Normative changes in ISO/IEC 27001:2022
A very significant change is the addition, in Clause 4.4 (within Clause 4, Context of the organization), of the requirement to identify the processes necessary for the ISMS, and their interactions, that are required for its implementation and maintenance. This explicit requirement brings ISO/IEC 27001:2022 in line with the best-practice approach of other management systems that follow the Harmonized Structure (HS, formerly High-Level Structure, HLS). The information security management system must be based on established, traceable processes and their interactions. The Annex A information security controls are then designed and adapted around these processes.
The next relevant change, in Clause 8.1, also emphasizes the importance of process orientation, which is common to all HS-based management systems. Organizations must establish processes as part of their operational planning and control in order to implement the measures needed to manage information security risks. What is new is that criteria for these processes must now be defined, and process control must be implemented in accordance with those criteria.
Further, rather minor clarifications and specifications have been made in the following clauses:
- Clause 5.3 is supplemented by the explicit requirement that the responsibilities and authorities for roles related to information security are made known within the organization.
- Clause 7.4 regulates the need for internal and external communication regarding the ISMS. In addition to the still applicable provisions on what to communicate, when, and with whom, the requirement on how to communicate is a workable simplification of the previous requirements.
- Clause 9.2 Internal Audit and Clause 9.3 Management Review have been adapted to the Harmonized Structure. Clause 9.2 is now subdivided into 9.2.1 and 9.2.2, and Clause 9.3 into 9.3.1, 9.3.2 and 9.3.3.
- The order of Clause 10.1 and Clause 10.2 has been adapted to the Harmonized Structure. The prospective aspect of continual improvement (now Clause 10.1) precedes the retrospective handling of nonconformities and corrective actions (now Clause 10.2), without any further change in content. This adjustment emphasizes the importance of the continuous improvement process (CIP).
The key and unambiguous requirements in ISO/IEC 27001 that reference the set of controls in Annex A are, according to Clause 6.1.3 c), the comparison process between the organization-specific information security controls with those in Annex A and, according to Clause 6.1.3 d), the preparation of a Statement of Applicability (SoA). These core requirements remain unchanged!
The explanations in the informative (non-normative) notes to Clause 6.1.3 c), which refer to Annex A as a list of possible information security controls, indicate that additional controls may be selected from further sources to supplement Annex A.
The new Annex A of ISO/IEC 27001:2022
The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is taken directly from ISO/IEC 27002:2022. That catalog of general security controls was published in February 2022, so the changes to Annex A of ISO/IEC 27001:2022 have been foreseeable for some time. Previously, Annex A included a total of 114 controls that could be used to address information security risks, grouped under 35 control objectives organized into 14 clauses.
Apart from the fact that the new ISO/IEC 27001:2022 eliminates the control objectives, the information security controls in Annex A have been revised, brought up to date, reorganized, and supplemented with some new controls.
The former 14 clauses of Annex A are now focused on the following 4 topics:
- A.5 Organizational controls (37 controls)
- A.6 People controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technological controls (34 controls)
Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 are new:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
While Annex A of ISO/IEC 27001:2022 is limited to naming the controls, the ISO/IEC 27002:2022 implementation guide provides further options for categorizing them. There, each control is assigned five attributes that allow different views and perspectives on it. The attributes, or their attribute values, can be used to filter, sort, or display the controls for different organizational views.
The five attributes are:
- Control type views the controls from the perspective of when and how a measure changes the risk related to the occurrence of an information security incident.
- Information security properties views the controls from the perspective of which protection goal the measure is intended to support.
- Cybersecurity concepts views the controls from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110.
- Operational capabilities views the controls from the perspective of their operational information security capabilities and supports a practitioner's view of the measures.
- Security domains views the controls from the perspective of four information security domains.