The recently released ISO 27001:2022 updates the controls to be performed to implement, maintain and continuously improve an information security management system (ISMS).

last October, ISO 27001:2022, the standard that specifies requirements for establishing, implementing, maintaining and continuously improving an information security management system (ISMS), was published.

As of October 2023, all audits must be conducted in accordance with the new standard. Compared with the previous version, ISO 27001:2022 proposes a new Annex A where it incorporates variations from the 2014-2015 revisions and includes some style exercises (personal opinion) on clauses 9.2 (internal audit) and 9.3 (management review).

The updated Annex A

The Annex A contains the list of controls applicable to any organization wishing to have a system for information security, provides precisely 93 controls divided into 4 new categories:

A.5 – Organizational Controls;
A.6 – Physical Controls;
A.7 -People;
A.8 -Technological Controls;

Each of the 93 controls is associated with 5 attributes

  • control type;
  • information security properties;
  • cybersecurity concepts;
  • operational capabilities;
  • security domains

and is labeled (ISO/IEC 27002:2022) based on type (preventive, detective, corrective), properties (confidentiality, integrity, availibility) and the guidelines for developing a cybersecurity framework (ISO IEC 27110) on which NIST is based (Identify, Protect, Detect, Respond, Recover).

New controls in ISO 27001

Definitely interesting are eleven new controls that make the standard more current as they cover topics such as:

  • Threat Intelligence;
  • Physical security monitoring;
  • Data masking;
  • Information security for cloud services;
  • Monitoring activities;
  • ICT readiness for business continuity;
  • Data leakage prevention;
  • Configuration management;
  • Web filtering;
  • Information deletion;
  • Secure coding.

Resume

Despite the effort to modernize and adapt to new challenges, the ISO 27001 related to information security suffers from chronic technological misalignment on many of the verticals that have become strategic in recent times.

Especially with regard to cloud services standards (ISO 27017 and 27018), which will not be revised until 2024.

In this context, ISO 27001:2022, represents a very good starting point for every CISO.