ISO 27001:2022 is released. Given the data breaches in Australia and generally poor privacy governance it comes at the right time.
October 29, 2022
ISO 27001 is a global specification for an information security management system (ISMS). It is the standard for effective information security management. Properly implemented, it helps organisations to avoid security breaches. An ISMS is a framework of policies and procedures that includes all the legal, physical and technical controls involved in an organisation’s information risk management processes.
The new ISO 27001 has just been released. It is called ISO 27001:2022. This version introduces significant changes in the way organisations manage information security. The Standard was last revised almost a decade ago.
The standard is no longer divided into 14 control categories. It is now split into four ‘themes’:
- organisational,
- people,
- physical and
- technological.
The total number of controls has decreased from 114 to 93. This is because many of its controls have been reordered and merged. Under the new ISO 27001:
- 35 controls are unchanged,
- there are 11 new requirements, which are:
  - threat intelligence
  - information security for use of cloud services
  - ICT readiness for business continuity
  - physical security monitoring
  - configuration management
  - information deletion
  - data masking
  - data leakage prevention
  - monitoring activities
  - web filtering
  - secure coding
The controls are categorised according to five types of ‘attribute’:
- control type,
- operational capabilities,
- security domains,
- cybersecurity concepts and
- information security properties.
This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.