
What are the changes in ISO 27001 version 2022?

Written by Mathijs de Vaal

The ISO 27001 standard for information security has been revised: the new version was published on 25 October 2022, the previous version dating back to 2013. The updated ISO 27001 standard has been aligned with the revised ISO 27002 standard, which was published earlier in 2022. The revision was overdue, as the previous standard was almost a decade old and, in information security in particular, a lot has changed in that time. ISO 27001:2022 now also addresses the cloud, tags each control with attributes written as hashtags (for example #Preventive or #Confidentiality), adopts the changes to the High Level Structure (HLS), and lays out the management measures (controls) in Annex A differently.

ISO 27001 Harmonized Structure

A new Harmonised Structure was published in 2021. This is a modified version of the so-called High Level Structure (HLS), the standard format used for all ISO management system standards (such as ISO 9001, ISO 14001 and ISO 22301). This Harmonised Structure has now also been adopted in the new version of the ISO 27001 standard.

A number of smaller changes have been made in this Harmonised Structure of the standard:

  • The requirement to identify the requirements of interested parties (stakeholders) has been clarified (clause 4.2).
  • Requirements regarding the processes of the ISMS, changes to it and the related risks have been clarified (clauses 4.4, 6.3 and 8.1); clause 6.3 on planning of changes is new.
  • Additional requirements for externally provided processes, products and services have been added (clause 8.1).

ISO 27001 Annex A management measures: controls

The changes are mainly in the control measures in Annex A. The ISO 27001 standard consists of the HLS clauses (4 to 10) and the control measures in Annex A; those controls are derived from, and explained in more detail in, ISO 27002. The revision of ISO 27002 therefore drives the revision of Annex A. The structure of the controls has been overhauled completely: previously the controls were divided over 14 domains, which have now been reduced to four themes:

  • Organisational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

In addition, a number of existing controls were merged, several were updated and 11 new controls were added. The total number of controls is thereby reduced from 114 to 93.

All control measures are now linked to attributes, written as hashtags in ISO 27002. There are five attribute types: control type (#Preventive, #Detective, #Corrective), information security properties (#Confidentiality, #Integrity, #Availability), cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover), operational capabilities (for example #Governance or #Asset_management) and security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience). These attributes make it easier to filter and select controls, for instance to list all detective controls or all controls that protect availability.

Which ISO 27001 management measures are new?

The new controls matter because the previous standard was almost a decade old; working in the cloud, for example, was not yet covered. The 11 new controls are: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23) and secure coding (8.28). With these controls the standard better reflects the current state of the art and the associated risks. In addition, the new structure of the controls and the link to attributes help to manage the management system and the information security risks effectively.

What does the new version of ISO 27001 mean for my organisation?

If your organisation is currently certified against ISO 27001:2013, your certificate remains valid during the transition period, which runs for three years from publication and ends on 31 October 2025; after that date, certificates against the 2013 version are no longer valid. The transition to the 2022 version is carried out by the certification body as a transition audit, which can be combined with a regular surveillance audit or with the recertification audit, or performed as a separate (additional) audit if you want to switch earlier.

More information about ISO 27001 certification?

Contact us and we will be happy to discuss the options for obtaining this certification or transitioning to the new version of the standard for your organisation.


Mathijs de Vaal

As managing consultant, Mathijs leads strategic projects and advises organisations on how to gain control over compliance. With sharp analytical skills and as a true team player, he leads project teams and translates compliance challenges into concrete solutions.
