ISO 27001:2022 Annex A: The New Security Controls
Anwita
Sep 20, 2024
The world of information security never stands still, nor does ISO/IEC 27001. On October 25, 2022, this standard for Information Security Management Systems (ISMS) received a major revision.
ISO 27001, the international standard that specifies the requirements for an information security management system (ISMS), undergoes a systematic review every five years.
The update to ISO/IEC 27001:2022 brings important changes that organizations need to be aware of to maintain their certification and strengthen their information security posture.
This article breaks down what’s new in ISO/IEC 27001:2022, how it differs from the 2013 version, and what it means for your organization’s security strategy. If you’re implementing an ISMS or maintaining one, you’ll want to know how these updates affect you.
TL;DR
ISO 27001:2022 revamps the standard to tackle modern global security challenges, including emerging cyber threats and evolving business needs.
ISO 27001:2022 features technical revisions and aligns with ISO 27002:2022, with updates in document length, structural changes, terms and definitions, planning, support, operation, performance evaluation, and improvement.
Organizations certified to the 2013 version have a three-year transition window, ending October 31, 2025, to bring their ISMS in line with the 2022 edition; most of the changes are small enough that work can begin right away.
What has changed in the latest ISO 27001 revision?
One of the most notable alterations is the restructuring of the control framework. The previous 14 domains have been condensed into four main themes: Organizational, People, Physical, and Technological. This reorganization aims to provide a more logical and intuitive structure for implementing and managing security controls.
In terms of ISO 27001 2022 new controls, the standard has seen both additions and reductions. The total number of controls has been reduced from 114 to 93, streamlining the framework while maintaining comprehensive coverage. This reduction comes primarily from merging similar controls and removing outdated ones. However, the standard also introduces 11 new controls to address emerging threats and technologies.
These new controls cover areas such as threat intelligence, information security for cloud services, ICT readiness for business continuity, and data leakage prevention.
ISO/IEC 27002 impact to ISO/IEC 27001 2022
- Changes from ISO/IEC 27002:2022 have been integrated into ISO/IEC 27001:2022, especially in Annex A.
- The structure of ISO 27001 2022 new controls mirrors that of ISO 27002:2022, creating a more unified approach.
- This alignment ensures organizations following ISO 27001 are implementing the latest security practices as outlined in ISO 27002.
- ISO 27002’s guidelines for organizational information security standards and management practices are now more closely tied to ISO 27001’s requirements.
We’ll go into further detail in the next section.
What are the requirements of ISO 27001: 2022?
The ISO 27001:2022 standard sets out the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Clauses 4 to 10 are the mandatory management-system requirements an organization must meet to be certified; the Annex A controls discussed in the sections that follow are selected from them through risk treatment.
With that said, here are the requirements of ISO 27001:2022, clause by clause:
- 4.1 Understanding the organization and its context: determine the internal and external issues relevant to the purpose of the ISMS
- 4.2 Understanding the needs and expectations of interested parties: identify interested parties, their relevant requirements, and which of those requirements the ISMS will address
- 4.3 Determining the scope of the ISMS: define the boundaries and applicability of the ISMS and keep the scope as documented information
- 4.4 Information security management system: establish, implement, maintain and continually improve the ISMS, including the processes needed and their interactions
- 5.1 Leadership and commitment: top management must visibly lead and support information security, for example by ensuring that the policy and objectives are set and that resources are available
- 5.2 Policy: top management establishes an information security policy that is documented, communicated, and available to interested parties as appropriate
- 5.3 Organizational roles, responsibilities and authorities: assign and communicate responsibility for the ISMS conforming to the standard and for reporting on its performance
- 6.1 Actions to address risks and opportunities: define and apply an information security risk assessment process (6.1.2) and a risk treatment process (6.1.3), including producing the Statement of Applicability
- 6.2 Information security objectives and planning to achieve them: set objectives that are measurable, monitored and documented, and plan how to achieve them
- 6.3 Planning of changes: carry out changes to the ISMS in a planned manner
- 7.1 Resources: provide the resources needed for the ISMS
- 7.2 Competence: ensure that people whose work affects information security performance are competent, and retain evidence of competence
- 7.3 Awareness: ensure that people working under the organization's control know the policy, their contribution to the ISMS, and the implications of not conforming
- 7.4 Communication: determine what to communicate, when, with whom, and how
- 7.5 Documented information: create, update and control the documented information required by the standard and by the ISMS
- 8.1 Operational planning and control: plan, implement and control the processes needed to meet the requirements, establishing criteria for the processes and controlling them against those criteria, including externally provided processes, products or services
- 8.2 Information security risk assessment: perform risk assessments at planned intervals and when significant changes occur
- 8.3 Information security risk treatment: implement the risk treatment plan and retain the results
- 9.1 Monitoring, measurement, analysis and evaluation: evaluate the information security performance and the effectiveness of the ISMS
- 9.2 Internal audit: conduct internal audits at planned intervals to verify that the ISMS conforms to the organization's own requirements and to the standard, and is effectively implemented
- 9.3 Management review: top management reviews the ISMS at planned intervals
- 10.1 Continual improvement: continually improve the suitability, adequacy and effectiveness of the ISMS
- 10.2 Nonconformity and corrective action: react to nonconformities, evaluate the need for action to eliminate their causes, implement corrective action, and retain evidence
How can Sprinto help?
Sprinto helps you put your ISO 27001 program on autopilot. For the 2022 version, it identifies gaps in your ISMS, automates recurring compliance tasks, and recommends the controls and policies to put in place.
To see how this works in practice, read how Sprinto gave Intellect the confidence to achieve its ISO 27001 goals.
ISO 27001 2013 Vs ISO 27001 2022: Main differences
If you’re looking to align your ISMS with the new developments, you can breathe a little easier. While the ISO changes are noteworthy, they aren’t overwhelmingly significant.
ISO 27001:2022 maintains the same number of clauses as its 2013 predecessor, but with some textual refinements. These modifications serve to better align ISO 27001 with other ISO management standards, enhancing overall consistency.
The most substantial changes primarily focus on two areas: the planning and definition of process criteria, and the enhancement of monitoring standards.
For the full text, refer to the ISO/IEC 27001:2013 document (PDF).
Structural changes
The table of contents has changed. Sections such as planning, support, operation, and performance evaluation now have more sub-clauses, which makes the standard clearer to read and easier to implement.
Terms and definition
Clause 3 of ISO 27001:2013 referred only to ISO/IEC 27000 for terms and definitions. ISO 27001:2022 additionally points to the ISO and IEC online terminology databases. This gives practitioners a richer set of definitions to draw on and reduces ambiguity when interpreting the requirements.
Context of organization
Clause 4.2 (understanding the needs and expectations of interested parties) gains a third item: organizations must determine which of the interested-party requirements identified under the first two items will be addressed through the ISMS.
Additionally, clause 4.4 (information security management system) in the 2013 version stated only the requirement to establish, implement, maintain and continually improve the ISMS. The 2022 text adds that this includes the processes needed and their interactions.
Planning
Clause 6.2 (information security objectives and planning to achieve them) of the 2013 version listed ten requirements. The 2022 version adds two: objectives must be monitored and must be available as documented information.
This section also gains a new clause, 6.3 (planning of changes), which requires that changes to the ISMS be carried out in a planned manner.
Support
Clause 7.4 (Communication) in 2013 listed five items to determine for internal and external communication. The 2022 version lists four: a new item, how to communicate, replaces the last two (who shall communicate, and the processes by which communication is effected).
Operation
Clause 8.1 (Operational planning and control) in 2022 adds two requirements for carrying out the actions determined in clause 6: establishing criteria for the processes, and implementing control of the processes in accordance with those criteria. It also states explicitly that externally provided processes, products or services relevant to the ISMS must be controlled.
Performance evaluation
Clause 9.1 (Monitoring, measurement, analysis and evaluation) of the 2022 version now states up front that the organization must evaluate the information security performance and the effectiveness of the ISMS.
Additionally, two clauses in this section are divided into sub-clauses.
Clause 9.2 (Internal audit) is now subdivided into 9.2.1 General and 9.2.2 Internal audit programme. The text of the requirements remains the same.
Clause 9.3 (Management review) is subdivided into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results. 9.3.2 adds one input that management must consider during the review: changes in the needs and expectations of interested parties that are relevant to the ISMS.
Name of the standard
The first noticeable change is the title of the standard. Previously, it was Information technology — Security techniques — Information security management systems — Requirements.
Now it reads Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
The 2013 document ran to 23 pages; the 2022 version has 19. The shorter length reflects content that was modified, removed or consolidated to align with the other ISO management system standards.
Improvement
Section 10 of the 2013 version had nonconformity and corrective action as 10.1 and continual improvement as 10.2. The 2022 version reverses the order: 10.1 (Continual improvement) and 10.2 (Nonconformity and corrective action). The text of the requirements is unchanged.
In essence, the new title and the revised Annex A broaden the standard's framing from information security alone to information security, cybersecurity and privacy protection, with new controls covering cloud services, data protection and physical security monitoring.
Updates in ISO/IEC 27001:2022
Several clauses were reworded or reordered in the latest version; note that there are very few genuinely new requirements in clauses 4 to 10. The larger change is in Annex A. The four lists below set out the controls category-wise, each with its control name and a one-line summary of what it requires.
Organizational controls (37)
- A 5.1 Policies for information security: define, approve, publish, communicate and periodically review an information security policy and topic-specific policies
- A 5.2 Information security roles and responsibilities: define and allocate information security roles according to the organization's needs
- A 5.3 Segregation of duties: separate conflicting duties and areas of responsibility
- A 5.4 Management responsibilities: management requires all personnel to apply information security in line with the established policy and procedures
- A 5.5 Contact with authorities: establish and maintain contact with relevant authorities
- A 5.6 Contact with special interest groups: maintain contact with special interest groups, security forums and professional associations
- A 5.7 Threat intelligence (new): collect and analyse information about information security threats to produce threat intelligence
- A 5.8 Information security in project management: integrate information security into project management
- A 5.9 Inventory of information and other associated assets: maintain an inventory of information and associated assets, including their owners
- A 5.10 Acceptable use of information and other associated assets: identify, document and implement rules for acceptable use and handling
- A 5.11 Return of assets: personnel and other interested parties return organizational assets on change or termination of employment, contract or agreement
- A 5.12 Classification of information: classify information according to confidentiality, integrity, availability and interested-party requirements
- A 5.13 Labelling of information: develop and implement labelling procedures in line with the classification scheme
- A 5.14 Information transfer: rules, procedures or agreements for all types of transfer, within the organization and with other parties
- A 5.15 Access control: rules to control physical and logical access to information and associated assets, based on business and security requirements
- A 5.16 Identity management: manage the full life cycle of identities
- A 5.17 Authentication information: control the allocation and management of authentication information and advise personnel on handling it
- A 5.18 Access rights: provision, review, modify and remove access rights in accordance with the access control policy
- A 5.19 Information security in supplier relationships: processes and procedures to manage the risks associated with supplier products and services
- A 5.20 Addressing information security within supplier agreements: establish and agree relevant security requirements with each supplier
- A 5.21 Managing information security in the ICT supply chain: manage the risks associated with the ICT products and services supply chain
- A 5.22 Monitoring, review and change management of supplier services: regularly monitor, review, evaluate and manage change in supplier security practices and service delivery
- A 5.23 Information security for use of cloud services (new): processes for the acquisition, use, management of and exit from cloud services
- A 5.24 Information security incident management planning and preparation: define, establish and communicate incident management processes, roles and responsibilities
- A 5.25 Assessment and decision on information security events: assess events and decide whether they are to be categorized as incidents
- A 5.26 Response to information security incidents: respond to incidents in accordance with documented procedures
- A 5.27 Learning from information security incidents: use knowledge gained from incidents to strengthen and improve controls
- A 5.28 Collection of evidence: procedures for the identification, collection, acquisition and preservation of evidence related to information security events
- A 5.29 Information security during disruption: plan how to maintain information security at an appropriate level during disruption
- A 5.30 ICT readiness for business continuity (new): plan, implement, maintain and test ICT readiness based on business continuity objectives and ICT continuity requirements
- A 5.31 Legal, statutory, regulatory and contractual requirements: identify, document and keep up to date these requirements and the organization's approach to meeting them
- A 5.32 Intellectual property rights: procedures to protect intellectual property rights
- A 5.33 Protection of records: protect records from loss, destruction, falsification, unauthorized access and unauthorized release
- A 5.34 Privacy and protection of PII: identify and meet the requirements for preserving privacy and protecting personally identifiable information
- A 5.35 Independent review of information security: independently review the organization's approach to managing information security at planned intervals or when significant changes occur
- A 5.36 Compliance with policies, rules and standards for information security: regularly review compliance with the organization's policies, rules and standards
- A 5.37 Documented operating procedures: document operating procedures for information processing facilities and make them available to the personnel who need them
Technological controls (34)
- A 8.1 User endpoint devices: protect information stored on, processed by or accessible via user endpoint devices
- A 8.2 Privileged access rights: restrict and manage the allocation and use of privileged access rights
- A 8.3 Information access restriction: restrict access to information and associated assets in accordance with the access control policy
- A 8.4 Access to source code: manage read and write access to source code, development tools and software libraries appropriately
- A 8.5 Secure authentication: implement secure authentication technologies and procedures based on the access restrictions and the access control policy
- A 8.6 Capacity management: monitor and adjust the use of resources in line with current and expected capacity requirements
- A 8.7 Protection against malware: implement protection against malware, supported by user awareness
- A 8.8 Management of technical vulnerabilities: obtain information about technical vulnerabilities in the systems in use, evaluate the organization's exposure, and take appropriate measures
- A 8.9 Configuration management (new): establish, document, implement, monitor and review the configurations, including security configurations, of hardware, software, services and networks
- A 8.10 Information deletion (new): delete information stored in systems, devices or other storage media when it is no longer required
- A 8.11 Data masking (new): use data masking in accordance with the access control policy, business requirements and applicable legislation
- A 8.12 Data leakage prevention (new): apply data leakage prevention measures to systems, networks and devices that process, store or transmit sensitive information
- A 8.13 Information backup: maintain and regularly test backup copies of information, software and systems in accordance with the backup policy
- A 8.14 Redundancy of information processing facilities: implement redundancy sufficient to meet availability requirements
- A 8.15 Logging: produce, store, protect and analyse logs that record activities, exceptions, faults and other relevant events
- A 8.16 Monitoring activities (new): monitor networks, systems and applications for anomalous behaviour and take appropriate action to evaluate potential incidents
- A 8.17 Clock synchronization: synchronize the clocks of information processing systems to approved time sources
- A 8.18 Use of privileged utility programs: restrict and tightly control the use of utility programs capable of overriding system and application controls
- A 8.19 Installation of software on operational systems: procedures and measures to securely manage software installation on operational systems
- A 8.20 Networks security: secure, manage and control networks and network devices to protect information in systems and applications
- A 8.21 Security of network services: identify, implement and monitor the security mechanisms, service levels and service requirements of network services
- A 8.22 Segregation of networks: segregate groups of information services, users and information systems in the organization's networks
- A 8.23 Web filtering (new): manage access to external websites to reduce exposure to malicious content
- A 8.24 Use of cryptography: define and implement rules for the effective use of cryptography, including key management
- A 8.25 Secure development life cycle: establish and apply rules for the secure development of software and systems
- A 8.26 Application security requirements: identify, specify and approve information security requirements when developing or acquiring applications
- A 8.27 Secure system architecture and engineering principles: establish, document, maintain and apply principles for engineering secure systems to all development activities
- A 8.28 Secure coding (new): apply secure coding principles to software development
- A 8.29 Security testing in development and acceptance: define and implement security testing processes in the development life cycle
- A 8.30 Outsourced development: direct, monitor and review the activities related to outsourced system development
- A 8.31 Separation of development, test and production environments: separate and secure development, test and production environments
- A 8.32 Change management: subject changes to information processing facilities and information systems to change management procedures
- A 8.33 Test information: appropriately select, protect and manage test information
- A 8.34 Protection of information systems during audit testing: plan and agree audit tests and other assurance activities involving operational systems between the tester and appropriate management, so that they do not disrupt operations
Physical controls (14)
- A 7.1 Physical security perimeters: define and use security perimeters to protect areas that contain information and associated assets
- A 7.2 Physical entry: protect secure areas with appropriate entry controls and access points
- A 7.3 Securing offices, rooms and facilities: design and implement physical security for offices, rooms and facilities
- A 7.4 Physical security monitoring (new): continuously monitor premises for unauthorized physical access
- A 7.5 Protecting against physical and environmental threats: design and implement protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure
- A 7.6 Working in secure areas: design and implement security measures for working in secure areas
- A 7.7 Clear desk and clear screen: define and enforce clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities
- A 7.8 Equipment siting and protection: site equipment securely and protect it
- A 7.9 Security of assets off-premises: protect assets that are used or stored off the organization's premises
- A 7.10 Storage media: manage storage media through its life cycle of acquisition, use, transportation and disposal in accordance with the classification scheme and handling requirements
- A 7.11 Supporting utilities: protect information processing facilities from power failures and other disruptions caused by failures in supporting utilities
- A 7.12 Cabling security: protect cables carrying power, data or supporting information services from interception, interference or damage
- A 7.13 Equipment maintenance: maintain equipment correctly to ensure the availability, integrity and confidentiality of information
- A 7.14 Secure disposal or re-use of equipment: verify that sensitive data and licensed software have been removed or securely overwritten before equipment is disposed of or re-used
People controls (8)
- A 6.1 Screening: background verification checks on candidates before they join and on an ongoing basis, proportional to business requirements, the classification of the information to be accessed and the perceived risks
- A 6.2 Terms and conditions of employment: employment contracts state the personnel's and the organization's responsibilities for information security
- A 6.3 Information security awareness, education and training: personnel and relevant interested parties receive appropriate awareness, education and training, and regular updates on the policy and procedures relevant to their role
- A 6.4 Disciplinary process: formalize and communicate a process for taking action against personnel who have committed an information security policy violation
- A 6.5 Responsibilities after termination or change of employment: define, enforce and communicate the information security responsibilities and duties that remain valid after termination or change of employment
- A 6.6 Confidentiality or non-disclosure agreements: identify, document, regularly review and have signed agreements that reflect the organization's needs for the protection of information
- A 6.7 Remote working: implement security measures when personnel work remotely, to protect information accessed, processed or stored outside the organization's premises
- A 6.8 Information security event reporting: provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner
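A 8.9 (configuration management) asks for security configurations to be established, documented, monitored and reviewed, and A 8.16 (monitoring activities) asks for deviations to be detected and acted on. The following is an added example written for this article, not code from the standard or from Sprinto, that applies both ideas to one service: it parses an sshd_config, compares the effective settings against a baseline, reports drift, and emits a corrected file. The baseline values, the sample configuration text and the function names are this example's own assumptions. It also mirrors sshd's first-value-wins rule for repeated keywords, so a later `PasswordAuthentication no` does not rescue an earlier `yes`, which is exactly the kind of silent drift a configuration check needs to catch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Secure baseline for a handful of sshd directives. These values are the
# example's own choices, not a list taken from ISO/IEC 27001 or 27002.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config text for the example, not copied from any real host.
WEAK_SSHD_CONFIG = """\
# constructed example sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # never applied: sshd uses the first value it sees
X11Forwarding yes
MaxAuthTries 6
"""

_DIRECTIVE = re.compile(r"[\s=]+")


def _split(line: str) -> Optional[Tuple[str, str]]:
    """Strip comments and split 'Keyword value' (or 'Keyword=value')."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    parts = _DIRECTIVE.split(stripped, maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective settings. Keywords are case-insensitive and, as in sshd itself,
    the first occurrence of a keyword wins; later duplicates are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv:
            settings.setdefault(kv[0], kv[1])
    return settings


def check_baseline(settings: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Drift report: one (directive, actual or None if unset, expected) per deviation."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for name, expected in baseline.items():
        actual = settings.get(name.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((name, actual, expected))
    return findings


def render_hardened(text: str, baseline: Dict[str, str]) -> str:
    """Rewrite the config so every baseline directive appears exactly once with
    the baseline value; unrelated lines and comments are kept as they are."""
    wanted = {name.lower(): (name, value) for name, value in baseline.items()}
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        kv = _split(line)
        key = kv[0] if kv else None
        if key in wanted:
            if key in seen:
                continue              # drop duplicates so there is one value per key
            seen.add(key)
            name, value = wanted[key]
            out.append(f"{name} {value}")
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")   # set directives the file left to defaults
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = parse_sshd_config(WEAK_SSHD_CONFIG)
    for name, actual, expected in check_baseline(current, BASELINE):
        print(f"DRIFT {name}: found {actual!r}, baseline {expected!r}")
    print(render_hardened(WEAK_SSHD_CONFIG, BASELINE))
```

Run against the constructed file, the check reports six deviations (four wrong values and two directives left at their defaults), and the rendered output parses back with no findings. In practice the same check would run on a schedule or on every change, with the drift report feeding the monitoring channel A 8.16 expects.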
What are the 11 new controls introduced in ISO 27001:2022?
The 11 new controls introduced in ISO 27001:2022 address the continuously evolving nature of information security. They are:
- A 5.7 Threat intelligence
- A 5.23 Information security for use of cloud services
- A 5.30 ICT readiness for business continuity
- A 7.4 Physical security monitoring
- A 8.9 Configuration management
- A 8.10 Information deletion
- A 8.11 Data masking
- A 8.12 Data leakage prevention
- A 8.16 Monitoring activities
- A 8.23 Web filtering
- A 8.28 Secure coding
During the transition, your team may need to spend the most time on the first of these, A 5.7 Threat intelligence. It sets the 2022 edition apart from earlier iterations and from many other frameworks because it requires the organization to collect and analyse information about threats at the strategic, tactical and operational levels and to act on the resulting intelligence, rather than treating threats generically in the risk assessment.
If you want the complete list of ISO 27001 controls, Sprinto offers a downloadable ISO 27001 controls list.
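A 8.11 (data masking) and A 8.12 (data leakage prevention) are two of the new technological controls. The following is an added example written for this article, not code from the standard or from Sprinto: it masks card numbers and e-mail addresses in a stored record, and runs a simple DLP-style check on outbound text that redacts Luhn-valid card numbers while leaving other 16-digit identifiers alone. The sample record and message are constructed; the regular expressions, masking rules and function names are this example's own choices, not requirements of the standard.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data for this example (not real people or card numbers).
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Ada Example",
    "email": "ada.example@example.com",
    "card": "4111 1111 1111 1111",
    "note": "renewal due",
}
SAMPLE_OUTBOUND = (
    "Hi, please charge 4111-1111-1111-1111 and reply to ada.example@example.com. "
    "Ref 1234567890123456 is an order id, not a card."
)

# 13 to 19 digits with an optional single space or dash between digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(value: str) -> str:
    """Keep only the last four digits (A 8.11 data masking)."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


MASKERS = {"card": mask_card, "email": mask_email}


def mask_record(record: Dict[str, str]) -> Dict[str, str]:
    """Mask the fields that have a masker; leave the rest untouched."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in record.items()}


def redact_outbound(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """DLP-style check on outbound text (A 8.12): returns the redacted text and a
    list of (type, identifier) findings. Only Luhn-valid digit runs count as cards."""
    findings: List[Tuple[str, str]] = []

    def _card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()          # looks like a card number but is not one
        findings.append(("card", digits[-4:]))
        return mask_card(m.group())

    def _email(m):
        findings.append(("email", m.group().partition("@")[2]))
        return mask_email(m.group())

    text = CARD_RE.sub(_card, text)
    text = EMAIL_RE.sub(_email, text)
    return text, findings


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
    redacted, found = redact_outbound(SAMPLE_OUTBOUND)
    print(redacted)
    print(found)
```

The Luhn check is what keeps the DLP rule useful: a regex alone would flag the order reference as a card and train users to ignore the alerts. A production control would add the data classes your classification scheme (A 5.12) defines and feed the findings into the logging and monitoring controls.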
How would ISO 27001 2022 affect my current ISO certification?
This is how ISO 27001 2022 would affect your current ISO certification
- Transition period: organizations certified to ISO 27001:2013 must transition to the 2022 version by October 31, 2025.
- Validity of current certificates: ISO 27001:2013 certificates remain valid during the transition period.
- Audit options: transition audits can be carried out as a stand-alone special audit or as part of a routine surveillance or recertification audit.
- New certifications: new certifications are issued against ISO 27001:2022 as of November 1, 2023.
- Necessary updates:
- Update the Statement of Applicability (SoA) to the new Annex A control set
- Revise the risk treatment plan where the control mapping changes it
- Align controls with the new Annex A structure (four themes, 93 controls)
- Planning: start planning the transition early to ensure compliance with the new standard before the deadline.
- Expiration: after October 31, 2025, ISO 27001:2013 certificates are no longer valid.
Do organizations need to relook at the ISO 27001 implementation process?
The changes in ISO 27001:2022 are not drastically different from the 2013 version, so the implementation process itself does not need to be rebuilt; the updates can be incorporated incrementally. The transition window runs until October 31, 2025.
However, we do not recommend leaving the work until then: certification bodies no longer issue new certificates against the older version, and surveillance and recertification audits are moving to the new one.
Use the 2022 Annex A to review your controls, but map each control in your existing Statement of Applicability (SoA) to its 2022 counterpart rather than starting over. Annex B of ISO/IEC 27002:2022 provides the correspondence table between the 2013 and 2022 control sets, so very few controls have to be designed from scratch.
To sum it up, here’s an ISO/IEC 27001 2022 checklist to get started:
Review and update your:
- Risk treatment plan to align it with the new controls.
- SoA
- ISMS review process
- ISMS communication plan
- IS objectives
ISO 27001: 2022 implementation made easy
Implementing compliance is hectic, and updates, while necessary to retire requirements that no longer apply, add to the workload.
Whether you wish to update your ISMS or implement a new one, Sprinto simplifies the end-to-end process. A combination of the Sprinto tool and a team of experts reviews your system to help you add new controls, monitor the existing ones for non-compliance, and report issues to the relevant team.
With Sprinto, you don't have to worry about any requirement, no matter how small or specific. Automation at every step of the process takes care of even the most complex tasks. Talk to our experts about your business needs.
FAQs
What are the versions of ISO 27001?
The latest version is ISO/IEC 27001:2022, which was published in October 2022. But there were versions before that. The first came out in 2005 and was dubbed ISO/IEC 27001:2005. Then, there was a second version in 2013. The latest release we have now is the third revision of that same standard, which came out in 2022.
What is new in ISO 27001 2022?
The key changes in ISO 27001:2022 include:
- Updated control structure: Controls are now organized into 4 categories instead of 14, with 93 controls total (down from 114).
- New controls: 11 new controls added, addressing areas like threat intelligence, cloud services, and data leakage prevention.
- Increased focus on risk management and emerging technologies.
- Transition period: Organizations have until October 31, 2025, to transition from the 2013 version.
- Certification changes: New certifications from November 1, 2023, should use the 2022 version.
What are the 4 domains of ISO 27001 2022?
The 4 main domains (or categories) of controls introduced in ISO 27001:2022 are:
- Organizational control
- People controls
- Physical controls
- Technological controls
What is the BSI 27001 2022 standard?
BSI 27001 2022 refers to the British Standards Institution’s adoption of ISO/IEC 27001:2022. It is applicable to organizations of all sizes and sectors that handle information.
Key changes from 2013 version:
- Realigned with ISO/IEC 27002:2022
- Updated Annex A
- Addresses modern security concerns
ISO 27001 vs ISO 27002?
ISO 27001 and ISO 27002 serve different but complementary roles in information security management. ISO 27001 is a certifiable management system standard that specifies the requirements for establishing and maintaining an information security management system (ISMS); its Annex A lists the reference controls, and the organization selects from them through risk treatment.
In contrast, ISO 27002 is a guidance standard (titled a code of practice until the 2022 edition, which is now simply Information security controls) that offers detailed implementation guidance for each of those controls. It is not certifiable on its own but complements ISO 27001: while ISO 27001 states what must be in place, ISO 27002 explains how to do it. Organizations typically implement ISO 27001 for certification and use ISO 27002 as the practical guide for implementing the controls within their ISMS.