
ISO 27001:2022 Updates for Robust Information Security Management
Information security is a critical concern in today's business environment, and ISO 27001 is recognized as the international standard for information security management. A new version of the standard, ISO 27001:2022, was published on October 25, 2022. This article covers the most noteworthy updates and their relevance for organizations protecting sensitive information.
1. Improved controls and new areas of focus
The latest version of ISO 27001 improves existing controls and addresses new areas of concern in information security. Some controls have been updated and expanded, and 11 new security controls have been added to reflect current technology trends and emerging threats. These cover areas such as:
- Threat intelligence.
- Information security for the use of cloud services.
- ICT preparedness for business continuity…
- Physical security monitoring.
- Configuration management.
- Information exclusion.
- Data masking.
- Data leakage prevention.
- Monitoring activities.
- Web filtering.
- Secure encryption.
In the previous version the controls were grouped into 14 categories; the new version goes from 114 controls in 14 groups to 93 controls in 4 groups.
These groups are:
- Organizational
- Persons
- Physical
- Technological
2. Extended consideration of the organizational context:
Clause 5.3 of the standard establishes the importance of clearly communicating information security roles at all levels of the organization. ISO 27001:2022 also highlights the importance of understanding the organizational context in information security management. Organizations must now take a detailed look at their internal and external context, including factors such as business culture, supply chain, legal and regulatory requirements, and stakeholder expectations. This deeper understanding enables more effective implementation of information security policies and controls.
3. Focus on continuous improvement:
Clause 6.2 of ISO 27001 places emphasis on the need to explicitly monitor information security objectives. The latest version strengthens this approach by requiring organizations to establish key performance indicators (KPIs) and to conduct periodic assessments of the information security management system. This enables organizations to identify areas for improvement and to take corrective and preventive action in a timely manner.
Transition process
All certificates issued under ISO 27001:2013 will remain valid until October 25, 2025, that is, for three years after the release of the new version.
Companies with ISO 27001:2013 certification must complete the transition to ISO 27001:2022 by October 31, 2025.
Organizations may still obtain or renew certification under ISO 27001:2013 until April 25, 2024, a period of eighteen months after the release of the new version.
In summary, the changes to the core of the standard are minor and can be implemented quickly with minimal adjustments to documentation and processes. The changes to the controls in Annex A are moderate and can be addressed primarily by incorporating the new controls into existing documentation.
