New version of the ISO/IEC 27001:2022 standard: why this standard is useful for IT companies and how to implement it

For many years, ISO certificates have been a must-have for IT companies, as they confirm the reliability of a business against international standards. During the war, as Western clients become more demanding of Ukrainian companies, such a guarantee matters even more.

One of the main IT standards, ISO/IEC 27001 for Information Security Management Systems, was updated in 2022. In this article we discuss the new version, how the standard and the ISO/IEC 27001 certificate benefit businesses, and how to implement it.

Why IT businesses need ISO certificates

ISO standards have been developed for many years by the International Organization for Standardization and can apply to various services and industries: from healthcare and energy consumption to cybersecurity. These standards are recognized worldwide. Based on them, certificates are developed that confirm compliance with these standards.

So, if a particular company or organization has ISO certification, for its international clients, contractors, partners, and investors, it’s analogous to a warranty card for the quality and reliability of its services. In short, the certificate is an indication that the business can be trusted, a document understood in any language of the world.

Each industry has its own ISO certificates. For IT, the most important standards are ISO/IEC 27701, ISO/IEC 20000-1 and ISO/IEC 27001. The latter, which covers the state of information security management, received an update in 2022. We will discuss this in more detail.

What is the ISO/IEC 27001 standard?

This standard emerged back in 1995 and has been developing, improving, and gaining popularity over time. According to the ISO Survey 2021, the number of issued certificates increased by 32% compared to 2020. Its latest version, ISO/IEC 27001:2022, was released recently on October 25, 2022.

Its full title is ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. It essentially characterizes the state of information security and cybersecurity in a company, as well as how the company protects confidential data. The family of security standards includes additional ones, for example:

  • ISO 27000 – Overview and vocabulary.
  • ISO 27002 – Information security management guidelines.
  • ISO 27003 – Guidance on the implementation of an information security management system.
  • ISO 27004 – Information security management.
  • ISO 27005 – Risk management.

However, the ISO/IEC 27001:2022 standard is fundamental for assessing the security state within a company. It is also the only one from the ISO 27001 family for which certification can be obtained.

For any bank, data center, IT, or online business, especially those dealing with large volumes of client data, such a certificate is an important indication that the company takes care of security and data protection.

What’s new in ISO/IEC 27001:2022?

ISO/IEC 27001:2022 generally describes the structure of the Information Security Management System (ISMS) for any company.

Risk management is key for the ISMS. New cyber threats arise almost daily, old ones evolve and become increasingly dangerous. Companies that want to protect their business processes and information need to be able to identify and manage such risks.

The updated standard addresses best practices for risk management. The list of information security control measures in Annex A of the new ISO/IEC 27001:2022 standard is fully derived from the revised ISO/IEC 27002:2022 guidelines. The security control measures catalog was published in February 2022, so changes to the list in the new standard had been anticipated for some time.

What are the main changes in this list?

Previously, Annex A included a total of 114 control measures (used to identify and eliminate security risks) within 35 control objectives, grouped into 14 sections. In the new ISO/IEC 27001:2022 standard, control objectives have been abolished, and the control measures have been revised, modernized, and supplemented. That is, the list of control measures in Annex A has become simpler and more up-to-date.

The previous 14 sections of the Annex are now organized into four main themes:

  • A.5 Organizational control measures (processes and policies): 37 measures;
  • A.6 Personnel control measures (people): 8 measures;
  • A.7 Physical control measures (physical): 14 measures;
  • A.8 Technical control measures (technological): 34 measures.

Overall, Annex A of the new version now contains 93 control measures, of which 11 are new:

  • A.5.7 Threat intelligence (cyber/cloud/DP);
  • A.5.23 Information security for cloud services (cloud);
  • A.5.30 ICT readiness for business continuity;
  • A.7.4 Physical security monitoring (physical);
  • A.8.9 Configuration management;
  • A.8.10 Information deletion (Data protection);
  • A.8.11 Data masking (DP);
  • A.8.12 Data leakage prevention (DP/Cyber);
  • A.8.16 Monitoring activities;
  • A.8.23 Web filtering (cyber);
  • A.8.28 Secure coding (Cyber & Application security).

