This standard not only provides companies with the tools required to protect their most valuable information, but also gives them a way to tell partners and customers that they safeguard all the data that comes their way. The standard is also applicable to individuals.
The three primary objectives of this standard are:
- Confidentiality
- Integrity
- Availability
This standard specifies an Information Security Management System (ISMS): a structured series of activities that manage information security risks. This overarching framework evaluates and addresses the full range of information risks faced by a business.
These arrangements are fine-tuned according to the needs of the moment and are continually kept abreast of the threats and vulnerabilities affecting the system.
The framework also helps management identify threats and resolve them. The key attributes of this standard are its ability to keep pace with the changing IT landscape and to identify solutions just as quickly.
- Security Policy: This addresses management support, commitment, and direction in accomplishing the information security goal.
- Organization of Information Security: This elaborates the requirement for a management framework that creates and manages the security infrastructure, including outsourcing.
- Asset Management: This addresses the way assets are classified, handled and stored.
- Human Resources Security: This addresses an organisation’s ability to mitigate the risk inherent in human interactions, including staffing, training and security responsibilities.
- Physical & Environmental Security: This addresses mitigating the risks that come with the organisation’s premises and the capacity of the physical infrastructure to protect the company’s assets.
- Communication & Operations Management: This addresses an organisation’s ability to ensure correct and secure operation of its assets, including configuration, change management and administration.
- Access Control: This addresses the organisation’s ability to control access to assets based on business and security requirements.
- Information Systems Acquisition, Development and Maintenance: This addresses the company’s ability to ensure that appropriate information system security controls are both incorporated and maintained.
- Information Security Incident Management: This addresses the company’s ability to record, investigate and take corrective measures for security breaches.
- Business Continuity Management: This addresses the company’s ability to counteract interruptions to normal operations caused by disasters.
- Compliance: This addresses the organisation’s ability to remain in compliance with regulatory, statutory, contractual and security requirements.
This certification comes with several unique benefits. Given the level of protection it provides for a business’s data and information systems, these benefits stand the business in good stead:
- It helps keep all information secure end-to-end
- It gives customers and stakeholders confidence that your brand can manage the risk that comes with handling large volumes of information
- It helps create a secure channel for the exchange of information
- It helps a business comply with other regulations in its sector
- It gives the business a competitive edge over market peers
- It increases customer retention through consistent delivery of services
- It helps mitigate risk exposure and builds a security-aware company culture
- It protects the company, its assets and all stakeholders
The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is taken directly from ISO/IEC 27002:2022. That catalog of general security controls was published in February 2022, so the changes to Annex A of ISO/IEC 27001:2022 had been foreseeable for some time. Previously, Annex A included a total of 114 controls that could be used to address information security risks, grouped under 35 control objectives organized into 14 clauses.
Apart from the fact that the new ISO/IEC 27001:2022 eliminates the control objectives, the information security controls in Annex A have been revised, brought up to date, reorganized, and supplemented with some new controls.
The former 14 clauses of Annex A are now organized under the following four topics:
- A.5 Organizational controls (37 controls)
- A.6 Personal controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technical controls (34 controls)
Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 controls are new:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Deletion of information
- A.8.11 Data masking
- A.8.12 Data leak prevention
- A.8.16 Activity monitoring
- A.8.23 Web filtering
- A.8.28 Secure coding
While Annex A of ISO/IEC 27001:2022 is limited to naming the controls, the ISO/IEC 27002:2022 implementation guide provides further options for categorizing them. There, each control is assigned five attributes that allow different views and perspectives on the controls. The attributes and their values can be used to filter, sort, or display the controls for different organizational views.
The five attributes are:
- Control type: views the controls from the perspective of when and how a measure changes the risk related to the occurrence of an information security incident (for example, preventive, detective or corrective).
- Information security properties: views the controls from the perspective of which protection goal (confidentiality, integrity or availability) the measure is intended to support.
- Cybersecurity concepts: views the controls from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110.
- Operational capability: views the controls from the perspective of their operational information security capabilities and supports a practitioner’s view of the measures.
- Security domains: views the controls from the perspective of four information security domains.
This standard applies to all businesses today. Contrary to popular perception, this is not a certification specific to the IT industry; it applies to every business that handles a large volume of data.
This includes all industrial and service sectors. Considering the sheer amount of data these sectors handle, having an ISO 27001:2022 certification is crucial.
This standard can also be very helpful for public sector units (PSUs). Given the amount of sensitive data a PSU handles, this could be a pivotal certification for improving the overall efficiency of the organisation. The same holds for government organisations, which can also benefit greatly from receiving this certification.
Similarly, this certification is highly applicable to the education sector, the healthcare sector, the IT sector, and any small, medium or large business organisation.