What are the main changes?
The changes affect Annex A of ISO 27001. The most important changes are listed below:
1. The arrangement of chapters has been changed;
From 14 chapters with management measures to a clearer division into 4 chapters:
- Organizational
- Staff
- Physical
- Technology
This was done to more clearly link management measures to appropriate responsibilities.
2. Controls have been merged;
Some of the controls from the ISO 27001:2017 standard have been merged, making Annex A more compact and general. Of the 114 controls in total, 93 now remain. This is a step toward a more future-proof standard.
3. 11 new management measures have been added;
The updated measures respond to modern trends, such as the now-common use of "cloud services," "secure coding" and "data masking."
4. The introduction of attributes for controls;
Attributes, or properties, have been added to the controls. This is a way to categorize the controls. The added attributes are:
- Type (preventive, detective or corrective);
- IS properties (availability, integrity or confidentiality);
- Five functions of cybersecurity (identify, protect, detect, respond and recover);
- Operational capability (e.g., business continuity and data protection);
- Security domain (Defense, Resilience, Protection, Governance and Ecosystem).
Associated standards
In addition to impacting the ISO 27001 standard, the change affects other standards. Consider:
- NEN 7510: Information security for the healthcare sector;
- BIO: Baseline Information Security for the (Dutch) Government;
- BIC: Baseline Information Security for (Housing) Corporations;
- ISO 27701: Privacy information management;
- ISO 27017: Specific risks and controls for customers ("cloud service customer") and providers ("cloud service provider") of cloud services; and
- ISO 27018: Cloud providers that process personal data.
How might these changes affect your organization?
If your organization is already certified to ISO 27001, there will be no short-term impact. There is a transition period of a few years for already certified organizations. This means that the full audit cycle can be completed using the current version of the standard. This transition period starts when ISO 27001 is officially updated.
For organizations without ISO 27001 certification, it is wise to take the new 27001 standard into account during implementation; this can save you a lot of work in the future.
Conclusion
In short, with a rapidly changing subject like information security, it was high time for an update to the ISO standard. ISO 27001:2022 is more future-proof and thus takes more account of the pace of innovation. This therefore requires more of your organization's own interpretation of the standard's requirements. In addition, by expanding the categorization mechanisms, there are more opportunities to clarify which management measures lead to which output, in the field of information security.
In terms of actions to be taken now, I can reassure you: nothing needs to be done right now. As soon as the 27001 standard is amended, a few more years will follow in which your organization can make the necessary adjustments to your ISMS, and only then will it become a hard requirement for ISO 27001 certification. Should you wish to obtain an ISO 27001 certificate now, it is valuable to set up the ISMS so that you can easily move to the upcoming version. For example, instead of the 14 chapters, you could already start working in the 4-chapter structure with the categorization attributes of ISO 27001:2022.
For the clarity of your ISMS, ISO 27001:2022 is definitely a positive influence. The Transition Scan ISO 27001:2022 helps your organization adapt the management system to comply with the new standard.