Annex A is limited to a list of control measures. However, the ISO/IEC 27002:2022 implementation guide provides options for classifying them. Each control measure is given five attributes that can be used for filtering or sorting:

  • Control Measure Type. An attribute that views control measures from the perspective of how they affect information security risks.
  • Information Security Properties. An attribute that views control measures in terms of the security property they are intended to protect.
  • Cybersecurity Concepts. An attribute that relates control measures to the cybersecurity framework described in ISO/IEC TS 27110.
  • Operational Capability. An attribute that groups control measures by the information security capability they provide.
  • Security Domains. An attribute that assigns control measures to one of the four domains of information security.

How the ISO/IEC 27001 certificate can benefit businesses

Each year, cybercrime accelerates in terms of both the number and complexity of attacks and the potential damage to victims. According to the World Economic Forum, in 2021 cyberattacks increased by 125% globally, and this trend continued into 2022. Thus, companies should strategically address the security of their business, protection against cyber threats, and the protection of personal data.

The new version of ISO/IEC 27001 was developed specifically considering these new and dynamic threats. It is the world’s most renowned security standard, and for decades, it has been helping companies protect their information resources.

ISO/IEC 27001 helps to:

  • Protect information in all forms: paper, digital, or in the cloud.
  • Enhance business resilience to cyberattacks.
  • Guard against threats that are constantly evolving.
  • Implement a centralized framework for protecting all company information.
  • Reduce costs on ineffective security technologies.

How to obtain or update the ISO 27001 certificate

If a company intends to implement an information security management system according to the new version of the standard, it should:

  • Familiarize itself with the new version of the standard. The official version can be purchased on the ISO official website.
  • Undergo training on the updated ISO 27001 standard and train the team to help them understand the changes and implement them in their work.
  • Develop the necessary policies and procedures for the standard (e.g., information security policies and objectives, asset register, company information risk assessment, personnel management policy, physical security provision policy, IT management operational procedures, and many others).
  • Conduct an internal audit.

If a company wants to transition an existing ISO/IEC 27001:2013 certificate to the new version, it should:

  • Conduct a gap analysis of the risk control measures it currently applies against the ISO/IEC 27002:2022 control set.
  • Review the risk assessment, ensuring it aligns with the company’s objectives and with the latest cyber threat trends.
  • Review the evidence and reasoning for the inclusion or exclusion of controls and update its SoA (Statement of Applicability) accordingly. Implement the relevant changes based on the risk management plan and the new controls.
  • Validate the changes through an internal audit and ensure they have been effectively implemented.

At this stage, the ISO/IEC 27001 certificate can be updated. To do this, contact a representative of the certification body and schedule a transition audit to the new standard. Based on the audit results, the company can obtain the updated ISO/IEC 27001:2022 certificate.

Implementing the ISO 27001 standard helps businesses monitor and manage all risks associated with cyber threats and data protection. And for the company’s clients, partners, and investors, a confirmed certificate signals that the company adheres to the highest global security standards.

Can one transition to the new standard version and undergo ISO/IEC 27001:2022 certification in Ukraine?

Certainly, there are certification bodies in Ukraine as well, and there’s a substantial selection to choose from. It’s best to entrust this process to a company with a wide array of partners and a reputable market presence.

BALTUM Group of companies fits this description. Our main advantages include:

  • BALTUM collaborates with several certification bodies and partners with international firms such as UNICERT (German DAkkS accreditation), Swiss Approval (Switzerland, American IAS accreditation), URS (UK accreditation by UKAS), and others.
  • Our vast array of certification entities, with which we work directly in every local country, allows us to offer clients choices in both the certification body and the company’s preparation for certification.
  • We facilitate certifications worldwide, regardless of the company’s location or registration. Often, an IT business may operate in Ukraine but also have representatives in other countries. BALTUM covers all offices across various global locations.
  • A large team with diverse expertise in different standards (like ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 20000-1, ISO 9001) ensures all client needs, including specific ones, are met.
  • We have our own training center, where a management system or audit qualification can be acquired.
  • BALTUM consultants will assist in determining the best standard for your company. So, don’t hesitate; invest in ISO – it’s a guarantee for your business’s future.

In this article, we’ve endeavored to provide a comprehensive overview of the updated ISO/IEC 27001:2022 standard. If you still have questions, our leading auditor, Kyrylo Proskurnya, will analyze your business and gladly explain all the details. Kyrylo possesses extensive experience in the domain of ISO 27001, ISO 27701, ISO 9001 certification, and has aided dozens of IT firms in successfully navigating this intricate process.

Furthermore, if you and your company plan on undergoing training for the new version of the standard, developing and updating ISO 27001 documentation, or undergoing certification, apply now. BALTUM professionals will offer a personalized proposal and will support you up to successful certification.