Insights Into The Revised ISO/IEC 27001:2022
Altenar, a sportsbook software provider, is excited to present an overview of the new standard (ISO/IEC 27001:2022) published on October 25, 2022 and how this standard is improved to address the ever-evolving security challenges being faced by organisations.
ISO 27001 describes the framework for an information security management system. Changing cyber threats and new vulnerabilities continue increasing the risks relating to confidentiality, integrity and availability. The new version of the standard enhances the focus on managing these risks.
One benefit of the updated controls in ISO/IEC 27001:2022 is that they are clearly defined and easy to identify. This makes it simpler to choose which controls to implement, potentially reducing the overall effort required for compliance. It can also improve the efficiency and effectiveness of your ISMS by allowing better integration of security processes.
The mandatory clauses of the 2013 version, clauses 4 to 10, have received only minor changes and a few additional requirements. The significant update, however, is in the Annex A control set, which has been aligned with the latest ISO 27002 publication. The controls have been reduced from 114 to 93: 11 are new, 24 controls have been merged, and 58 have updated descriptions and guidance.
The 93 controls have been consolidated into four key areas:
1. A.5 Organisational controls
2. A.6 People controls
3. A.7 Physical controls
4. A.8 Technological controls
Organisations need to review and compare the new information security controls to their current controls. This review process will result in updates to risk management plans and changes to the Statement of Applicability (SoA) to account for the new or updated controls.
Information about the transition to the new published standard
Because ISO/IEC 27001:2022 is not a “fully revised edition”, the IAF (International Accreditation Forum, Inc.) does not require immediate transition for organisations already certified to, or pursuing certification against, the 2013 revision of ISO 27001. Certified organisations will need to transition to the new revision within 36 months from the last day of the publication month of ISO/IEC 27001:2022, that is, by October 31, 2025.
IAF MD 26 sets out the following minimum objectives for certification bodies, along with a minimum of 0.5 auditor days to confirm the transition plan of each certified organisation:
- Gap assessment of the organisation’s system against the 2022 revision of ISO 27001
- Review of the updated statement of applicability, inclusive of the new set of 93 controls
- Review of risk treatment plans, especially where those plans were designed around Annex A controls used to mitigate identified risks
- Assessment of the implementation and effectiveness of newly adopted controls
You can discover more about transitioning from the official IAF MD 26.