
ISO 27001 / ISO 27002: Updated Standard

04 Feb

Introduction


Blog By:  Trupti Thakur

The long-awaited ISO/IEC 27001:2022 was published on 25 October 2022. Its most important updates are major changes to Annex A (the control set, which now follows the restructured ISO/IEC 27002:2022) and minor updates to the management-system clauses.

  1. Main Changes in the Standard

  Detail                              ISO 27001:2013   ISO 27001:2022
  Clauses                             11               11
  Annex A controls                    114              93
  Annex A domains (now "themes")      14               4

 

  2. Control Groups (Annex A themes)

  Control group                 Count
  A.5 Organizational controls   37 controls
  A.6 People controls           8 controls
  A.7 Physical controls         14 controls
  A.8 Technological controls    34 controls
  Total                         93 controls

 

  3. Control Group Changes (2013 to 2022)

  Change type                   Count
  Merged controls               57 controls
  New controls                  11 controls
  Deleted controls              3 controls
  Controls with no changes      35 controls

 

  4. Transition Timelines

  Transition detail                                                           Timeline
  Certification against the 2013 revision remains possible                     Until 31 October 2023
  Certification against the new 2022 revision is possible                      From 25 October 2022
  Organizations certified against the 2013 revision must transition to 2022    By 31 October 2025

Controls

a) Merged Controls (57)

  2022 control                                                                  2013 controls merged
  5.1  Policies for information security                                        5.1.1, 5.1.2
  5.8  Information security in project management                               6.1.5, 14.1.1
  5.9  Inventory of information and other associated assets                     8.1.1, 8.1.2
  5.10 Acceptable use of information and other associated assets                8.1.3, 8.2.3
  5.14 Information transfer                                                     13.2.1, 13.2.2, 13.2.3
  5.15 Access control                                                           9.1.1, 9.1.2
  5.16 Identity management                                                      9.2.1, 9.4.3
  5.17 Authentication information                                               9.2.4, 9.3.1, 9.4.3
  5.18 Access rights                                                            9.2.2, 9.2.5, 9.2.6
  5.22 Monitoring, review and change management of supplier services           15.2.1, 15.2.2
  5.29 Information security during disruption                                   17.1.1, 17.1.2, 17.1.3
  5.31 Legal, statutory, regulatory and contractual requirements                18.1.1, 18.1.5
  5.36 Compliance with policies, rules and standards for information security   18.2.2, 18.2.3
  6.8  Information security event reporting                                     16.1.2, 16.1.3
  7.2  Physical entry                                                           11.1.2, 11.1.6
  7.10 Storage media                                                            8.3.1, 8.3.2, 8.3.3, 11.2.5
  8.1  User endpoint devices                                                    6.2.1, 11.2.8
  8.8  Management of technical vulnerabilities                                  12.6.1, 18.2.3
  8.15 Logging                                                                  12.4.1, 12.4.2, 12.4.3
  8.19 Installation of software on operational systems                          12.5.1, 12.6.2
  8.24 Use of cryptography                                                      10.1.1, 10.1.2, 18.1.5
  8.26 Application security requirements                                        14.1.2, 14.1.3
  8.29 Security testing in development and acceptance                           14.2.8, 14.2.9
  8.31 Separation of development, test and production environments              12.1.4, 14.2.6
  8.32 Change management                                                        12.1.2, 14.2.2, 14.2.3, 14.2.4

Note that a few 2013 controls (9.4.3, 18.1.5 and 18.2.3) appear under more than one 2022 control in this table, so the rows add up to more than the 57 distinct controls that were merged.

 

 

b) Deleted Controls (3)


  2013 control
  8.2.3   Handling of assets
  11.2.5  Removal of assets
  16.1.3  Reporting information security weaknesses

 

c) New Controls (11)

  5.7 Threat intelligence
  • Establish objectives for threat intelligence
  • Identify, vet and select internal and external information sources
  • Process the information collected
  • Analyse the information
  • Communicate and share the results

  5.23 Information security for use of cloud services
  • Establish and communicate a topic-specific policy on the use of cloud services
  • Information security requirements for cloud services
  • Selection criteria and scope of cloud service use
  • Roles and responsibilities
  • Information security capabilities and controls provided by the cloud service provider
  • Management of multiple cloud services
  • Incident management
  • Monitoring, reviewing and evaluating the ongoing use of cloud services
  • Exit strategy
  • Risk assessment associated with each cloud service
  • Agreement requirements with the cloud service provider

  5.30 ICT readiness for business continuity
  • Organizational structure for ICT continuity
  • ICT continuity plans, including response and recovery procedures
  • Performance and capacity specifications
  • Recovery time objectives (RTO) and recovery point objectives (RPO)

  7.4 Physical security monitoring
  • Guards, intruder alarms, video monitoring, etc.
  • Access restrictions to the monitoring systems
  • Tamper-proof monitoring systems
  • Testing of the monitoring systems
  • Local laws and regulations, including data protection and PII protection legislation

  8.9 Configuration management
  • Define and implement processes and tools to enforce the defined configurations
  • Roles and responsibilities
  • Standard templates
  • CMDB or configuration templates
  • Monitoring and review of configurations
  • Manual or automated corrective actions

  8.10 Information deletion
  • Deletion method
  • Record the results as evidence of deletion
  • Third-party agreements should include an information deletion clause on termination
  • Also applicable to cloud service providers

  8.11 Data masking
  • Data masking, pseudonymization or anonymization
  • Access on a need-to-know basis
  • Data obfuscation
  • Obfuscation techniques
  • Legal or regulatory requirements (e.g. PCI DSS)

  8.12 Data leakage prevention
  • Data identification and classification
  • Monitor channels
  • Act to prevent information from leaking

  8.16 Monitoring activities
  • Monitoring scope
  • Monitoring sources
  • Baselines
  • Monitoring system configuration
  • Monitoring tools

  8.22 Web filtering
  • Block IP addresses or domains of concern
  • Acceptable usage policy
  • Training on appropriate use of online resources

  8.28 Secure coding
  • Establish and apply minimum secure baselines
  • Approved principles for secure coding
  • Secure coding practices
  • Prohibit insecure design techniques
  • Static application security testing
  • Protect source code from unauthorized access
  • Updates should be securely packaged and deployed
  • Security of external tools and libraries
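What control 8.9 above asks for in practice, as an added example that is not part of the original post or of the standard: a baseline ("standard template") for one configuration file, a check of the effective configuration against it, and an automated corrective action. The file format (OpenSSH sshd_config), the BASELINE values, the OPENSSH_DEFAULTS table and the sample file are all assumptions made for this demonstration.

```python
"""Added example, not code from the original post or from ISO: checking a host
configuration against a defined baseline and correcting drift, the activity
ISO/IEC 27002:2022 control 8.9 describes (standard templates, monitoring and
review of configurations, manual or automated corrective action).

Assumptions (not from the page): the configuration is an OpenSSH sshd_config,
BASELINE is one organization's hardening template, OPENSSH_DEFAULTS are the
assumed upstream defaults for the directives in that template, and the sample
file below is constructed for this demonstration.
"""

# Standard template: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Values sshd uses when a directive is absent (assumed upstream defaults).
OPENSSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed sample: one deviation, one commented-out directive, one setting
# that only applies inside a Match block, one directive missing entirely.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase name: value}.

    sshd keeps the first value it reads for a directive, treats names
    case-insensitively, ignores lines starting with '#', and everything after
    the first 'Match' line is conditional, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def check_drift(baseline, effective, defaults):
    """Compare effective values (or defaults when absent) to the baseline."""
    findings = []
    for directive, required in baseline.items():
        actual = effective.get(directive.lower(), defaults.get(directive))
        if actual is None or actual.lower() != required.lower():
            findings.append({"directive": directive, "required": required, "actual": actual})
    return findings


def remediate(text, baseline):
    """Corrective action: rewrite deviating lines in place and add missing
    directives before any Match block, so that they apply globally."""
    lowered = {d.lower(): d for d in baseline}
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key = line.split(None, 1)[0].lower()
            if key == "match":
                out.extend(f"{d} {v}" for d, v in baseline.items() if d.lower() not in seen)
                seen.update(lowered)
            elif key in lowered:
                indent = raw[: len(raw) - len(raw.lstrip())]
                raw = f"{indent}{lowered[key]} {baseline[lowered[key]]}"
                seen.add(key)
        out.append(raw)
    out.extend(f"{d} {v}" for d, v in baseline.items() if d.lower() not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for f in check_drift(BASELINE, current, OPENSSH_DEFAULTS):
        print(f"DRIFT {f['directive']}: required {f['required']!r}, actual {f['actual']!r}")
    print(remediate(SAMPLE_SSHD_CONFIG, BASELINE))
```

Two details matter for the "monitoring and review" bullet: a directive that is merely commented out falls back to the software default, which may not be the secure value, and a directive that appears only inside a Match block does not count as the global setting. Both show up as drift in the sample run.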

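Controls 8.12 and 8.11 above are easiest to understand together, so here is one added example (not from the original post or from ISO) that does what their bullets describe: identify and classify data in outbound messages, monitor a channel, act on a leak, and mask or pseudonymize the data that is allowed through. The choice of payment card numbers as the classified data, the channel names, the sample messages and the PSEUDONYM_KEY are all constructed for this demonstration.

```python
"""Added example, not code from the original post or from ISO: a minimal
data-leakage check covering ISO/IEC 27002:2022 control 8.12 (identify and
classify data, monitor channels, act to prevent leaks) together with 8.11
(mask or pseudonymize the data that may legitimately leave).

Assumptions (not from the page): the classified data is payment card numbers
(PANs), the channel names, sample messages and PSEUDONYM_KEY below are
constructed for this demonstration, and "payment-gateway" is the only channel
approved to carry cardholder data.
"""
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

APPROVED_CHANNELS = {"payment-gateway"}

# Throwaway key; a real deployment keeps this in a KMS or HSM, because
# anyone holding it can recompute (and so correlate) the pseudonyms.
PSEUDONYM_KEY = b"example-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; separates PANs from order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit-only PANs in text that pass Luhn (the identification step of 8.12)."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Masking for display: keep the first 6 and last 4 digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pseudonymize(pan: str) -> str:
    """Keyed pseudonym for analytics or logs. An unkeyed SHA-256 of a PAN is
    not anonymization: the Luhn-valid 16-digit space is about 10^15 values,
    which an attacker can enumerate, so a secret key (HMAC) is required."""
    return hmac.new(PSEUDONYM_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def inspect(channel: str, text: str) -> dict:
    """Classify one outbound message on a channel and decide the action."""
    pans = []

    def _redact(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # looks like a PAN but is not one: leave it
        pans.append(digits)
        return mask_pan(digits)

    redacted = PAN_RE.sub(_redact, text)
    if not pans:
        return {"classification": "public", "action": "allow",
                "redacted": text, "pseudonyms": []}
    return {
        "classification": "cardholder-data",
        "action": "allow" if channel in APPROVED_CHANNELS else "block",
        "redacted": redacted,  # safe to put in an alert or log
        "pseudonyms": [pseudonymize(p) for p in pans],
    }


if __name__ == "__main__":
    # Constructed sample traffic: (channel, message)
    SAMPLES = [
        ("email", "Card 4111-1111-1111-1111 for order 1234567890123"),
        ("payment-gateway", "Card 5500 0000 0000 0004 approved"),
        ("chat", "Call me on 4111 1111 1111 1112"),  # fails Luhn: not a PAN
    ]
    for channel, msg in SAMPLES:
        r = inspect(channel, msg)
        print(f"{channel:16} {r['action']:5} {r['redacted']}")
```

The Luhn check is what keeps a pattern-based DLP rule from flagging every 13-to-19-digit number, and the redacted text is what should reach an analyst's alert; the pseudonym, not the PAN, is what goes into any analytics that must still correlate transactions.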
 
