Key Changes in ISO 27001-2022 and How They Impact Your SoA Template
ISO 27001 is one of the most widely recognized standards for information security management systems (ISMS). The standard provides a systematic approach to managing sensitive company information so that it remains secure. In October 2022, ISO/IEC 27001 was updated to align with the revised ISO/IEC 27002:2022. This update brings significant changes that organizations must incorporate into their Statement of Applicability (SoA) templates.
The Statement of Applicability is a crucial component of an ISMS, as it details the selected security controls, risk profiles, and the justifications for each control's inclusion or exclusion. Understanding the key changes in ISO 27001:2022 will help organizations maintain compliance and improve their information security practices.
This article explores the major changes in ISO 27001:2022 and how they affect your SoA template.
Overview of ISO 27001:2022 Updates
The main changes in ISO 27001:2022 can be categorized into three areas:
- Structural Changes
- Annex A Control Revisions
- Editorial Improvements and Terminology Updates
1. Structural Changes
ISO 27001:2022 maintains the same high-level structure (HLS) as its predecessor but includes slight modifications to improve clarity and applicability. Notable structural changes include:
- Clause 4 (Context of the Organization): Updates emphasize a clearer understanding of the internal and external issues affecting the ISMS.
- Clause 6 (Planning): Adjustments include risk treatment planning, which aligns with the updated Annex A controls.
- Clause 9 (Performance Evaluation): Requirements for monitoring and reviewing ISMS performance have been enhanced.
These changes necessitate a review of the SoA template to ensure it reflects the modified structure and aligns with the new risk treatment approach.
2. Annex A Control Revisions
One of the most significant updates in ISO 27001:2022 is the restructuring of Annex A, which aligns with ISO 27002:2022. Key modifications include:
- The number of controls has been reduced from 114 to 93, achieved by merging, restructuring, and eliminating redundant controls.
- The controls are now grouped into four categories instead of the previous 14:
  - Organizational Controls (37 controls)
  - People Controls (8 controls)
  - Physical Controls (14 controls)
  - Technological Controls (34 controls)
- New controls have been introduced, including:
  - Threat Intelligence (5.7)
  - Information Security for Cloud Services (5.23)
  - ICT Readiness for Business Continuity (5.30)
  - Data Masking (8.11)
  - Data Leakage Prevention (8.12)
  - Web Filtering (8.28)
  - Secure Coding (8.29)
- Several controls have been merged or renamed to simplify implementation.
These modifications require organizations to update their SoA templates by:
- Mapping Existing Controls: Identifying the old controls that correspond to the new structure.
- Integrating New Controls: Incorporating newly introduced controls into the SoA.
- Updating Justifications: Revising justifications for control selection and applicability.
3. Editorial Improvements and Terminology Updates
ISO 27001:2022 includes refinements in wording and terminology to enhance clarity and consistency. Key terminology changes include:
- "Documented Information" replaces "Records and Documents."
- "Information Security Events and Incidents" are better defined for improved response planning.
- "Cybersecurity" is emphasized in multiple controls to reflect modern security threats.
These changes, while minor, require organizations to revise their SoA templates to reflect the updated terminology.
Impact on Your Statement of Applicability (SoA) Template
Given these changes, organizations need to adapt their SoA templates to remain compliant and ensure an effective ISMS. Here’s how:
1. Reassess Control Selection
With the new control structure in place, organizations should conduct a thorough reassessment of their control selection. Key steps include:
- Mapping Old Controls to New Ones: Identify where previous controls align with the updated framework.
- Assessing Gaps: Determine whether new controls need to be implemented to address security risks.
- Eliminating Redundant Controls: Remove outdated or redundant controls to streamline security measures.
2. Update Control Justifications
Each control in the SoA must include a justification for its inclusion or exclusion. Organizations should:
- Update Justifications to Reflect New Risks: Consider the evolving threat landscape and incorporate justifications that address modern cybersecurity concerns.
- Align with Business Objectives: Ensure that control justifications align with organizational goals and regulatory requirements.
3. Modify Control References and Documentation
Since many controls have been merged or renamed, organizations need to update references in their SoA and other ISMS documentation:
- Ensure Consistency: Update policies, risk assessments, and other security documents to match the revised control numbering.
- Communicate Changes to Stakeholders: Train relevant personnel on the updated SoA template and its implications for compliance.
4. Enhance Risk Treatment Planning
The revised standard places greater emphasis on risk treatment. Organizations should:
- Align Risk Treatment with New Controls: Ensure that the selected controls effectively mitigate identified risks.
- Improve Risk Assessment Processes: Incorporate updated risk assessment methodologies that reflect the latest security threats.
5. Integrate New Security Practices
The introduction of new controls, such as Threat Intelligence and Secure Coding, requires organizations to implement best practices aligned with these areas. This includes:
- Establishing a threat intelligence program to proactively detect security threats.
- Implementing secure coding practices to strengthen software development security.
- Enhancing cloud security measures to address the growing reliance on cloud services.
6. Ensure Continuous Monitoring and Improvement
With the performance evaluation updates in ISO 27001:2022, organizations must:
- Regularly Review and Update the SoA: Conduct periodic assessments to ensure continued compliance.
- Leverage Security Metrics: Use key performance indicators (KPIs) to measure ISMS effectiveness.
- Adapt to Emerging Threats: Update controls and policies as new security risks arise.
Conclusion
ISO 27001:2022 introduces significant changes that impact how organizations approach information security. Updating your Statement of Applicability template is crucial to maintaining compliance and ensuring an effective ISMS. By reassessing control selection, updating justifications, modifying references, enhancing risk treatment planning, and integrating new security practices, organizations can align with the updated standard and strengthen their security posture.
As cyber threats evolve, staying compliant with ISO 27001:2022 will help organizations build resilience, protect sensitive information, and maintain stakeholder trust. Organizations should proactively update their SoA templates and continuously refine their security strategies to stay ahead in an increasingly digital landscape.