The Transition to ISO/IEC 27001:2022
The global digital landscape is changing. New ways of working are becoming increasingly common, such as remote work, “bring your own device” (BYOD), and even “bring your own application” (BYOA). Moreover, companies’ core operations are increasingly based on cloud and digital technology, making them more and more dependent on it (IT pun intended ;).
The Information Security Management standard ISO/IEC 27001 and the Controls for Information Security standard ISO/IEC 27002 have been updated to reflect these developments.
These updates offer enhanced control measures, enabling your organization to address increasingly advanced security risks, ensure business continuity, and gain a competitive edge. By quickly understanding these changes and their impact on your organization, you can ensure that your information remains protected and that you continue to optimize your competitiveness.
Changes to the ISO 27001 Standard
There have been revisions to the text, including:
- Replacing “international standard” with “document” throughout the text
- Restructuring some English sentences to make translation easier
There are also changes to align with ISO’s harmonized approach:
- Restructuring of the numbering
- A requirement to define the processes necessary to operate the ISMS (Information Security Management System) and its interactions
- A specific requirement to communicate within the organization about roles relevant to information security
- A new point 6.3 – Planning of changes
- A new requirement to ensure the organization determines how communication is managed as part of point 7.4
- New requirements to establish criteria for operational processes and to monitor control over those processes
The most significant changes in this revision are found in Annex A and reflect the updates in ISO/IEC 27002:2022. These changes include:
- The structure is now divided into four core areas (instead of 14 in the previous edition):
  - Organizational,
  - People,
  - Physical,
  - Technological
- The number of controls has decreased from 114 to 93
- Some controls have been merged, some removed, new ones introduced, and others updated.
- The concept of “attributes” has been introduced
- The five attributes are as follows and align with common terminology in digital security:
  - Control Type,
  - Information Security Properties,
  - Cybersecurity Concepts,
  - Operational Capabilities,
  - Security Domains.