March 7, 2023

Last Updated on January 15, 2024

Will Implementing the New ISO 27001:2022 Control Set Improve Your ISMS?

The new ISO 27001:2022 cybersecurity standard defines 21 fewer controls than ISO 27001:2013, down from 114 to 93. But the new version also introduces 11 “net new” controls that did not exist in the 2013 version.

What is ISO’s intent with the new control set? And could moving to ISO 27001:2022 and implementing these new controls improve your security posture?

To explore and explain ISO 27001:2022, a recent episode of The Virtual CISO Podcast features Ryan Mackie and Danny Manimbo, principals at Schellman. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

More focus on cloud

While ISO 27017 (controls for cloud services) isn’t “going away,” ISO 27001:2022 includes more cloud-specific guidance—including a cloud-specific control (5.23).

“I think part of the idea behind the update was a modernization of the controls and more representation of the fact that so many people are in the cloud,” Danny observes. “There were a lot of obsolete references in the 2013 standard.”

More “contextualized”

Besides cloud, the new ISO 27001 adds controls around data loss prevention, configuration management, secure coding, and more.

“All of those things I don’t think should be foreign concepts to a lot of organizations,” says Danny. “If your information security management system (ISMS) has been staying up to date with technology trends, you should be well positioned to meet [ISO 27001:2022].”

Indeed, the name of the standard has been updated to “Information security, cybersecurity and privacy protection—information security management systems—Requirements.” The full title of the 2013 version was “Information technology—Security techniques—Information security management systems—Requirements.”

“What they’re trying to do with some of those new controls is really make sure that the ISMS is not specifically just within the boundaries of the organization,” relates Ryan. “So, you’re looking at things that are more cybersecurity and privacy related. So again, this is not new. Organizations hopefully should already have controls in place.”

“I think the guidance around cloud, privacy and [software] development has been better contextualized to the technologies, infrastructure, and processes of today,” adds John. “I think it helps you look at risk and how your controls should be architected in a little bit sharper and more contextualized way. So, I think the sooner you move [to ISO 27001:2022], the better your ISMS is going to be.”

What’s next?

To hear this podcast episode with Danny Manimbo and Ryan Mackie from Schellman, click here.
