Changes in the 2022 version of ISO/IEC 27001

Learn about the changes in the 2022 version of ISO/IEC 27001

How did the ISO/IEC 27001 Standard come about?

After this standard first appeared in 1990 as a security standard, the International Standards Organization published it as ISO 17799 in the early 2000s. Five years later, it was renamed ISO 27001.

Since then the standard has gone through three revisions, the most recent being the current version, published in February 2022; the transition period for certified companies is expected to end in October 2025.

Every organization that is certified to this standard, or that wants to implement it, should be aware of the changes the new version introduces:

  a) Renaming the standard from “Code of Practice for Information Security Controls” to “Code of Practice for Information Security, Cybersecurity and Privacy Controls”.
  b) New nomenclature and structure, changing from 14 domains to only 4 major domains (organizational, physical, technological and people).
  c) Reduction from 114 to 93 controls (11 new):
  1. Threat intelligence
  2. Information security for the use of cloud services
  3. ICT Readiness for Business Continuity
  4. Physical Security Monitoring
  5. Configuration management
  6. Deleting Information
  7. Data masking
  8. Data Leak Prevention
  9. Activity monitoring
  10. Web Filtering
  11. Secure Coding
  d) The changes in the clauses are as follows:
  • Clause 4. When identifying the organization's internal context and environment, cyberspace should be considered. When identifying stakeholders, include the groups that will contribute to the control of privacy and cybersecurity.
  • Clause 5. Include cybersecurity and privacy protection in the Information Security Policy.
  • Clause 6. In risk management, consider personal and cyberspace assets, and plan the changes that will be implemented.
  • Clause 7. Consider resources to cover privacy and cybersecurity.
  • Clause 8. No modification.
  • Clause 9. Monitor new controls.
  • Clause 10. Improvement must take into account technological changes in cyberspace.

The main reason for the update is to adapt the standard to the new working reality of many companies around the world, in which remote work and the control of new cyberattacks play an important role.

Take into account the 4 actions for the 2022 version of the ISO/IEC 27001 Standard

In view of the changes, the main actions expected from companies are the following:

  1. Update the risk treatment process considering the new controls.
  2. Update the statement of applicability.
  3. Modify existing policies and procedures.
  4. Include security metrics and indicators.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions on cybersecurity, cloud and ISO/IEC 27001 standard matters.

Contact a specialist:

seguridad@iteraprocess.com
