An information security management system (ISMS), as specified in ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements), preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.
To help organizations deal with the challenges of cybersecurity and privacy protection, ISO/IEC 27001 was revised and published on 25 October 2022. The new edition is effective from that date under the revised title ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection – Information security management systems – Requirements).
Highlights and Changes
The term "International Standard" is replaced with "document" throughout, and English phrasing has been re-arranged to allow for easier translation.
The management-system clauses (4 to 10) have been changed to align with the ISO harmonized structure used across all ISO management system standards: the numbering has been restructured, there is an explicit requirement to communicate the organizational roles relevant to information security within the organization, and a new clause 6.3 (Planning of changes) requires changes to the ISMS to be carried out in a planned manner.
The Annex A controls (taken from ISO/IEC 27002:2022) have been consolidated into four themes: Organizational, People, Physical and Technological, instead of the 14 control domains of the previous edition.
ISO/IEC 27002:2022 also tags each control with five attributes, aligned with the common terminology used within digital security, so that controls can be filtered and grouped in different ways: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.
The 11 new controls, with their ISO/IEC 27002:2022 numbers, are:
- Threat intelligence (5.7): To collect and analyse information about threats to the organization so that appropriate mitigation actions can be taken against cyber-attacks.
- Data leakage prevention (8.12): To detect and prevent the unauthorized disclosure or transmission of data from the organization to any external party.
- Data masking (8.11): To limit the exposure of sensitive information (including personal data) to accidental and intentional threats, for example by ensuring that real sensitive data is not made available beyond the production environment.
- Information security for use of cloud services (5.23): To protect cloud-based infrastructure, applications and data throughout the acquisition, use, management and exit from cloud services.
- ICT readiness for business continuity (5.30): To protect the capability of the organization to continue using ICT in the delivery of products or services during a disruption.
- Physical security monitoring (7.4): To detect and deter unauthorized physical access, damage and interference to the organization's information and other associated assets.
- Configuration management (8.9): To ensure that hardware, software, services and networks function correctly with the required security settings, and that configuration is not altered by unauthorized or incorrect changes.
- Information deletion (8.10): To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
- Monitoring activities (8.16): To detect anomalous behaviour and potential information security incidents.
- Web filtering (8.23): To protect systems from being compromised by malware and to prevent access to unauthorized web resources.
- Secure coding (8.28): To ensure that software is written securely, thereby reducing the number of potential information security vulnerabilities in the software.
Key differences between ISO 27001:2013 and ISO 27001:2022:

Information security controls and structure

                          ISO 27001:2013          ISO 27001:2022
  Control grouping        14 control categories   4 control themes
  Control objectives      35                      0 (removed)
  Number of controls      114                     93 (82 based on existing controls, 11 new)

ISO 27001:2022 introduces new information security controls that reflect the changing nature of information security threats; the remaining 2013 controls have been merged or updated rather than dropped.
Important Transition information
If you are already certified to ISO/IEC 27001:2013, or are mid-certification, your organization must transition to ISO/IEC 27001:2022 by 31 October 2025 to maintain its certification; 2013 certificates are not valid after that date. The transition is confirmed by your certification body through a transition audit, which can be combined with a scheduled surveillance or recertification audit, so plan the gap assessment and the updated Statement of Applicability early enough to fit that audit cycle.
If you are about to recertify, note that from 30 April 2024 recertification audits are conducted against ISO/IEC 27001:2022 only.
Likewise, all initial certification audits from 30 April 2024 are conducted against ISO/IEC 27001:2022 only; the 2013 edition can no longer be used for new certificates.
For the transition of your existing information security management system certification from ISO/IEC 27001:2013 to ISO/IEC 27001:2022, you can reach us through our website's Contact Us page.