The new Information Security Management System ISO27001 Standard edition 2022

02 Nov 2022 07:00 AM By Davide Micheli


The ISMS requirements set by the updated ISO27001 standard

In the last few days, the International Organization for Standardization (ISO) released the updated 2022 version of the ISO/IEC 27001 standard on Information Security Management Systems requirements.

Just in case you don't remember, this update follows the first release (2005) and the revised version (2013) of one of the best known ISMS standards in the industry. What makes the updated ISO 27001:2022 version different from the previous ones?

First of all, the new standard is based on the High Level Structure (HLS), which is common to every Management System Standard (MSS) set by ISO (as described in the ISO Annex SL section). This is a new, standardized way to ensure that future MSS are developed so that they can support each other.

The ISO 27001:2022 standard also brings an interesting update on this matter: ISO aligned it with its standard ISO/IEC 27002:2022 (Information Security, Cybersecurity and Privacy Protection - Information Security Controls).

Let's take a look at the details of this relevant change made by the standards developer.

The Information Security Management System ISO27001:2022 and the alignment with ISO 27002

In an age of rising concerns about privacy and data protection, ISO took advantage of its HLS strategy when updating its Information Security Management System standard (ISO 27001), aligning it with its 27002:2022 standard.

The Information Security, Cybersecurity and Privacy Protection - Information Security Controls standard (ISO 27002) identifies 4 large groups (clauses or themes) of operational controls:

  • organizational controls (organizational aspects);
  • people controls (single individual);
  • physical controls (physical & environmental objects and aspects);
  • technological controls (technological aspects).

This approach is easier to grasp with the help of the following infographic:

[Infographic: the four control themes of ISO 27002:2022, by Andrea Leonardi (VP of Minerva Group Service, MP of Alpemi Consulting & itSMF Switzerland board member).]

The ISO 27002 2022: focus on the control 5.34

If we look in particular at the Technological Controls section, we notice that control «5.34 Privacy and Protection of Personal Identifiable Information (PII)» of the ISO 27002:2022 standard clearly defines what the organization's approach on the matter is supposed to be:

«The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements»

The standard therefore establishes a direct correlation between compliance management and the requirements set by the law of the applicable jurisdiction.

In the Swiss legal system, this is the Federal Act on Data Protection (known as LPD in Italian/French and DSG in German). In the European Union (EU) countries, it is the General Data Protection Regulation (commonly known as GDPR).

The ISO 27002:2022 and the final focus on the controls

At the final stage of our overview of the new Information Security Management System (ISO 27001) update and its alignment with ISO 27002, we want to focus on how the latter standard identifies 5 attributes for each single control.

These attributes are different ways of looking at a single control. In particular, the standard defines 5 different views, each a different categorization of the controls seen from a different perspective:

  • Control type (perspective of when and how control changes risk);
  • Information security properties (integrity, availability and confidentiality perspective);
  • Cybersecurity concepts (perspective of the association of controls to information security);
  • Operational capabilities (perspective of operations for information security);
  • Security domains (perspective of governance, protection, defense and resilience).
