ISO/IEC 27001:2022 brings relevant updates in ISMS framework and structure
ISO/IEC 27001:2022 introduces substantial changes to the ISMS framework and structure. With these changes coming into effect, the earlier standards, i.e. ISO/IEC 27001:2013, ISO/IEC 27001:2013/Cor 1:2014 and ISO/IEC 27001:2013/Cor 2:2015, are withdrawn. This will have a significant impact on future ISO certifications and recertifications. ISO/IEC 27001:2022 primarily provides a reference set of controls for Information Security, Cybersecurity and Privacy Protection, along with implementation guidance. Organizations are required to use the standard to:
- Secure information in all forms, including paper-based, cloud-based and digital data
- Increase resilience to cyber-attacks
- Provide a centrally managed framework that secures all information in one place
- Ensure organization-wide protection, including against technology-based risks and other threats
- Respond to evolving security threats
- Reduce costs and spending on ineffective defence technology
- Protect the integrity, confidentiality and availability of data
The requirements specified in Clauses 4 to 10 have changed slightly, and compliance with them is mandatory in order to claim conformity to the revised standard. The security controls listed in Annex A have been updated. As per ISO 27002:2022, published in February 2022, the controls are grouped into four themes: Organizational controls, People controls, Physical controls, and Technological controls. In the now withdrawn standard, they were grouped into 14 domains. The controls have been consolidated from the earlier 114 down to 93. Most of the controls are updated, a few are merged, and 11 new controls are added. Secure coding, Threat Intelligence, and Information Security for use of cloud services are among the new controls. The standard also introduces five attributes, Control types, Information Security Properties, Cybersecurity concepts, Operational capabilities, and Security domains, with their respective values assigned to each control.
10xDS helps companies in Gap Analysis to map out and understand the differences between the current controls in place and the best practices, prioritize the most relevant controls for each company and industry type, devise plans to implement controls and support the IT/Security team in implementation of controls and integration of the organizations’ security capabilities and ISMS.