Thursday, April 25 2024

News on ISO 27001 version 2022: Information security management systems - Requirements

13/10/2023

ISO 27002 version 2022 was published on March 15, 2022.

ISO 27001 version 2022 was published in October 2022.

The ISO 27001 version 2022 standard replaces the 2013 version.

Choosing to set up an information security management system makes it possible to:

  • guarantee the confidentiality, integrity, availability and traceability of information
  • reduce information security risks
  • seize opportunities for continual improvement

 

Requirements of the ISO 27001 standard version 2022

Quiz on the requirements of ISO 27001 version 2022

The online course T 24v22 ISO 27001 readiness version 2022 and its free demo without registration

The online course T 44v22 Internal audit ISO 27001 version 2022 and its free demo without registration

The training pack T 74v22 ISO 27001 pack readiness and internal audit version 2022

TRANSITION REQUIREMENTS FOR ISO/IEC 27001:2022 published by IAF MD 26:2022

1. THE 10 CLAUSES ACCORDING TO THE HIGH-LEVEL STRUCTURE (AND THEIR PLACE IN THE PDCA CYCLE):

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context (P)
  5. Leadership (P, D, C, A)
  6. Planning (P)
  7. Support (P, D)
  8. Operation (D)
  9. Performance (C)
  10. Improvement (A)

Annex A (normative): Information security controls reference

2. DIFFERENCES WITH THE 2013 VERSION

  • the security controls in annex A derive from the ISO 27002 version 2022 standard:
    • 93 controls instead of 114
    • 4 types of controls (instead of 14):
      • organizational
      • people
      • physical
      • technological
    • 11 new controls:
      • threat intelligence (A.5.7)
      • information security for use of cloud services (A.5.23)
      • ICT readiness for business continuity (A.5.30)
      • physical security monitoring (A.7.4)
      • configuration management (A.8.9)
      • information deletion (A.8.10)
      • data masking (A.8.11)
      • data leakage prevention (A.8.12)
      • monitoring activities (A.8.16)
      • web filtering (A.8.23)
      • secure coding (A.8.28)
    • 23 controls slightly changed
    • 57 controls merged into 24
  • the relevant requirements of the interested parties are to be dealt with by the ISMS (§ 4.2)
  • new sub-clause for change planning - planning of changes (§ 6.3)
  • § 7.4 now specifies how to communicate instead of who should communicate
  • requirement added to establish criteria for the processes of clause 6 (§ 8.1)
  • addition of controlling externally provided processes, products and services (§ 8.1)
  • the results of the monitoring, measurement, analysis and evaluation methods must be comparable and reproducible (§ 9.1)
  • changes in the needs and expectations of interested parties must be taken into consideration in the management review (§ 9.3)

