software package change restrictions and Welcome Home Secure Development Lifecycle to your rightful place!

Why were the InfoSec teams doing System Acceptance Testing anyway? (and did they ever actually do it?)

14.2.9 - System acceptance testing - Which does sound very similar to 8.29 but it’s not because 8.29 in the new standard is "Security testing processes" not "system acceptance testing". So, like any good information security person we can now leave system acceptance testing to the technology and business teams (Unless you are a start-up or small business in which case you are probably doing all of it!)

The Law of Secrets

18.1.5 - Regulation of cryptographic controls - Cryptography is now covered by 8.24 but it no longer refers to ensuring your cryptographic controls meet legislative or regulatory requirements.

Technical Test vs Technical Compliance

18.2.3 - Technical compliance review - this one is now sort of covered by the new 5.36 but the 5.36 audit requirement in the new standard does not cover or point out that the audit or review of controls must be of a technical nature. So, ladies and gentlemen there’s nothing in the standard now that says you have to do a pen test, OK, But You Should!  and maybe the Security Testing control in the. new standard is intended to cover this old control.

Our next update will be a rundown of the differences between the control requirements in the new Annex vs Old Annex A plus we will be looking at what new evidence auditors may ask you for in future certifications auditor or surveillance reviews.

Sign up for the next update!

Subscribe here to get Part 2 and 3 of our ISO 27001: 2022 Change Analysis.

Secure your business.

"assurance"

confidence or certainty in one's own abilities.

“The business has given us assurance that they have security in place to protect our information”

Our Difference

Established and lead by industry experts.

At the helm of our privately owned, global RegTech firm are industry experts who understand that security controls should never get in the way of business growth. We empower companies large and small to remain resilient against potential threats with easily accessible software solutions for implementing information security governance, risk or compliance measures.

We support businesses every step of the way.

We don't just throw a bunch of standards at you and let you try and figure it out! We have designed a thoughtful way of supporting all businesses consider, articulate and develop security controls that suit the needs of the organisation and provide clever reporting capability to allow insights and outcomes from security assessments to be leveraged by the business and shared with third parties.

Our customers are the heart of our company.

Our platform places customers at the heart of our design process, while providing access to expert knowledge. With simple navigation and tangible results, we guarantee that all data is securely encrypted at-rest and in transit with no exceptions – meeting international standards with annual security penetration testing and ISO 27001 Certification.