The New ISO 27001 2022 Version, Explained for the Cloud
Cloud Security Analyst at Cyscale
Wednesday, November 23, 2022
In October 2022, the new ISO 27001:2022 was released. This version brings considerable changes compared with the previous ISO 27001. Let's examine them and understand what they might mean for your company.
The Changes
1. The structure of the standard has changed.
Instead of 14 clauses in Annex A that categorized the controls, ISO 27001:2022 groups all controls into four themes:
- People (8 controls),
- Organizational (37 controls),
- Technological (34 controls),
- Physical (14 controls).
2. Some controls have been merged or renamed.
ISO 27001:2022 contains 93 controls instead of 114. Let's look at examples of controls that have been modified. The two controls
- A.18.1.1 Identification of applicable legislation and contractual requirements, and
- A.18.1.5 Regulation of cryptographic controls
have been merged into:
- A.5.31 Legal, statutory, regulatory and contractual requirements.
An example of a control whose content remained the same but which has been moved to a different section is:
- A.18.1.2 Intellectual property rights.
It now appears as:
- A.5.32 Intellectual property rights.
3. New controls have been added
Below, you can see the list of the 11 new controls added to Annex A of the ISO 27001:2022 standard.
- Threat intelligence (A.5.7)
- Information security for the use of cloud services (A.5.23)
- ICT readiness for business continuity (A.5.30)
- Physical security monitoring (A.7.4)
- Configuration management (A.8.9)
- Information deletion (A.8.10)
- Data masking (A.8.11)
- Data leakage prevention (A.8.12)
- Monitoring activities (A.8.16)
- Web filtering (A.8.23)
- Secure coding (A.8.28)
A notable control is A.5.23, "Information security for the use of cloud services", because cloud security now has a dedicated control. This preventive control is designed to keep risk at a minimum and to regulate the management and use of cloud services such as AWS, Azure, and Google Cloud. It covers confidentiality, integrity, and availability.
4. Controls have attributes
According to IT Governance, controls can now be categorized by five attributes, each with the following values:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
Using these attributes, your company can organize the controls based on their scope.
What does this mean to a CISO?
An ISO 27001 certification is valid for three years, and a certification against the old version of the standard remains valid until it expires. Companies therefore have a three-year transition period in which to recertify and become compliant with the new version of ISO 27001. This means that, at the latest, companies must recertify before the 31st of October 2025.
The process of obtaining ISO 27001 certification is time-consuming and difficult. However, Cyscale can make this task easier.
Cyscale helps you become compliant with international standards by providing hundreds of controls that help you secure your cloud environment, ensure you have implemented the requirements for international standards, and also aid you when going through audits.
Sabrina Lupsan merges her academic knowledge in Information Security with practical research to analyze and strengthen cloud security. At Cyscale, she leverages her Azure Security Engineer certification and her Master's in Information Security to keep the company's services at the leading edge of cybersecurity developments.