EFS Consulting
10/01/2024

New Standards in Information Security: ISO/IEC 27001 (2022)

ISO/IEC 27001 at a Glance 

ISO/IEC 27001 is the key guideline for information security, setting standards for the protection of sensitive data. This globally recognized standard helps organizations systematically secure information and manage risks. With clear requirements, ISO/IEC 27001 aims to safeguard sensitive information. Certification demonstrates: Security is our top priority!   

What’s New in the Latest Version? 

ISO/IEC 27001 has been updated from its 2013 version to the 2022 edition to meet the growing demands of information security. The change is evident in the new title: Information security, cybersecurity, and privacy protection – Information security management systems – Requirements. The revision addresses modern threats and helps businesses improve their security measures. The updated standard provides organizations with the opportunity to optimize their information security strategy and strengthen their position in the market.

Why Was an Update Necessary? 

Since 2013, the digital landscape has drastically changed. Cyber threats have become more complex and numerous, while the technological means to counter such attacks have improved. Therefore, an update to ISO/IEC 27001 was necessary to address these new challenges and better protect organizations. 

What’s New in the 2022 Version? 

The requirements in ISO/IEC 27001:2022 have been made more precise. While the 2013 version allowed for more flexibility, the new version demands more specific measures: companies must now implement both technical and organizational safeguards. 

  • Additional Measures: Organizations must intensify their efforts to effectively counter cyber threats. 
  • Combined Measures: Technical and organizational measures must be implemented in parallel. 
  • Increased specificity: Less room for interpreting the standard's requirements. 

New Structure of the Annex 

The number of information security controls in Annex A has been reduced from 114 to 93 and grouped into four main categories: organizational, people, physical, and technical measures. This improves clarity and focus. 

The 11 New Security Measures at a Glance 

Although some existing measures have been consolidated, there are 11 new measures: 

  1. Threat Intelligence: Gathering and analyzing threat data to develop appropriate protection strategies.
  2. Cloud Services: Secure handling of onboarding, use, management, and termination with cloud providers.
  3. Business Continuity (ICT Readiness): Recovery measures with a stronger focus on technical solutions.
  4. Physical Security Monitoring: Measures like burglar alarms and surveillance systems to prevent unauthorized access.
  5. Data Masking: Anonymizing and pseudonymizing sensitive data to enhance security.
  6. Data Leakage Prevention: Systems to monitor for and detect the unauthorized loss or disclosure of data.
  7. Activity Monitoring: Proactive monitoring and analysis of unusual activities.
  8. Web Filtering: Blocking dangerous websites that host malware or extract data unlawfully.
  9. Secure Coding: Developing secure code to avoid vulnerabilities.
  10. Configuration Management: Ensuring correct and secure configurations of IT systems.
  11. Information Deletion: Includes both the physical destruction of storage media and logical deletion, such as in cloud environments. 


Technical and Organizational Measures 

Previously, there was often a choice between technical protection measures or employee training. Now, ISO/IEC 27001:2022 predominantly requires both. Companies must secure their systems and regularly train their employees to maintain a high level of security. 

Examples:  

Technical Measures:

  • Implementation of advanced security technologies.
  • Regular review and updating of security systems.

Organizational Measures:

  • Regular employee training.
  • Development of security policies and protocols.


Expanded Thematic Coverage 

The updated ISO/IEC 27001:2022 now covers aspects that were previously underemphasized, such as business continuity management and data loss prevention. The goal is for companies to continue operations even during cyberattacks or other disruptions. The standard also addresses potential environmental impacts and corresponding countermeasures, considering the effects of climate change.

Examples: 

Business Continuity Management:

  • Integration of sustainability goals into the supply chain.
  • Ensuring business continuity during extreme weather conditions.

Data Loss Prevention:

  • Measures to prevent data loss.

Web Filtering:

  • Targeted monitoring and blocking of web content, such as preventing access to harmful websites.


Audit Plan: Why the Old Standard Version is Still in Use 

Despite the updated requirements and measures, it may still be useful in some cases to reference the old standard. The previous version had a clear chapter sequence that offers a suitable foundation for audit plans. Thus, companies can rely on the established structure while incorporating the new content and requirements of the updated standard. 

Long-term Benefits of the New Standard Version 

Implementing the new ISO/IEC 27001:2022 brings sustainable benefits to organizations. In addition to improved protection against modern threats, the new standard significantly enhances customer trust, as the elevated security standards and the company’s commitment to data protection become evident. 

Transitioning to the New Standard: Common Challenges 

Transitioning to the new ISO/IEC 27001:2022 can present extensive challenges for companies: 

  • Implementing New Requirements: The new guidelines require comprehensive adjustments to existing systems and processes; without prior experience, companies are often uncertain how to implement them correctly. 
  • Reduction and Re-categorization: The reduction from 114 to 93 controls and their re-categorization into four main categories requires precise adjustments to ensure no content is lost and that new measures are also met. 
  • Awareness: The topic of awareness is becoming increasingly important. Successfully conveying content and ensuring that policies are genuinely followed proves to be an unexpected challenge for many companies. 

To ease the transition to the new ISO/IEC 27001:2022, EFS Consulting offers expertise and extensive experience in: 

  • Setting up an ISMS (Information Security Management System). 
  • Assisting with analyzing the current state and implementing required content throughout the preparation process for an upcoming audit. 
  • Supporting the preparation of necessary measures in the case of identified non-compliances during an audit. 


Conclusion: A Step into the Future 

ISO/IEC 27001:2022 offers businesses better protection against modern cyber threats. However, it also brings challenges during implementation. With more precise guidelines and new focuses such as business continuity and physical security, the revised standard ensures that organizations raise their security standards and prepare for future challenges. Through careful preparation, coordinated transition, and regular ISMS reviews, these challenges can be effectively managed. 
