ISO 27001 is one of the most widely recognized security standards for private-sector organizations across the globe and is often required by enterprise clients. Compliance with ISO 27001 can help organizations unlock new business by proving to potential customers that their data will be protected, and it is often a prerequisite for RFPs. However, ISO 27001 can be difficult to operationalize. In this post, we’ll briefly outline the structure of ISO 27001 and highlight the new control areas required by the ISO 27001:2022 standard.
What is ISO 27001?
ISO 27001 is probably the most recognized standard published by ISO, the International Organization for Standardization. ISO is an international nongovernmental organization that promotes international standards in technical and nontechnical fields. ISO 27001 itself is a nonregulatory compliance framework that allows companies to create what ISO calls an information security management system (ISMS). An ISMS is a way of building out a functional information security program through risk assessment and the implementation of security controls across a wide range of program areas. ISO 27001 was updated recently; the current version of the standard is referred to as ISO 27001:2022, and ISO-compliant organizations will be required to implement it by 2025.
How is ISO 27001 structured?
ISO 27001 can very broadly be broken into two key components:
- Clauses: ISO 27001 has a list of standards called clauses that define the core processes for building out your ISMS from an organizational and leadership perspective. These 10 clauses are further divided into subsections called “requirements” that break the clauses down into more concrete steps.
- Controls: ISO 27001 has a section called Annex A that lists the physical, logical, and environmental security controls that organizations must put in place in order to be ISO 27001 compliant. Among the additions in ISO 27001:2022 are new control groups (the categories ISO uses to segment controls into sections) and new individual controls. Data leakage prevention is one of the new controls specifically added to ISO 27001 and is required to be in place by 2025.
What are the 10 ISO 27001 Clauses?
The 10 clauses of ISO 27001 include:
- Terms and definitions
- Process approach impact
- Plan-Do-Check-Act cycle
- Context of the organization
- Performance evaluation
These clauses have mostly remained unchanged, with only minor additions in terminology in some subsections of the clauses.
What are the ISO 27001:2022 Annex A controls?
ISO 27001:2022 has 93 controls grouped into 14 control categories. This is a substantial change from ISO 27001:2013’s 114 controls, which were divided into 14 different control categories. Below are the control categories, with the controls that are new in ISO 27001:2022 listed as sub-bullets under the appropriate category.
Organizational (37 total controls)
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 5.7 Threat intelligence
People (8 total controls)
Physical (14 total controls)
- 7.4 Physical security monitoring
Technological (34 total controls)
- 8.1 Data masking (Nightfall helps with this!)
- 8.9 Configuration management
- 8.10 Information deletion (Nightfall helps with this!)
- 8.12 Data leakage prevention (Nightfall helps with this!)
- 8.16 Monitoring activities (Nightfall helps with this!)
- 8.23 Web filtering
- 8.28 Secure coding (Nightfall helps with this!)
Are there any other changes to ISO 27001?
The bulk of the changes made to the ISO 27001 standard are in the restructuring of Annex A and the addition of Annex B, which highlights how the security controls section of the standard has been reformatted. It’s worth having a look at Annex B if you already have a program in place for ISO 27001 compliance. You can also review our blog post on ISO 27001’s new data leakage prevention requirements.