Normative changes in ISO/IEC 27001:2022
A very significant change concerns the context of the organization: Clause 4.4 now explicitly requires the organization to identify the processes needed for the ISMS and their interactions, as far as they are required for its implementation and maintenance. This explicit requirement brings ISO/IEC 27001:2022 in line with the best-practice approach of other management systems based on the Harmonized Structure (HS, formerly High Level Structure, HLS). The information security management system must be based on established, traceable processes and their interactions. The Annex A information security controls are then designed and adapted around these processes.
The next relevant change, in Clause 8.1, also emphasizes the process orientation that is common to all HS-based management systems. Organizations must implement processes as part of their operational planning and control in order to put the measures for managing information security risks into effect. What is new is that criteria for these processes must now be defined, and process control must be carried out in accordance with these criteria.
Further, rather minor clarifications and specifications have been made in the following clauses:
- Clause 5.3 is supplemented by the explicit requirement that the responsibilities and authorities for roles related to information security are made known within the organization.
- Clause 7.4 regulates the need for internal and external communication regarding the ISMS. In addition to the still applicable provisions on what, when, and with whom to communicate, the requirement is now simply "how" to communicate, a workable simplification of the previous requirements.
- Clause 9.2 Internal Audit and 9.3 Management Review have been adapted to the Harmonized Structure. Clause 9.2 is now subdivided into 9.2.1 and 9.2.2, Clause 9.3 is divided into three subdivisions 9.3.1, 9.3.2 and 9.3.3.
- The order of Clause 10.1 and Clause 10.2 has been adapted to the Harmonized Structure. Prospective continual improvement, now Clause 10.1, precedes the retrospective handling of nonconformities and corrective actions, now Clause 10.2, without any further changes in content. This adjustment emphasizes the importance of the continuous improvement process (CIP).
Another clarification relates to the selection of information security risk treatment measures in Clause 6.1.3 c). These are to be determined taking into account the results of the risk assessment and compared with the controls in Annex A. The approach itself remains unchanged. However, the explanatory note in the previous ISO/IEC 27001 referred to Annex A with the rather rigid statement that it contains a comprehensive list of control objectives and controls.
In the new ISO/IEC 27001:2022, this reference to Annex A can be understood as a list of possible information security controls that is more open and thus more flexibly applicable.
In a nutshell, Annex A of ISO/IEC 27001:2022 is still to be considered as a whole as part of the mandatory requirement in Clause 6.1.3 c), but the set of individual information security measures contained therein can be more flexibly selected, designed and extended by the user. The new version of ISO/IEC 27001 emphasizes here the opening of the management system framework for organization-specific sets of controls.
The new Annex A of ISO/IEC 27001:2022
The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is taken directly from ISO/IEC 27002:2022. That catalog of general security controls was published in February 2022, so the changes to Annex A of ISO/IEC 27001:2022 have been foreseeable for some time. Previously, Annex A comprised a total of 114 controls for addressing information security risks, grouped under 35 control objectives in 14 clauses.
Apart from the fact that the new ISO/IEC 27001:2022 eliminates the control objectives, the information security controls in Annex A have been revised, brought up to date, and supplemented and reorganized with some new controls.
The former 14 clauses of Annex A are now consolidated into the following 4 topics:
- A.5 Organizational controls (37 controls)
- A.6 People controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technological controls (34 controls)
Annex A of the new ISO/IEC 27001:2022 version now comprises a total of 93 controls, of which the following 11 controls are new:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
While Annex A of ISO/IEC 27001:2022 is limited to naming the controls, the ISO/IEC 27002:2022 implementation guide provides further options for categorizing them. There, each control is assigned five attributes that allow different views of and perspectives on the controls. The attributes and their attribute values can be used to filter, sort, or display the controls for different organizational audiences.
The five attributes are:
- Control type views the controls from the perspective of when and how a measure changes the risk related to the occurrence of an information security incident.
- Information security properties views the controls from the perspective of which protection goal the measure is intended to support.
- Cybersecurity concepts views the controls from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110.
- Operational capabilities views the controls from the perspective of their operational information security capabilities and supports a practitioner's view of the measures.
- Security domains views the controls from the perspective of four information security domains.