Upgrading to ISO/IEC 27001:2022 from ISO/IEC 27001:2013
We Can Help You With
- Preparing your scoping statement
- Communication and training strategy
- Preparing a current-state ISO 27001 program
- Program and project management
- Remediation of missing controls
- External audit
- Ongoing support
What is ISO27001:2022?
ISO/IEC 27001 has been updated to address global cybersecurity challenges and improve digital trust. In today's increasingly digital world, securing information assets is crucial, and the world's best-known standard for information security management helps. The following summary covers some of the fundamental changes to the standard so that organisations can identify the key areas they need to review in order to either re-certify against ISO/IEC 27001:2013 or re-certify against ISO/IEC 27001:2022.
What Has Changed
- New Annex numbering restructure (mapping to the new clauses)
- The requirement to define processes needed for implementing the ISMS and their interactions
- The explicit requirement to communicate organisational roles relevant to information security within the organisation
- New clause 6.3 – Planning of Changes
- A concept of attributes has been introduced
- A new requirement to ensure the organisation determines how to communicate as part of clause 7.4
- New requirements to establish criteria for operational processes and implement control of the processes
The New Categories
The control categories have been consolidated from 14 to 4:
- People (8 controls) – controls that concern individual people
- Organisational (37 controls) – controls that concern the organisation
- Technological (34 controls) – controls that concern technology
- Physical (14 controls) – controls that concern physical objects
What Are The Changes to Annex A Controls in ISO/IEC 27001:2022
The total number of controls has been consolidated from 114 to 93.
Some controls have been deleted, others merged, and 11 new security controls have been added:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Therefore, you should update your information security management system (ISMS) to optimise it and better align it with the context of your information security risks.
New attributes for controls
- Control type (preventive, detective, or corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (for example governance, identity and access management, legal and compliance)
- Security domains (defence, governance and ecosystem, protection and resilience)
Table of All ISO 27001:2022 Annex A Controls
Achieving ISO 27001 certification can be a complex process, but there are several key steps that organisations can take to help ensure a successful outcome. The most important steps to follow when pursuing ISO 27001 certification are:
Conduct a gap analysis: The first step is to assess the organization's current security posture and identify any gaps between the existing controls and the requirements of ISO 27001. This will help to determine the scope of the certification project and highlight any areas that need improvement.
Develop an information security management system (ISMS): An ISMS is a framework of policies and procedures that governs how the organization manages and protects its sensitive information. This system should be designed to align with the ISO 27001 standard and must be implemented and maintained throughout the organisation.
Conduct a risk assessment: A risk assessment helps identify potential threats and vulnerabilities to the organization's sensitive information. This assessment will help to determine the appropriate risk treatment strategies and controls to implement to mitigate those risks.
Develop and implement security controls: Based on the results of the risk assessment, the organization should develop and implement appropriate security controls to protect its sensitive information. This includes physical, technical, and administrative controls.
Train and educate employees: Employees play a critical role in maintaining the security of the organization's sensitive information. It's essential to provide regular training and education to ensure that employees understand their responsibilities and are aware of the risks associated with handling sensitive data.
Conduct internal audits: Regular internal audits are an essential part of the ISO 27001 certification process. These audits help to ensure that the ISMS is being implemented effectively and that the security controls are working as intended.
Engage an accredited certification body: Finally, the organization should engage an accredited certification body to perform an independent assessment of the ISMS and verify that it meets the requirements of the ISO 27001 standard.
Benefits of ISO/IEC 27001:2022 certification
Not having the certification is becoming a competitive disadvantage
How can we help Superannuation and Responsible Entities?
Our expertise can help you every step of the way:
- Understand what is involved and define the scope.
- Implementation of controls.
- Internal audit and enhancement.
- External audit.
- Certification.