3. THE REQUIRED DOCUMENTED INFORMATION (PROCEDURES, POLICIES AND RECORDS)

  • procedures (documented information to maintain, available):
    • information treatment (A.5.10)
    • information classification (A.5.12)
    • labeling (A.5.13)
    • information transfer (A.5.14)
    • identity management (A.5.16)
    • authentication (A.5.17, A.8.5)
    • access rights (A.5.18, A.8.33)
    • supplier relationships (A.5.19, A.5.20)
    • ICT supply chain (A.5.21)
    • incidents (A.5.24, A.5.26, A.5.23, A.5.27, A.6.4)
    • evidence collection (A.5.28)
    • business continuity (A.5.30, A.5.29)
    • intellectual property (A.5.32)
    • records (A.5.33)
    • protection of personally identifiable information (A.5.34)
    • procedures (A.5.37)
    • screening (A.6.1)
    • awareness and training (A.6.3)
    • event reporting (A.6.8)
    • storage media (A.7.10)
    • user endpoint devices (A.8.1)
    • access restriction (A.8.3)
    • access to source code (A.8.4)
    • malware (A.8.7)
    • management of technical vulnerabilities (A.8.8)
    • backup (A.8.13)
    • redundancy of facilities (A.8.14)
    • monitoring activities (A.8.16)
    • privileged utility programs (A.8.18)
    • installation of software (A.8.19)
    • network security (A.8.20, A.8.21, A.8.22, A.8.24)
    • use of cryptography (A.8.24)
    • coding (A.8.28)
    • change management (A.8.32, A.8.9)
  • policies:
      • information security (§ 5.2, A.5.1)
      • acceptable use of information (A.5.10)
      • information classification (A.5.12)
      • information transfer (A.5.14)
      • access control (A.5.15, A.5.18, A.8.2)
      • access rights (A.5.18)
      • supplier relationships (A.5.19)
      • use of cloud services (A.5.23)
      • intellectual property (A.5.32)
      • protection of records (A.5.33)
      • protection of personally identifiable information (A.5.34)
      • compliance with regulations and standards (A.5.36)
      • employment contract (A.6.2)
      • awareness and training (A.6.3)
      • remote working (A.6.7)
      • clear desk and clear screen (A.7.7)
      • storage media (A.7.10)
      • user endpoint devices (A.8.1)
      • technical vulnerabilities (A.8.8)
      • information backup (A.8.13)
      • logging (A.8.15)
      • use of cryptography (A.8.24)
  • records (documented information to retain, available):
      • external and internal issues (§ 4.1)
      • list of interested parties (§ 4.2)
      • scope (§ 4.3)
      • job descriptions (§ 5.3, A.5.2)
      • risk treatment plan (§ 6.1.1)
      • criteria for risk acceptance (§ 6.1.2)
      • criteria for risk assessment (§ 6.1.2)
      • statement of applicability (§ 6.1.3)
      • plan to achieve objectives (§ 6.2)
      • change management plan (§§ 6.3, 8.1)
      • provided resources (§ 7.1)
      • competence development plan (§ 7.2)
      • awareness enhancement plan (§ 7.3)
      • communication improvement plan (§ 7.4)
      • list of documented information (§ 7.5.3, A.5.37)
      • documented information of external origin (§ 7.5.3)
      • codification of documents (§ 7.5.3)
      • process monitoring (§ 8.1)
      • results of risk assessment (§ 8.2)
      • results of risk treatment (§ 8.3)
      • results monitoring and measurement (§ 9.1)
      • audit program (§ 9.2)
      • audit report (§ 9.2)
      • management review (§ 9.3)
      • ISMS improvement plan (§ 10.1)
      • nature of nonconformities (§ 10.2)
      • results of corrective actions (§ 10.2)
      • commitment to security rules (A.5.4)
      • notification of authorities (A.5.5)
      • asset inventory (A.5.9)
      • rules for using assets (A.5.10, A.5.11)
      • classification plan (A.5.12)
      • information transfer (A.5.14)
      • registration and de-registration (A.5.16)
      • user engagement (A.5.17, A.6.6)
      • password (A.5.17, A.8.5)
      • access distribution (A.5.18)
      • access rights review (A.5.18)
      • information security with suppliers (A.5.19)
      • supplier contract (A.5.20)
      • supplier performance (A.5.22)
      • supplier service changes (A.5.22)
      • incident management plan (A.5.24)
      • incident register (A.5.24, A.5.26)
      • information security event (A.5.25)
      • list of evidence (A.5.28)
      • business continuity plan (A.5.29)
      • list of requirements (A.5.31)
      • list of licenses (A.5.32)
      • protection of records (A.5.33)
      • results of security reviews (A.5.35)
      • corrective action report (A.5.36)
      • terms and conditions of employment (A.6.1)
      • training program (A.6.3)
      • certificate of attendance (A.6.3)
      • disciplinary rules (A.6.4)
      • breach of contract rules (A.6.5)
      • confidentiality agreement (A.6.6)
      • security for remote working (A.6.7)
      • security perimeters (A.7.1)
      • visitor access (A.7.2)
      • protection of equipment (A.7.5, A.7.8, A.7.7)
      • removal of assets (A.7.9, A.7.10)
      • waste inventory (A.7.10, A.7.14)
      • protection of storage media during transport (A.7.10)
      • emergency contacts (A.7.11)
      • cabling security (A.7.12)
      • equipment maintenance (A.7.13)
      • mobile device security (A.8.1)
      • wireless connection (A.8.1)
      • privileged accesses (A.8.2, A.8.18)
      • capacity management plan (A.8.6)
      • protection against malware (A.8.7)
      • technical vulnerability register (A.8.8)
      • configuration register (A.8.9)
      • information deletion (A.8.10)
      • backup plan (A.8.13)
      • event logs (A.8.15)
      • monitoring (A.8.16)
      • synchronization (A.8.17)
      • privileged authorizations (A.8.18)
      • network protection (A.8.20)
      • web filtering (A.8.23)
      • cryptographic keys (A.8.24)
      • applications (A.8.26)
      • engineering principles (A.8.27)
      • secure coding (A.8.28)
      • test plan (A.8.29)
      • environments (A.8.31)
      • change request (A.8.32, A.8.3)

4. REQUIRED PROCESSES

    • manage assets (A.5.9, A.5.11)
    • manage identities (A.5.16)
    • manage authentication (A.5.17, A.8.5)
    • distribute access (A.5.18, A.7.2, A.8.2, A.8.7)
    • assess risks (A.5.19, A.5.21)
    • treat risks (A.5.19, A.5.21)
    • control outsourced processes (A.5.19, A.8.30)
    • manage supplier security (A.5.19, A.5.20, A.5.22)
    • meet security requirements (A.5.20, A.5.23, A.5.26)
    • manage ICT supply chain (A.5.21, A.8.23)
    • manage cloud services (A.5.23)
    • manage incidents (A.5.24, A.5.25, A.5.7)
    • manage business continuity (A.5.30, A.5.29)
    • maintain regulatory watch (A.5.31)
    • review information security (A.5.35)
    • manage the employment contract (A.6.1, A.6.2, A.6.5)
    • apply discipline (A.6.4, A.6.6, A.6.7)
    • manage technical vulnerabilities (A.8.8)
    • manage configuration (A.8.9, A.8.32)
    • delete information (A.8.10, A.8.13)
    • inspect (A.8.16)
    • manage networks (A.8.20)
    • use cryptography (A.8.24, A.7.14)
    • develop (A.8.25)
    • test (A.8.29)
    • manage changes (A.8.32, A.6.8)
    • audit (A.8.34)

5. ON THE CONTENT

  • the terms documented procedure and record are replaced by the following (rather confusing) wording:
    • available as documented information
    • documented information must be available
    • retain documented information
    • be kept up to date in the form of documented information
  • no process mapping requirement
  • controls A.5.35 and A.8.34 are redundant with the requirements of sub-clause 9.2
  • no requirement on staff satisfaction, perception, valuation and recognition
  • no preventive action