
ISO/IEC 27001 - Information security

Today, information security is vital for organisations of all kinds. The confidentiality, integrity and availability of information have become strategic success factors in gaining the trust of customers, business partners and the public.

Summary

ISO/IEC 27001 is the globally applied standard for certifying an information security management system (ISMS). An ISMS protects information on the basis of an analysis of the business risks to its confidentiality, integrity and availability.

ISO/IEC 27001:2022 was published at the end of October 2022 without major changes to the main body of the standard. Because a standard should receive no more than two amendments (AMD) before being reissued, a complete 2022 edition was published instead of a further amendment.

The changes are found primarily in Annex A, the reference list of controls, which now follows the newly published ISO/IEC 27002:2022.

ISO/IEC 27001 follows the same high-level structure as ISO 9001:2015, but its subject is not the business processes themselves; it is the controls that ensure information security. An ISO 9001:2015-compliant management system is not a prerequisite, but it is the ideal foundation. Where it is missing, the processes in which the controls are embedded must still be described.

Development

History

The predecessor of ISO/IEC 27001:2013 is ISO/IEC 27001:2005, which was adopted almost unchanged from the British Standard BS 7799-2. As early as 1993, the Department of Trade and Industry (DTI) in the UK published a collection of best practices in information security, the Code of Practice, which became the British Standard BS 7799-1 in 1995. It quickly gained popularity in the English-speaking world, and with it the demand for a way to be certified against it. To meet this demand, BS 7799-2 was created as a catalogue of requirements against which an organisation could be certified. Although both standards were well regarded internationally, they remained the preserve of insiders until BS 7799-1 became ISO/IEC 17799 in 2000 and BS 7799-2 became ISO/IEC 27001 five years later. The plan was to create an entire family of standards for information security; as a first step, ISO/IEC 17799 was renamed ISO/IEC 27002 in 2007.

Further standards have already been published or will follow:

  • ISO/IEC 27002 Information security controls (the reference catalogue of controls)
  • ISO/IEC 27003 ISMS implementation guidance
  • ISO/IEC 27004 Information security management: monitoring, measurement, analysis and evaluation (metrics)
  • ISO/IEC 27005 Information security risk management
  • ISO/IEC 27006 Requirements for bodies providing ISMS audit and certification
  • ISO/IEC 27011 Guidelines for telecommunications organisations
  • ISO/IEC 27017 Information security controls for cloud services
  • ISO/IEC 27018 Protection of personally identifiable information (PII) in public clouds
  • ISO/IEC 27701 Privacy information management (extension to ISO/IEC 27001)
  • ISO 27799 Information security management in health informatics

and many other guidelines for industry-specific application and specific topics of an information security management system (ISMS), a list of which can be found on the ISO website.

New version of ISO/IEC 27001:2022

The new version was published at the end of October 2022.

What has changed?

The main change is that Annex A was replaced; it now corresponds to the control set of ISO/IEC 27002:2022.

Apart from that, only minor editorial clarifications were made in the main body, in particular to clauses 6.1.3 c) and 6.1.3 d).

Transition rules:

The transition period is 3 years and ends on 31 October 2025.

When can a certification be transitioned to the new standard?

  • at the next recertification audit (from 30.04.2024 recertification is only possible against the 2022 version; at least 0.5 days of additional audit time is required; must be completed by 31.10.2025)
  • at a surveillance audit (at least 1.0 day of additional audit time is required)
  • between two audits, as a separate transition audit (at least 1.0 day of additional audit time is required)


New version ISO/IEC 27002:2022 (corresponds to Annex A in ISO/IEC 27001)

The new version was published in February 2022.

What has changed?

The structure has been fundamentally changed:

previously 14 chapters (control domains), now 4 themes:

  • Organizational controls (37)
  • People controls (8)
  • Physical controls (14)
  • Technological controls (34)

The number of controls per theme is shown in brackets. There are now 93 controls instead of the previous 114. This does not mean that fewer topics are covered: thematically, 11 new controls have been added and only 3 have been removed (11.2.5 Removal of assets, 8.2.3 Handling of assets, 16.1.3 Reporting information security weaknesses). The reduction comes mainly from merging related controls.

Various existing controls have been consolidated into 19 newly formulated controls; 61 controls remain unchanged.

The new controls are:

  1. Threat intelligence: 
    The organisation must actively seek to understand attackers and their methods in relation to its own IT landscape.
  2. Information security for use of cloud services: 
    Cloud initiatives need to be considered holistically, from procurement and operation through to the exit strategy.
  3. ICT readiness for business continuity: 
    The requirements for the IT landscape must be derived from the requirements for business continuity.
  4. Physical security monitoring: 
    Greater focus is placed on preventing unauthorised physical access and on using alarm and monitoring systems to prevent it or detect it quickly.
  5. Configuration management: 
    Secure configuration and hardening of IT systems, including keeping configurations documented and reviewed, are given more weight.
  6. Information deletion: 
    Secure erasure, and in particular compliance with external requirements such as deletion concepts under data protection law, must be implemented.
  7. Data masking: 
    Masking techniques such as anonymisation and pseudonymisation are used to limit the exposure of sensitive data.
  8. Data leakage prevention: 
    Data Leakage Prevention (DLP) receives new attention and is intended to help detect and prevent the unauthorised disclosure of information.
  9. Monitoring activities: 
    Network, system and application behaviour should be monitored in order to detect anomalies.
  10. Web filtering: 
    Access to external websites that may contain malicious code must be restricted using web filtering methods.
  11. Secure coding: 
    Secure programming practices, the use of supporting tools, monitoring of the libraries and repositories in use, commenting and tracking of changes, and avoidance of unsafe programming techniques.

All controls now include attributes:

  • Control type:
    Preventive, Detective, and Corrective
  • Information security properties:
    Confidentiality, Integrity, and Availability
  • Cybersecurity concepts:
    Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities:
    Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
  • Security domains:
    Governance and ecosystem, Protection, Defense, and Resilience


Benefits

Organisations that have successfully implemented ISO/IEC 27001 benefit from:

  • Optimum use of resources to protect information
  • Business risks and protection requirements are identified
  • Reduction of liability risk for management and board
  • Control of the top risks
  • Demonstrably protected availability and integrity of information
  • Building trust with customers and business partners
  • Sustainable protection of the corporate asset 'information'
  • Security awareness among all employees

What you need to know

Requirements

The requirements for an information security management system are set out in ISO/IEC 27001, and certification is only possible against this standard. The other standards in the family (apart from ISO/IEC 27006) are guidelines and are not themselves certifiable; the one exception is ISO/IEC 27701, which can be certified, but only as an extension to an existing ISO/IEC 27001 certification.

ISO/IEC 27006 is only relevant for certification bodies. It defines the requirements for auditors, certification procedures and also the calculation of the audit time to be spent.

Tools

The aforementioned guidelines provide assistance in defining effective measures to ensure information security or on specific topics such as risk assessment. The industry-specific guidelines are always based on the very good generic collection of best practices in ISO/IEC 27002. Further guidelines have now been developed for other sectors and more will follow.

Also worth mentioning here is ISO 22301 - Business continuity management systems, as business continuity is an important aspect of information security.

Many other publications on the subject can be found on the Internet: threat catalogues, checklists, risk assessment methods and more. In Switzerland, the National Cyber Security Centre publishes a wide range of information and resources. Further links can be found in the section Useful information.

Useful information

Interesting links on the topic: 

Checklist

To prepare for certification and as support for internal audits, we make our checklists available free of charge in the Swiss Safety Center Shop.
