ISO released new version of ISO/IEC 27001

The 2022 version of the information security management systems (ISMS) standard enables companies to improve understanding of current risk picture and implement necessary security control.

Information security is a topic rising on most company agendas. Between increased adoption of Cloud and automation technologies, artificial intelligence, cybersecurity, privacy, malware and ransomware, companies are forced to tackle new scenarios. This means re-assess their current risk picture and manage new threats in an active and structured way.

“The previous version of the standard came out in 2013. Much in the world has changed since then. The new version is most welcome in that it provides necessary security controls and guidance to help companies build trust in how they are working to protect business critical assets,” says Nanda Kumar Shamanna, global ICT service responsible in Business Assurance, DNV.

Main changes in 2022 version

Changes are mainly related to the information security controls in Annex A, anticipated by the publication of ISO/IEC 27002:2022 in February. 11 new security controls have been added, 58 are updated and 24 merged to reflect the new scenarios companies face. The control language has been refreshed and the guidance in ISO/IEC 27002 is updated to help companies manage risks, make sure nothing is missed and duly follow up. In addition to the changes in the controls, ISO/IEC 27001 is also re-aligned with the latest updates of ISO’s High Level Structure (HLS). However, these changes are considered minor, as the 2013-edition was one of the first standards to adopt the HLS.

The main areas of the management system that are impacted are leadership, corporate security, IT Function and other support functions. For service providers, delivery is impacted as well.

“The new version enables more effective risk management due to the updated security controls. It provides a structured approach for companies to reassess their current risk picture and re-establish security controls,” says Nanda Kumar Shamanna.

The transition timeline is set to 3 years, which means that existing certificates need to be transitioned to the new version before November 2025.