The New ISO 27001 2022 Version, Explained for the Cloud

By Sabrina Lupșan
Wednesday, November 23, 2022

In October 2022, the new ISO 27001:2022 was released. This version brings considerable changes compared to the old ISO 27001. Let's examine them and understand what they might mean for your company.

The Changes 

1. The structure of the standard has changed. 

Instead of 14 clauses in Annex A that categorized the controls, ISO 27001:2022 groups all controls into four themes: 

  • People (8 controls), 
  • Organizational (37 controls), 
  • Technological (34 controls),  
  • Physical (14 controls). 

2. Some controls have been merged or renamed. 

ISO 27001:2022 contains 93 controls instead of 114. Let's look at examples of controls that have been modified. The two controls

  1. A.18.1.1 Identification of applicable legislation and contractual requirements, and
  2. A.18.1.5 Regulation of cryptographic controls

have been merged into a single control:

  1. A.5.31 Legal, statutory, regulatory and contractual requirements.

A control whose content remained the same but which has been moved to a different section is:

A.18.1.2 Intellectual property rights.

It is now numbered:

A.5.32 Intellectual property rights.

3. New controls have been added 

Below, you can see the list of the 11 new controls added to Annex A of the ISO 27001:2022 standard. 

  1. Threat intelligence (A.5.7) 
  2. Information security for the use of cloud services (A.5.23) 
  3. ICT readiness for business continuity (A.5.30) 
  4. Physical security monitoring (A.7.4) 
  5. Configuration management (A.8.9) 
  6. Information deletion (A.8.10) 
  7. Data masking (A.8.11) 
  8. Data leakage prevention (A.8.12) 
  9. Monitoring activities (A.8.16) 
  10. Web filtering (A.8.23) 
  11. Secure coding (A.8.28) 

A notable control is A.5.23, “Information security for the use of cloud services”, since cloud security now has a dedicated control. This preventive control is designed to keep risk at a minimum and to regulate the management and usage of cloud services such as AWS, Azure, and GCP. It covers all three information security properties: confidentiality, integrity, and availability.

4. Controls have attributes 

According to IT Governance, controls can now be categorized based on five different attributes, with the values listed below:

  • Control type (preventive, detective, corrective) 
  • Information security properties (confidentiality, integrity, availability) 
  • Cybersecurity concepts (identify, protect, detect, respond, recover) 
  • Operational capabilities (governance, asset management, etc.) 
  • Security domains (governance and ecosystem, protection, defense, resilience) 

Using these attributes, your company can filter and group the controls according to their scope, for example to see at a glance which controls are detective or which address availability.

What does this mean to a CISO? 

The ISO 27001 certification has a three-year validity, and a certificate issued against the old version of the standard remains valid until it expires. Therefore, companies have a three-year transition period to recertify and become compliant with the new version of ISO 27001. This means that, at the latest, companies must recertify before the 31st of October 2025.

The process of obtaining the ISO 27001 certification is time-consuming and difficult. However, you can make this task easier with Cyscale. 

Cyscale helps you become compliant with international standards by providing hundreds of controls that help you secure your cloud environment, ensure you have implemented the requirements for international standards, and also aid you when going through audits. 
