
Are You Ready For The Transition To ISO 27001:2022?

Organisations that are currently certified to ISO 27001:2013 have a three-year transition period starting from the official release date in October 2022. PrimoConnect is available to assist you in making this transition as seamless and stress-free as possible, ensuring that you can maximise the benefits of your Information Security Management System (ISMS).




What is ISO 27002:2022 and why is it important?

ISO 27002 serves as a supplementary document that offers more in-depth information, clarification and guidance regarding Annex A in ISO 27001:2022. It's worth noting that ISO 27002 isn't a certification or quality label; it's simply a guide to assist your organisation in implementing Information Security best practices.

Numerous clients have inquired about how they can prepare for, and transition to, the latest version of ISO 27001. We understand that many businesses will be adopting a phased implementation approach, so we've developed a series of articles that explain how specific controls operate and provide guidance on how they should be implemented.

 

What changes appear in the new ISO 27001:2022?

ISO 27001:2022 has reduced the number of controls from 114 to 93, which have been classified into four categories: People (8 controls), Organisational (37 controls), Technological (34 controls) and Physical (14 controls). To streamline the framework, several of the former 114 controls have been consolidated, and 11 new controls have been added.

 

What does this mean for your organisation?

Broadly speaking, you should anticipate a more efficient method when putting your Information Security policies and procedures into practice.

 

What are the new controls in ISO 27001:2022 Annex A?

  • Information security for the use of cloud services

  • Data masking

  • Information and communication technology readiness for business continuity

  • Physical security monitoring

  • Data leakage prevention

  • Configuration management

  • Information deletion

  • Threat intelligence

  • Monitoring activities

  • Secure coding

  • Web filtering

To assist with filtering, sorting and presenting controls in different views for distinct audiences, each control is associated with attributes. These attributes are listed in a table immediately preceding the statement of each control.

Attributes are:

  • Control type

    • Preventive

    • Detective

    • Corrective

  • Information security properties

    • Confidentiality

    • Integrity

    • Availability

  • Cybersecurity concepts

    • Identify

    • Protect

    • Detect

    • Respond

    • Recover

  • Operational capabilities

    • Governance

    • Physical security and so forth… (complete list available on PrimoConnect IMS Toolbox)

  • Security domains

    • Governance and ecosystem

    • Protection

    • Defence

    • Resilience

Our consultants’ thoughts about the update

“While reflecting on the new changes in PrimoConnect’s IMS Toolbox, as an information security enthusiast and ISO 27001 implementor, I truly enjoyed the process. Reasonably, the new 2022 update of ISO 27002 brings more clarity, depth, and comprehension to an organisation’s Information Security Management System. The latest updates provide sufficient information regarding a control at a glance. It removes the pain of understanding the need, purpose, and usage of a particular control. In a nutshell, it answers 5W+H (What, when, where, why, who, and how) for every control.”




27002:2022 Organisational Controls

  • 5.1 Policies for Information Security

  • 5.10 Acceptable use of Information and Other Associated Assets

  • 5.11 Return of Assets

  • 5.12 Classification of Information

  • 5.13 Labelling of Information

  • 5.14 Information Transfer

  • 5.15 Access Control

  • 5.16 Identity Management

  • 5.17 Authentication Information

  • 5.18 Access Rights

  • 5.19 Information Security in Supplier Relationships

  • 5.2 Information Security Roles and Responsibilities

  • 5.20 Addressing Information Security Within Supplier Agreements

  • 5.21 Managing Information Security in the ICT Supply Chain

  • 5.22 Monitoring, Review and Change Management of Supplier Services

  • 5.23 Information Security For The Use of Cloud Services

  • 5.24 Information Security Incident Management Planning and Preparation

  • 5.25 Assessment and Decision on Information Security Events

  • 5.26 Response to IS Incidents

  • 5.27 Learning from Information Security Incidents

  • 5.28 Collection of Evidence

  • 5.29 Information Security During Disruption

  • 5.3 Segregation of Duties

  • 5.30 ICT Readiness for Business Continuity

  • 5.31 Legal, Statutory, Regulatory and Contractual Requirements

  • 5.32 Intellectual Property Rights

  • 5.33 Protection of Records

  • 5.34 Privacy and Protection of PII

  • 5.35 Independent Review of Information Security

  • 5.36 Compliance with Policies, Rules and Standards for Information Security

  • 5.37 Documented Operating Procedures

  • 5.4 Management Responsibilities

  • 5.5 Contact with Authorities

  • 5.6 Contact with Special Interest Groups

  • 5.7 Threat Intelligence

  • 5.8 Information Security in Project Management

  • 5.9 Inventory of Information and Other Associated Assets

27002:2022 People Controls

  • 6.1 Screening

  • 6.2 Terms and Conditions of Employment

  • 6.3 Information Security Awareness, Education and Training

  • 6.4 Disciplinary Process

  • 6.5 Responsibilities after Termination or Change of Employment

  • 6.6 Confidentiality or Non-Disclosure Agreements

  • 6.7 Remote Working

  • 6.8 Information Security Event Reporting

27002:2022 Physical Controls

  • 7.1 Physical Security Perimeters

  • 7.10 Storage Media

  • 7.11 Supporting Utilities

  • 7.12 Cabling Security

  • 7.13 Equipment Maintenance

  • 7.14 Secure Disposal or Re-Use of Equipment

  • 7.2 Physical Entry

  • 7.3 Securing Offices, Rooms, and Facilities

  • 7.4 Physical Security Monitoring

  • 7.5 Protecting Against Physical and Environmental Threats

  • 7.6 Working in Secure Areas

  • 7.7 Clear Desk and Clear Screen

  • 7.8 Equipment Siting and Protection

  • 7.9 Security of Assets Off-Premises

27002:2022 Technological Controls

  • 8.1 User Endpoint Devices

  • 8.10 Information Deletion

  • 8.11 Data Masking

  • 8.12 Data Leakage Prevention

  • 8.13 Information Backup

  • 8.14 Redundancy of Information Processing Facilities

  • 8.15 Logging

  • 8.16 Monitoring Activities

  • 8.17 Clock Synchronisation

  • 8.18 Use of Privileged Utility Programs

  • 8.19 Installation of Software on Operational Systems

  • 8.2 Privileged Access Rights

  • 8.20 Networks Security

  • 8.21 Security of Network Services

  • 8.22 Segregation of Networks

  • 8.23 Web Filtering

  • 8.24 Use of Cryptography

  • 8.25 Secure Development Life Cycle

  • 8.26 Application Security Requirements

  • 8.27 Secure System Architecture and Engineering Principles

  • 8.28 Secure Coding

  • 8.29 Security Testing in Development and Acceptance

  • 8.3 Information Access Restriction

  • 8.30 Outsourced Development

  • 8.31 Separation of Development, Test and Production Environments

  • 8.32 Change Management

  • 8.33 Test Information

  • 8.34 Protection of Information Systems During Audit Testing

  • 8.4 Access to Source Code

  • 8.5 Secure Authentication

  • 8.6 Capacity Management

  • 8.7 Protection Against Malware

  • 8.8 Management of Technical Vulnerabilities

  • 8.9 Configuration Management