What are the 11 new controls implemented by ISO/IEC 27001:2022 ?
Discover the ISO 27001 new controls, they are 11, and have been implemented in October 2022. Implement these 11 new controls before your next audit !
Detailed explanation of the latest changes to the ISO 27001:2022 controls: 11 new controls, 4 categories instead of 14, and the introduction of 5 attributes.
ISO 27001 is an international standard for information security. It was published in 2015 to help organizations establish, implement, maintain and improve their information security management system (ISMS).
Information security has become a major issue for companies, especially with the exponential growth of cyber attacks, so more and more companies are implementing the standard in order to set up an effective information security management system.
ISO 27001 is a standard that frames the ISMS, so more and more companies are becoming certified in order to manage their information security risks.
Today there are more than 58,000 certified companies, of which more than 16% are in the information technology sector. (These figures are from 2021 and have therefore probably increased significantly since then.)
In this article, we will see what the standard is and we will detail more precisely the subject of ISO 27001 controls.
According to the International Organization for Standardization:
“ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.”
The certification establishes a set of standards to be used in your company to meet six essential objectives:
Improved information security:
ISO 27001 certification enables an organization to implement an information security management system (ISMS) that complies with international standards, ensuring that information is handled securely and therefore reducing the company’s vulnerability to cyber attacks. According to Afnor, 89% of certified companies estimate that they have fewer security incidents.
Strengthening stakeholder confidence:
Stakeholders such as customers, business partners and investors are often reassured by ISO 27001 certification as it demonstrates the organization's commitment to information security.
Holding the certification can also be a business argument against a competitor who does not have it, and can help build customer loyalty. In fact, 88% of the companies surveyed by Afnor recognize that certification has enabled them to retain customers who would otherwise probably have left them.
Improved security culture:
Having the certification in place promotes a culture of information security within the organization. Employees are made aware of these topics during the implementation of the standard, and by following the new processes afterwards they become more sensitive to them.
A complete SWOT analysis conducted by the University of East London gives an overview of the strengths, weaknesses, opportunities and threats of implementing ISO 27001 in your company.
The standard is separated into two distinct parts.
Part 1: 11 clauses to oversee the implementation of your ISMS
The first part consists of the 11 clauses below, which provide a framework for establishing the policies, procedures and practices necessary to protect the organization's sensitive information and ensure its confidentiality, integrity and availability.
Part 2: Appendix A
This appendix provides a list of information security controls that organizations can use as a basis for implementing their information security management system.
It is designed to help organizations identify the appropriate security controls to implement to achieve their ISMS objectives.
This list has been recently updated.
The standard was updated in October 2022, with the main change being in Appendix A.
Previously, in the ISO 27001:2013 version, Annex A was composed of 114 controls distributed across the 14 categories listed below.
Before 2022, the standard had last been updated in 2013. In those 9 years the world of information has evolved drastically, and the standard had to update its control set to match current field reality.
The first major change is the ISO 27001 controls list: previously 114 controls, there are now 93 in the 2022 standard. Of the 114 controls, 35 remain unchanged, 23 have been renamed, 57 have been merged into 24 (for clarity), and 11 new security controls have been created.
The 11 new controls created correspond to these different items: Threat Information, Information Security for Cloud Services, ICT Readiness for Business Continuity, Physical Security Monitoring, Configuration Management, Information Deletion, Data Masking, Data Leakage Prevention, Monitoring Activities, Web Filtering, Secure Encryption.
Secondly, these controls are now categorized into 4 different categories:
1 - Organizational controls (37 controls)
2 - People controls (8 controls)
3 - Physical controls (14 controls)
4 - Technological controls (34 controls)
Finally, the update introduces five attribute categories for security controls:
Each security control is assigned one or more values of each of the five attributes.
The effect of this change is to make the controls easier to group and sort, which helps you find the relevant controls to implement based on your needs. For example, if you want to implement controls related to governance, you can simply filter on this attribute value and you will have a list of relevant controls at your disposal.
Not all of the controls listed in Appendix A are mandatory to implement in your company. Appendix A is a catalogue from which you select the controls your company needs. The controls you decide to implement will depend on the risk assessment and risk treatment plan you produced in the previous phases of implementing the standard.
In an organization, the responsibility for implementing ISO 27001 controls typically falls on the information security management team. This team is responsible for implementing and maintaining an information security management system (ISMS) that conforms to the requirements of ISO 27001.
However, as we saw earlier, Appendix A is composed of four different categories of controls, and 34 of the 94 controls are related to information technology. Thus, to implement the controls in Appendix A optimally, other people with a field-level and company-wide view of the other three subjects (organizational, people and physical controls) must be involved in the implementation.
In addition, at least one member of a company's management must be involved in the implementation of this project. This member must be responsible for providing the resources, support and commitment necessary to ensure the success of the ISMS and the effective implementation of ISO 27001 security controls.
The set of controls to be put in place to meet ISO 27001 requirements can represent a significant amount of work. Imagine the workload of exercising these controls at fixed periods: never missing a control date, performing the control by hand, noting the result in a document and then analyzing all the results 🤯 This is simply too time-consuming for teams that would otherwise spend most of their time on these tasks.
With Trout Software, leverage compliance automation, for a compliance without sweat 🎣
Compliance automation refers to the use of technology to streamline and simplify compliance-related processes. The tool created by Trout Software, Security Hub, automates security controls within an organization: the execution of the control, its repetition, its result and the synthesis of all the controls are automated and centralized in Security Hub.
Our tool allows you to automate the playbook you have created, thanks to our scheduler.
The scheduler lets you choose the notebook you have just created and then set parameters according to the desired frequency of the controls.
You can set the frequency of the checks, the date and time of the first check you want to perform, and finally how often you want the check to be repeated.
Once you have set the parameters, you can click on "Schedule".
For each check, a red or green bar appears depending on whether the check returns an error or not.
This allows you to exercise controls regularly, to have a global view of each control over time, and thus to set up an ISO 27001 approach based on continuous improvement.
ISO 27001 provides a framework for establishing, implementing, maintaining and continually improving an ISMS, while ISO 27002 provides guidelines for implementing the controls specified in ISO 27001. ISO 27002 complements ISO 27001, but organizations cannot be certified against it.
ISO 27001 provides a framework for managing information security risks, while SOC 2 provides assurance that an organization has controls in place to protect the data it stores, processes, or transmits on behalf of its customers.
The cost of being certified to ISO 27001 can vary depending on a number of factors, such as the size and complexity of your organization, the scope of your ISMS, and the certification body you choose to work with.
Regular review and updating of the ISMS and its controls is necessary to ensure their effectiveness and relevance in addressing the organization's security risks. The frequency of these reviews depends on various factors such as organization size, complexity, scope of the ISMS, and risk profile. It is generally recommended to conduct a formal review of the ISMS and its controls at least once a year, and also when there are significant changes to the organization, its systems or processes, or the threat landscape. This will help ensure that the ISMS remains current and aligned with the organization's business objectives and security needs.
According to ISO: “New or recertification audits after October 2023 must be under the 2022 version.”
ISO 27001 was last updated in October 2022, representing the latest version.
The duration of ISO 27001 certification can vary depending on several factors, including the size and complexity of the organization, its existing information security practices, and the level of readiness for certification.
On average, the certification process takes between 6 and 12 months, but it can take longer in certain cases.