After nine years, ISO 27001, the world’s leading information security standard, has been updated. The final update for the standard came on 25.10.2022, although the controls list of ISO 27002 had already been updated earlier.
This update brings only moderate changes, but it is important to understand them well. So what has changed between the 2013 and 2022 versions, and how are these updates visible in Cyberday?
The main part of the standard, i.e. clauses 4 to 10 of ISO 27001, did not change significantly in this revision.
ISO 27002's security controls (or Annex A, if you prefer) in turn did receive moderate changes:
The 11 totally new controls in ISO 27002 are:
In addition, many controls were merged together in this update. This means that even more controls are now quite significant in size and demand carefully planned, step-by-step implementation.
Beyond that, smaller changes to the controls include the following:
We at Cyberday are happy about these developments. We have already seen that many controls keep growing and share e.g. 50% of their content with similar controls in other standards. That's why we have built a generic "task level" between e.g. ISO controls and your own ISMS. Tasks tell the more detailed story of how you implement each control.
Controls in the new version are divided into 4 sections. Controls are categorized as:
This division of security controls nicely highlights the different approaches companies can use to counter any kind of cyber threat: organizational, people, technical and physical measures can all be relevant, and a combination usually produces the best results. In this way, the standard makes sure organizations aren't e.g. looking only at technical means of safeguarding data.
In addition to these 4 main sections, the new standard version provides a lot of additional categorization for the controls. These categorizations can also be used to support organizations' ISMS implementation.
Controls are also categorized by:
The last categorization is relatively close to the 14 domains previously included in the 2013 revision. If you're not instantly comfortable with the 4 main sections, you can look for additional support here.
These categorizations also improve the compatibility of ISO 27001 with other popular information security standards, like NIST CSF, CIS 18 or CSA CCM.
We have just published the new ISO 27001:2022 framework in Cyberday. You can activate the new framework in Cyberday's framework library.
The overlap percentage in Cyberday's content is over 90%. This means that over 90% of the tasks you have worked on in the 2013 framework are also increasing your compliance towards the 2022 revision. To make the transition, you basically need to just implement the new 9% of tasks. 👍
The ISO 27001:2022 framework is divided into 3 levels, similarly to the 2013 version:
We've chosen to use the 4 main categorization sections and the operational capabilities categorization in our framework report / Statement of Applicability document.
This main compliance report now also includes ISO 27001's mandatory requirements, so it serves as a turbocharged SoA document, demonstrating both how you comply with the ISMS requirements and how you have implemented the 27002 controls.
You can best see all this in action when you try our new ISO 27001:2022 framework in your own account. If you don't have one yet, sign up for a free trial.
Q: We have worked with the 2013 version in Cyberday. Will I benefit from the work done on the new version?
Absolutely yes! The content overlap percentage in Cyberday between the 2013 and 2022 standard revisions is over 90%. This means that over 90% of the tasks you have worked on in the 2013 framework are also increasing your compliance towards the 2022 revision. To make the transition, you basically need to just implement the new 9% of tasks. 👍
Q: We have already implemented ISO 27001. How quickly do we need to react?
Companies certified against the 2013 revision must transition to the 2022 revision before 31.10.2025. This means there's a hefty 36-month transition period.
Q: Will the old standard version stay available in Cyberday?
Yes. During the transition period both the 2013 and 2022 versions of ISO 27001 will be available in our framework library.