SCHEDULE A CALL
Show all

New ISO/IEC 27001 Standard is Now Live

New Update, 27001:2022, Replaces 2013 as Organizations Renew Certifications

In October 2022, the long-awaited update of the international standard for Information Security Management Systems, ISO/IEC 27001:2022, was released by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO and IEC are based in Geneva, Switzerland, and are responsible for the original 27001 standard, published in 2005, and its update in 2013. They update the standard periodically to reflect advances in security technologies and new cyberthreats.

The new ISO-IEC 27001 standard was released in 2022Earlier this year, ISO/IEC 27002:2022 was released, updating an important supplement to the 27001 standard that provides a reference set of information security controls and implementation guidance. These new documents have substantially updated—and will ultimately replace—the previous 27001:2013 standard and its 27002:2013 supplement.

To assist organizations who are considering adopting the standard or preparing to renew, this article highlights the primary changes from 2013 to 2022. 24By7Security maintains current versions of these resources as a foundation for our popular ISO/IEC 27001 Readiness Services.

ISO/IEC 27001 Certification

Adoption is Voluntary. ISO/IEC 27001 is a leading, globally accepted standard for securing and protecting sensitive data, with more than 33,000 organizations certified to the standard as of 2019. Like several other cybersecurity frameworks, such as NIST CSF and HITRUST, use of this standard is voluntary. Compliance is not required by law or regulation.

However, many security and privacy regulations require processes, procedures, policies, and controls that are found in these voluntary frameworks. Adopting one of the frameworks, and obtaining certification, can make it much easier to prove compliance with the regulations that apply to your business.

Organizations who adopt the ISO/IEC 27001 standard normally choose to have their adoption certified. Certification must be renewed every three years.

Certifications in Progress. Currently, some organizations are in the process of renewing their certifications to the previous standard, 27001:2013. This is because they began the renewal process well before the new 2022 update was available.

Rather than changing horses in midstream, which in the Old West was a complicated and dangerous action, the ISO/IEC recommend completing your renewal to the 2013 standard. Then, plan to update to 27001:2022 in three years, as part of your next renewal. For this purpose, 27001:2013 continues to be a viable and widely adopted framework for information security management systems.

New Adopters. Organizations who are considering implementing the standard for the first time should adopt the new ISO/IEC 27001 standard released in 2022.

Benefits of 27001 Adoption and Certification

As with most information security and cybersecurity programs, certifying your information security management system against the ISO/IEC 27001 standard provides several benefits.

  • The new ISOIEC 27001 standard offers several information security benefitsProves to stakeholders that your organization takes its security seriously. This is important for shareholders and other investors as well as for suppliers and contractors, executives and employees.
  • Demonstrates to customers, clients, and patients that you have taken globally accepted steps to keep their personal information secure and confidential and to protect their privacy. This helps reduce a customer’s need to audit your security program periodically.
  • Makes your organization, its intellectual property, and other sensitive data more secure against cybercrime and security threats and vulnerabilities.
  • Helps you avoid regulatory scrutiny, complaints about security and privacy, investigations, penalties, and fines associated with poor information security and potential data breaches.

In addition, by requiring regular risk assessments, the 27001 standard reminds you to update your information security management system and other security programs periodically—to guard against new and emerging cyberthreats and take advantage of new technologies.

Primary Changes from 2013 to 2022

The new ISOIEC 27001 standard consolidates controls into 4 main categories

The new 2022 version consolidates many security controls into fewer categories, eliminates some controls, and adds new controls. It streamlines the standard, which should make it easier to understand and implement.

Category Changes. Below is a summary of category changes from 27001:2013 to 2022, including changes to the number of itemized controls per category. These are presented in the order in which they appear in the new ISO/IEC 27001 standard.

  • The Asset Management category, with its 10 controls, and the Access Controls category, with 14 controls, have been eliminated. They have been replaced by the Organizational Controls category, with 37 itemized controls.
  • Cryptography, with its two controls, is now People Controls, with eight.
  • The category Physical and Environmental Security, with 15 controls, has been replaced by the Physical Controls category, with 14 controls.
  • Operational Security, with 14 controls, is now the Technological Controls category, with 34 controls.

Category Removals. In addition, these six categories have been removed from the new standard: Communications Security; System Acquisition, Development and Maintenance; Supplier Relationships; Information Security Incident Management; Information Security Aspects of Business Continuity Management; and Compliance. However, many of the controls in these categories have been moved into the new 2022 categories, particularly Organizational Controls and Technological Controls.

New Controls. Three of the new or newly named categories reflect brand new controls, as follows:

  • Organizational Controls features three new controls: Threat intelligence; Information security for the use of cloud services; and ICT readiness for business continuity. ICT refers to Information and Communications Technology.
  • The Physical Controls category now includes a Physical security monitoring control.
  • Finally, the Technological Controls category adds seven all-new controls, including: Configuration management; Information deletion; Data masking; Data leakage prevention; Monitoring activities; Web filtering; and Secure coding.

Clearly, the new ISO/IEC 27001 serves to reduce the number of information security controls, rename and reduce the categories of controls, and in general streamline the framework for implementing an up-to-date information security management system.

To be effective, cybersecurity must be a dynamic process that is able to adapt to evolving threats and vulnerabilities, advances in security technologies, and changes to an organization’s landscape. And while it may not be convenient to have to reassess and update our information security management systems periodically, it is essential to protecting our information assets, and the assets of those who trust us.

Summary

Information security management systems are fundamental elements of cybersecurity programs operated by government agencies, non-profits, and private and public businesses. The international standard for creating, implementing, maintaining, and continuously improving an information security management system is known as ISO/IEC 27001. After eight years, the standard has been updated and was released on October 25, 2022. Its important supplement, ISO/IEC 27002, has also been updated and was released on February 15, 2022.

The ISO 27001 standard has been adopted by more than 33,000 organizations, many of whom use it as a framework for compliance with HIPAA, the GDPR, and other regulatory requirements. The NIST Cybersecurity Framework is an example of a similar tool for these purposes. Organizations who adopt the standard may choose to be certified by credentialed third parties as a means of demonstrating their security focus to various stakeholders.

For those looking to adopt the new ISO/IEC 27001 standard, 24By7Security can help you prepare. Resources are also offered on the ISO/IEC website.

Learn More About ISO 27001

Sanjay Deo
Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.

Related posts

November, 29 2022
November, 22 2022
November, 15 2022

Comments are closed.

Securing South Florida Startups
Healthcare Sector Warned of New Ransomware Attacks in Joint Alert from FBI, CISA & HHS
Subscribe to our Blog!