

Information security is constantly evolving, and to keep pace with the dynamic cyber threat landscape, standards such as ISO 27001 are regularly revised. The transition from ISO 27001:2013 to ISO 27001:2022 brings important changes, particularly to the controls organizations use to secure their information assets.
The revisions aim to address new threats, incorporate best practices and improve the overall effectiveness of the standard in protecting sensitive information. Let's take a look at some key changes to the controls:
Given the rapid pace of technological development, ISO 27001:2022 introduces controls that specifically address modern developments. New controls cover areas such as cloud security, mobile device management and new technologies such as blockchain.
In the 2022 version, there will be a greater focus on risk management across the ISMS.
ISO 27001:2022 is now more closely linked to other management system standards such as ISO 9001 (quality management) and ISO 14001 (environmental management).
This integration makes it easier for organizations to implement and maintain multiple management systems simultaneously.
In view of the interconnectedness of business processes, the new controls pay particular attention to supply chain security.
ISO 27001:2022 extends incident response controls and ensures that organizations are well prepared to detect, respond to and recover from security incidents.
Human factors continue to be a major source of vulnerabilities. The updated standard includes controls that further emphasize the importance of cybersecurity awareness and training for employees at all levels of the organization.
If your organization is currently certified to ISO 27001:2013, moving to the 2022 version will require a careful review and adaptation of your ISMS. It's important to conduct a gap analysis, update policies and procedures, and ensure your team is familiar with the 11 new controls.
But don't worry - we'll help you with the transition!

A 5.7 has been formulated to help organizations understand their threat environment. This should enable them to identify appropriate measures to maintain information security in response to the threats identified.
A 5.23 introduces a control that describes processes for the acquisition, use, management and termination of cloud services that are tailored to an organization's specific information security requirements. This control enables organizations acting as "customers of cloud services" to formulate and oversee the information security policies relevant to cloud services. It serves as a preventative measure to mitigate risk by establishing information security policies and procedures for commercial cloud services.
A 5.30 recognizes the critical role of ICT platforms and services in maintaining business continuity during disruptions or significant events.
Control 5.30 outlines an organization's recovery time objective (RTO) and business impact analysis (BIA) and describes the interplay between ICT services, these metrics and supporting controls.
A 7.4 requires organizations to use appropriate monitoring tools. This is essential to detect and prevent unauthorized entry by external and internal intruders into physically restricted areas.
A 8.9 covers configuration management: the configuration of hardware, software and networks, whether held in a standalone configuration file or in a collection of linked configurations, must be defined and managed. For example, a firewall's configuration file encapsulates the basic attributes the device uses to regulate inbound and outbound network traffic, including blocklists, port-forwarding rules, virtual LANs and VPN details.
A 8.10 requires organizations to securely delete data stored on internal servers, hard drives, arrays and USB drives when it is no longer needed. This obligation extends to data from employees, users, customers and the organization itself.
A 8.11 covers data masking, a protection technique used to protect sensitive data, especially personal data, beyond an organization's standard security controls such as access control.
The practice of data masking is often referenced in legal, statutory and regulatory guidelines that dictate the storage and access of employee, customer, user and vendor data.
A 8.12 addresses data leakage prevention. Data leaks are characterized by the unauthorized access, transmission or extraction of information by internal or external employees, systems or malicious entities targeting a company's information systems.
Organizations dealing with large amounts of data in various classifications on networked IT systems, applications and file servers are often faced with the problem of data leaks.
A 8.16 concerns effective network monitoring, which is a critical component of successful IT support and information security operations.
Organizations should implement a comprehensive information security and incident response strategy that covers all aspects. This includes a proactive monitoring approach to prevent incidents before they occur and the coordination of reactive measures when required.
A 8.23 additionally helps organizations mitigate security risks by preventing access to external websites with malicious content, which blocks threats such as malware infections at the source.
A 8.28 assists organizations in averting security risks and vulnerabilities resulting from inadequate software coding practices by establishing, implementing and evaluating secure software coding practices.
Information Security in Project Management expands on project management practices, emphasizing the integration of information security measures throughout the project lifecycle.
Technical Vulnerability Management includes two sub-clauses dealing with vulnerability management. These sub-clauses are divided into technical management and guidelines for the organization's approach to software installations.
Use of Cryptography enables organizations to maintain the confidentiality, integrity, authenticity and availability of information assets by properly applying cryptographic techniques and considering some special criteria.
Managing Information Security in the ICT Supply Chain serves as a preventative measure in the ICT supply chain. It ensures risk mitigation by establishing an "agreed level of security" between the parties involved.
Secfix is happy to support you with your ISO 27001 certification or transition!
Book a consultation with us!