Transitioning to the Updated ISO 27001:2022 Framework

June 22, 2022
ISO 27001 is the leading international standard focused on information security that was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System.

What is the ISO 27001 Framework all about?

Each day we see organizations push the boundaries of technology. With no sign of this slowing down, standards and policies must shape these evolving industries to ensure organizations remain secure as they move to the future. An organization can gain confidence as they scale by aligning with the ISO 27001 framework, which allows them to prevent or reduce real-world information security incidents by implementing a risk-based approach to their security program.

The International Organization for Standardization (ISO) created the Information Security Management standard in 2005 to ensure organizations can effectively handle data security and guide them to establish and maintain an effective ISMS. ISO 27001 has become increasingly popular in recent years due to the rise of data breaches and the severe impact caused by the incidents within an organization.

The focus of this framework is to protect the availability, integrity, and confidentiality of sensitive information that may exist within an organization. As the international standard that provides requirements for an information security management system (ISMS), ISO 27001 is seen as a vital piece of any security program.

Why Would an Organization Adopt the ISO 27001 Framework?

Every organization wouldn’t answer this question the same. As mentioned earlier, ISO 27001 is to prevent or reduce real-world information security incidents. While this framework certainly would mitigate risk across an entire organization, still in 2022, it is common to find ulterior motives pushing an organization to align with this framework. 

Customer or Prospect Pressure: How organizations evaluate the cost of doing business nowadays is much different than in years past. Today it is critical to consider the inherent risk associated with an organization. One way to “prove you’re less risky” is by showing current customers or prospects that you have aligned with the ISO 27001 framework. It becomes a way to communicate that your organization understands the importance of protecting sensitive information and that you have a robust process to ensure you continue to do so throughout the engagement. 

New Markets: As an organization scales, it’s expected they will begin identifying new markets their product or service can penetrate. Depending on the geographic location, it may be required that the organization is aligned to a framework such as ISO 27001 to ensure they have the proper systems in place to remain secure. 

Competitive Advantage: Many factors come into play when evaluating a new partner. In 2022, a great way to distinguish your organization is to align with ISO 27001, which will show your prospects that you have excellent security assurances. 

Value of Security: ISO 27001 was designed in response to the increase in breaches organizations were experiencing. While we completely understand the motivations of the three factors above, the real reason to align with this framework should be to reduce risk and exposure.


What Changed with the Recent Update?

ISO 27001 has only been updated in 2013 since its original release in 2005. Due to the fast-growing technology space, risks and threats also rapidly evolve; therefore, it was time for the International Standards of Organization to update the framework once more to address cybersecurity risks and better align to current high-risk sources such as third-party risk management and cloud security. 

The new framework still follows the continuous improvement principle, which is best shown by the fact that the 4-10 section was relatively untouched. This section has the common clauses such as the scope, interested parties, context, information security policy, risk management, resources, training and awareness, communication, document control, monitoring and measurement, internal audit, management review, and corrective actions. Each of these ensures the effective operation of the Plan, Do, Check, Act (PDCA) cycle.

Only the security controls listed in Annex A have changed, which means that the number of controls decreased from 114 to 93 and was placed into four sections instead of the previous 14. While none of the controls were deleted, many got merged, and 11 new controls were added, which are: 

  • Threat intelligence
  • Information security for the use of cloud services 
  • ICT readiness for business continuity 
  • Physical security monitoring 
  • Configuration management
  • Information Deletion
  • Data Masking
  • Data leakage prevention
  • Monitoring Activities 
  • Web Filtering 
  • Secure Coding 

These specific controls were added to the framework to reflect today’s world and organizations’ threats and vulnerabilities. To better understand the applicability of these controls, the framework structure incorporates these controls into the following sections:

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)
  • Annex A – Using attributes
  • Annex B – Correspondence with ISO/IEC 27002:2013

Each control has elements that will help justify and better understand the use of controls in your environment. This provides a standardized way to sort and filter controls against different views to address the needs of other groups.

Attributes options for each control are as follows:

  • Control types: Preventive, Detective, and Corrective
  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
  • Security domains: Governance and ecosystem, Protection, Defense, and Resilience
Compyl workflow automation

How can an Organization Transition to the Updated ISO 2022 Version?

The transition period for these changes is not published yet, but it will probably be two years starting from the date of the official update. Since the changes to the new framework are relatively moderate, only documentation level changes should be made rather than technology level. Documents such as the Statement of Applicability (SOA), your risk assessments, and policies should be updated to reflect the control changes, in case needed, in your control environment.

While there are a few ways to do this, the best way to handle this type of migration would be to have a mapping sequence that manages the entire transition process. This type of functionality is part of Compyl and allows an organization to grow confidently while adapting quickly to industry requirements, expansion, and other needs. Compyl is an extension of your organization’s information security team as a continuous improvement solution, providing the expertise and guidance when needed.

For more information on ISO 27001, the recent update to the framework, or other information security questions, reach out to one of our experts today.

By clicking “Accept”, you agree to the use of cookies on your device in accordance with our Privacy and Cookie policies