Insights Into The Revised ISO/IEC 27001:2022


Altenar, a sportsbook software provider, is excited to share an overview of the new ISO/IEC 27001:2022 standard — published on October 25, 2022 — and how it improves the ability to address the ever-evolving security challenges facing organizations today.


ISO 27001 defines the framework for an information security management system (ISMS). As cyber threats and vulnerabilities continue to evolve, so do the risks to confidentiality, integrity, and availability. The new version of the standard enhances the focus on managing these risks more effectively.


One of the key benefits of using the updated controls outlined in ISO/IEC 27001:2022 is that they are clearly defined and easily identifiable. This simplification helps streamline control selection, potentially reducing the effort required to achieve compliance. It can also enhance the overall efficiency and effectiveness of your ISMS by allowing for better integration of security processes.


The core mandatory requirements outlined in clauses 4 to 10 of the 2013 version have undergone minor changes and include a few new additions. However, the most significant update lies in the Annex A control set, which has now been aligned with the latest ISO 27002 publication. The number of controls has been reduced from 114 to 93. Of these, 11 are entirely new, 24 have been merged, and 58 have updated descriptions and guidance.


The 93 controls have been consolidated into four primary categories:


1. A.5 Organizational controls

2. A.6 People controls

3. A.7 Physical controls

4. A.8 Technological controls


Organizations are encouraged to review and compare the new information security controls against their existing ones. This evaluation will guide updates to risk management plans and adjustments to the Statement of Applicability (SoA) to reflect any new or revised controls.


Information About the Transition to the New Published Standard


Since ISO/IEC 27001:2022 is not considered a “fully revised edition,” the International Accreditation Forum (IAF) does not require immediate transition for organizations already certified under or currently pursuing ISO/IEC 27001:2013. Certified organizations will need to complete the transition to the 2022 revision within 36 months of its publication — by October 31, 2025.


IAF MD 26 outlines the following minimum objectives for certification bodies, along with a requirement of at least 0.5 auditor days to validate the transition plan for certified organizations:


  • Conducting a gap assessment of the organization’s ISMS against the 2022 revision of ISO 27001
  • Reviewing the updated Statement of Applicability, including the new set of 93 controls
  • Reviewing risk treatment plans — particularly where existing plans are based on Annex A controls used to mitigate identified risks
  • Assessing the implementation and effectiveness of newly adopted controls


You can learn more about the transition process by referring to the official IAF MD 26 document.


