Recognize The Changes In Iso 27001:2022 Standard

By Author: Smith
Total Articles: 111
Comment this article

As we all know that cybersecurity and data protection are now the primary concerns for businesses and customers, making it essential for companies to implement the highest information security standards. The International Standards Organization (ISO) remains committed to helping global businesses by developing standards based on input from subject matter experts worldwide.
The ISO/IEC 27001:2022 standard sets the foundation for an organization's Information Security Management System (ISMS). Originally published by both the ISO and the International Electrotechnical Commission (IEC), the most recent revision has become part of the ISO 27000 family of standards for information security management. ISO 27001, the information security management standard, was initially published in 2005. It was changed in 2013 and updated again in October 2022, with significant revisions to Annex A. If the firm is ISO 27001 certified or wants to achieve ISO 27001:2022 certification, these improvements will be reflected in the security controls as listed in Annex A.
Interestingly, ISO 27001 was last updated about a decade ago, so these ...
... changes and their implications for enterprises must be closely monitored. You may be wondering why ISO 27001 has been upgraded. Simply, the moment has come. Information security in 2022 looks a lot different than it did a decade ago. With increasingly creative technology, online enterprises, and cloud operations, the cyber landscape has grown tremendously and become much more complex.
ISO 27001 specifies security measures that, when put in place, establish a comprehensive information security management system. It also provides a framework for auditors to utilize in certifying that an organization meets widely accepted information security requirements. ISO 27001:2022 documents might assist in understanding the required controls.
The standard is divided into sections that explain the expectations for information security implementation. Clause 4.4, for example, mandates a company to create, implement, and continuously enhance an information security management system. Clause 6.1.2 requires businesses to investigate, assess, and evaluate information security threats. ISO 27001 includes Annex A, which lists specific control goals and controls, in addition to the provisions. There are dozens of matched objectives and controls, but let's have a look at a few of them to get a sense of what to expect.
• A.9.4.3 — Objective: Password management system. Control: Password management systems shall be interactive and shall ensure quality passwords.
• A.10.1.1 — Objective: Policy on the use of cryptographic controls. Control: A policy on the use of cryptographic controls for the protection of information shall be developed and implemented.
• A.12.1.2 — Objective: Change management. Control: Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled.
The Annex A controls have seen the most significant changes in the latest version of ISO 27001. There are 11 new controls in ISO 27002:2022, so we can expect the same in ISO 27001 Annex A. Considering the addition of controls, the total number has decreased from 114 to 93. This is due to the consolidation of many restrictions. In addition, the categories have been consolidated and merged. The controls in ISO 27001:2013 were grouped into 14 categories. There will be four domains in ISO 27001:2022.
• People control: distant work, privacy, non-disclosure, screening, etc.
• Organizational controls: organizational information policies, cloud service use, asset use, etc.
• Physical controls: security monitoring, storage media, maintenance, facilities security, etc.
• Technological controls: authentication, encryption, data leak prevention, etc.
Furthermore, to prepare for ISO 27001:2022, the business does not need to make rapid adjustments, however, it should become acquainted with the new and amended controls. If the information security management system is based on the ISO 27001 implementation guidance, preparations should be put in place to update controls as needed. If the organization employs a different set of standards, documentation mapping from the chosen controls to the controls in ISO 27001:2022 Annex A will be required.
Source: https://27001securitycertification.wordpress.com/2022/11/14/recognize-the-changes-in-iso-270012022-standard/