Learn about the changes in the 2022 version of the ISO/IEC 27001 Standard

How did ISO/IEC 27001 come about?

After this standard appears in 1990 as a security standard, it is published as ISO 17799 by the International Standards Organization in the early 2000s. And, five years later, it changes its name to ISO 27001.

This is how this standard has gone through three revisions until reaching the current one, which was published in February 2022 and whose transition period for companies is expected to end in October of 2025.

Each organization that has this standard or wants to implement it, must be aware of the changes that the new version implied:

a) New rule name from “Code of Practice for Information Security Controls” to “Code of Practice for Information Security, Cybersecurity and Privacy Protection Controls”.

b) New nomenclature and structure to the change from 14 domains to only 4 large domains (organizational, physical, technological and people).

c) Reduced from 114 to 93 controls (11 new):

    1. Threat Intelligence
    2. Information security for the use of cloud services
    3. ICT readiness for business continuity
    4. Physical security monitoring
    5. Configuration management
    6. Information removal
    7. Data masking
    8. Data leak prevention
    9. Activity monitoring
    10. Web Filtering
    11. Secure coding

d) The changes in the clauses are as follows:

  • Clause 4. When Identifying the internal context and environment of the organization, cyberspace should be considered. When Identifying interest groups, include groups that will be contributing to the control of privacy and cybersecurity.
  • Clause 5. Include cybersecurity and privacy protection in the Information Security Policy.
  • Clause 6. In risk management, consider personal and cyberspace assets. In addition to planning the changes to be implemented.
  • Clause 7. Consider resources to cover privacy and cybersecurity.
  • Clause 8. Unchanged.
  • Clause 9. Monitor new controls.
  • Clause 10. The improvement must consider technological changes in cyberspace.

The main reason for updating is to adapt to the new working reality of many companies around the world. And in this dynamic, remote work and the control of new cyberattacks occupy an important place.

Take into account the 4 actions for the 2022 version of ISO/IEC 27001

Given the changes, the main actions expected from companies are the following:

  1. Update the risk treatment process considering the new controls.
  2. Update the applicability statement.
  3. Modify existing policies and procedures.
  4. Include security metrics and indicators.

Do you have questions or would you like more information?

At Itera we can provide consulting services and solutions on cybersecurity, cloud and standard issues ISO/IEC 27001.

Contact a specialist: