Download ISO 27001 Checklist
ISMS ISO/IEC 27001
Organizations that are required to have advanced processes around security ought to consider ISO 27001 certification. Of the ISO 27000 series, ISO 27001 is the central foundation relating to information security management systems (ISMS). An ISMS is the framework of policies and procedures that include all legal, physical, and technical controls involved in an organization’s information risk management processes. ISO 27001 controls take an adequate and appropriate risk-based approach in providing ISMS implementation requirements, enabling organizations of any size to comfortably manage security assets.
ISO 27002 is a standard supplementary to ISO 27001 that focuses on information security controls organizations might choose to implement. Unlike ISO 27001, ISO 27002 is not a certification and addresses information security controls only.
Additional supplemental ISO 27001 ISMS standards include ISO 27701, a valuable privacy extension to ISO 27001 and ISO 27002. Similarly, extension ISO 27017 is centered around cloud services, and extension ISO 27018 involves PII processors.
Summary of Changes in ISO 27001:2022
ISO 27001:2022 was recently announced to update and replace ISO 27001:2013. The modernized 2022 replacement, intended to reflect almost a decade of growth, features only a few simple adjustments. Here’s an outline of the changes you’ll notice when reading through the ISO 27001:2022 requirements:
- No major changes to ISO 27001:2013 Mandatory Clauses 4 to 10.
- Controls (part of ISO 27002:2022) are now grouped into 4 main domains (Organizational, People, Physical, and Technological) instead of the previous 14.
- Hashtags can be utilized for easier reference and navigation.
- The security controls contained in Annex A have decreased from 114 to 93.
- New Organizational and Physical controls have been introduced. While no controls were deleted, many were merged, reducing the overall number of controls.
Control Additions to 27002:2022
The 11 control additions in ISO 27001:2022 pertain to the following items:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Activity monitoring
- Web filtering
- Secure coding
4 Steps to Meeting Revised Version
Follow these steps to update compliance processes in alignment with the new ISO 27001:2022 requirements and gain certification:
- Review the risk register and applied risk treatments to ensure alignment with the revised standard.
- Revise the Statement of Applicability (SoA) to align with the updated Annex A.
- Review and update documentation, including policies and procedures, to meet the new control requirements.
- Get audited against the new ISO 27001:2022 standard revision using a certified auditor, such as ControlCase.
Companies can voluntarily choose to certify against the ISO 27002:2022 revision as soon as they prefer. Any ISO 27001 audit that happens after October 2025 must be against the new version.
ISO Certification is valid for 3 years, with surveillance audits being required in years 2 and 3. Surveillance audits, unlike full system audits, are essentially mini audits assessing whether the certified client’s management system remains compliant with ISO 27001. ConrolCase will begin certifying companies for ISO 27001:2022 in mid-2023.
ControlCase Helps With Compliance Challenges
When it comes to maintaining full compliance and security, the traditional checklist approach is no longer sufficient. However, completing requirements beyond adherence to a checklist can easily strain already taxed company resources. Additionally, establishing and following a security compliance regimen takes time and can pull employees away from their core responsibilities.
ControlCase, an accredited and trusted auditor, establishes a partnership approach to help companies smoothly achieve compliance and certification. An increase in efficiency with a decrease in cost and burden is just a small aspect of what ControlCase clients enjoy about IT continuous compliance services.