
What can we learn from the update of ISO27001 in 2022 on cyber security (2024)


ISO27001 update

Background


In October 2022, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the 3rd edition of ISO/IEC 27001, Information security, cybersecurity and privacy protection - Information security management systems - Requirements. It replaces the 2013 edition.

ISO/IEC 27001 is the most common and best-known standard for organizational information security management systems (ISMS), and certified conformity to it has become a baseline requirement for organizational cyber security. Since 30 April 2024, ISO/IEC 27001 certification has been based only on the new edition.

As ISO/IEC 27001 is the leading standard for certification, designed by well-informed global institutions and accepted by leading organizations around the world, it can be seen as the reference for what cyber security should look like ('best practice').


The purpose of this paper is to analyze ISO/IEC 27001:2022 in order to draw general observations on the handling of organizational cyber security and how it has changed over the last decade (from 2013 to 2022).


ISO27001 Update - bottom lines

The 8 takeaways observed can support the structuring of cyber security strategy and policy approaches, the prioritization of efforts and the focus on advanced cyber security processes. Among the main observations:

  • The right balance between continuity and change in cyber security is that strategy and policy reflect continuity, are process based and articulate the general approach, while procedures and manuals reflect adaptation to constant change through the actual technical implementation.

  • The cyber security framework - i.e. organizational strategy and policy - should be framed around the organization, including governance and operational structures; the technological assets and defense capabilities; the people, who are both targets and assets; and physical security, a crucial line of defense.

  • The core assets to be secured should be framed according to their business role and not according to their technological functionality.

  • Adoption of advanced controls like threat intelligence, cloud security, secure coding, supply chain monitoring, web filtering and data security is not only the right thing to do but is now part of ISO/IEC 27001:2022 certification. New control processes, and the merging of outdated efforts into them - based on advanced control technologies, for example on GenAI capabilities - can also be a source of savings in resources and people.


How to structure a cyber security framework


Observation 1: Continuity vs. Change

The structure of the framework (the main clauses) has hardly changed. Only one significant change is observed: the addition of a sub-clause on planning of changes (clause 6.3), which emphasizes the need to plan changes to the ISMS. Conversely, the structure of Annex A (Table A.1), which details the information security controls and is the practical backbone of implementing the framework, has gone through a significant update (described below).


Take away 1: When thinking about updating the organizational cyber security approach, concentrate on the controls and processes, and be cautious about changing your basic strategy. This may be a good equilibrium between continuity and change.


Observation 2: Policy vs. Procedures and Manuals

ISO/IEC 27001:2013 contained demands for many policy papers (access control, mobile devices, cryptography, clear desk, backup, secure development, supply chain...). The new ISO/IEC 27001:2022 refers instead to "Information security policy and topic-specific policies" (control 5.1). A policy paper states the general attitude towards cyber security issues, while the specific approaches (or topic-specific policies) are manifested in procedures.


Take away 2: In order to enhance the clarity of the general cyber security approach, organizations should strive to work according to one strategy ('the what') and policy ('the how') paper, approved by management. This paper elaborates the major principles on the substantial issues and leaves further elaboration to procedures and manuals.


Observation 3: Detailing vs. Generalization

The number of controls was reduced from 114 in 2013 to 93 in 2022. The differences will be elaborated below, but one of the reasons is the generalization of specific issues into more comprehensive processes (access control is a good example). We observed a similar trend in the update of the NIST Cybersecurity Framework (see our analysis of the comparison between v1.1 and v2.0): the emphasis is more on the process of improvement and less on the technicality of mapping.


Take away 3: As the transformation of IT and OT technology is rapid, cyber security frameworks should move from detailed technical instructions to a more process-based and general approach, and leave flexibility to the actual implementation.


Observation 4: Complex vs. Simple

The 2013 edition had 14 categories (with 2 to 15 controls each) and a significant number of subcategories. The 2022 edition has 4 basic categories (with 37, 8, 14 and 34 controls respectively - see annex).


Take away 4: As cyber security is a very complex and dispersed field of expertise, frameworks should be as simple as possible in structure and guidance and complex in the actual know-how.


The updated cyber security approach


Observation 5: The core emphasis

The control categories of the 2022 edition are organizational, people, physical and technological controls. This is a change from the 2013 concept, which emphasized control objectives, controls, processes and procedures for information security.


Take away 5: The core of the cyber security framework - i.e. organizational strategy and policy - should be the organization, including governance and operational structures; the technological assets and defense capabilities; the people, who are both the main targets and assets; and physical security, which is a crucial line of defense of the computing assets.


Observation 6: The core assets

The 2022 edition moved from the terminology of 'networks' to 'information and other associated assets' and from 'equipment' to 'information-related devices'.


Take away 6: The core assets to be secured should be framed according to their business functionality (for example as information assets) and not according to their technological functionality (network, equipment). This approach brings cyber security closer to the main business echelon of the organization.


Observation 7: What's outdated

We have observed 33 controls from the 2013 edition that were omitted or concentrated into more comprehensive controls. Among them:

  1. Endpoint device and remote access security replace controls like mobile device policy, teleworking and physical media transfer.

  2. The asset inventory control merges controls like asset ownership and handling.

  3. Overall handling of access rights merges controls like user registration, access provisioning, review and removal.

  4. A life-cycle approach to identity management and authentication information replaces controls like password management.

  5. The policy on the use of cryptographic controls and key management are merged into a single use-of-cryptography control.

  6. A robust physical security perimeter approach merges controls like securing delivery and loading areas and unattended user equipment.

  7. A comprehensive and holistic SSDLC approach including change management merges controls like restrictions on software installation, restrictions on changes to software packages, securing application services on public networks and protecting application service transactions.

  8. Concentrated information security incident management planning and preparation, and ICT readiness for business continuity, merge several incident response controls.


Take away 7: Organizations should adapt to the new control processes and merge outdated control efforts into them, based among other things on implementing the ISO/IEC 27001:2022 framework. This can also be a source of savings in resources and people. Part of the adaptation effort can be based on the adoption of advanced control technologies and processes based, for example, on GenAI capabilities.


Observation 8: What's new

We have observed 17 controls in the 2022 edition that either represent new approaches or the merge of controls into a comprehensive approach. Among them:

  1. Security of cloud services.

  2. Secure coding and configuration management.

  3. A stricter approach to supplier relationships: direction, processes and procedures replace reliance mainly on agreements, supervision and reporting.

  4. Threat intelligence.

  5. Physical security monitoring, rather than relying on the perimeter itself.

  6. Web filtering.

  7. Data security controls like DLP, data deletion and data masking.

  8. A comprehensive approach to monitoring.


Take away 8: Adoption of advanced controls like threat intelligence, cloud security, secure coding, supply chain monitoring, web filtering and data security is not only the right thing to do but is now part of ISO/IEC 27001:2022 certification.


Annex: Comparison of the structure of the control table (Annex A)

2013 edition (14 categories, 114 controls)

No.  Name                                                            Controls
5    Information security policies                                    2
6    Organization of information security                             7
7    Human resource security                                          6
8    Asset management                                                10
9    Access control                                                  14
10   Cryptography                                                     2
11   Physical and environmental security                             15
12   Operations security                                             14
13   Communications security                                          7
14   System acquisition, development and maintenance                 13
15   Supplier relationships                                           5
16   Information security incident management                         7
17   Information security aspects of business continuity management   4
18   Compliance                                                       8
     Total                                                          114

2022 edition (4 categories, 93 controls)

No.  Name                      Controls
5    Organizational controls     37
6    People controls              8
7    Physical controls           14
8    Technological controls      34
     Total                       93

