

ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements


On October 25, 2022, ISO published the new version of ISO/IEC 27001 "Information security, cybersecurity and privacy protection – Information security management systems – Requirements".
The changes align the standard with the harmonized structure for management system standards (Annex SL) and with the revised control set of ISO/IEC 27002:2022. ISO/IEC 27001:2022 replaces the 2013 version.

ISO/IEC 27001 is one of the most popular information security standards. It defines the requirements for information security management, cyber security and privacy protection.
The requirements laid down in the standard are relevant to all organizations, regardless of the type, size or nature of activity. ISO/IEC 27001 is applicable to all types of organizations: commercial, non-commercial, governmental and non-governmental, and is most often applied by companies providing IT services, software developers, outsourcing companies, banks and financial institutions, government organizations, traders, consultants and others.
ISO/IEC 27001 can be broadly divided into two parts. The first (main) part consists of the clauses that define the basic principles, framework and management processes for managing information security risk through the effective implementation of information systems.
 
The clauses of ISO/IEC 27001:2022 are:
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
   4.1 Understanding the organization and its context
   4.2 Understanding the needs and expectations of interested parties
   4.3 Determining the scope of the information security management system
   4.4 Information security management system
5 Leadership
   5.1 Leadership and commitment
   5.2 Policy
   5.3 Organizational roles, responsibilities and authorities
6 Planning
   6.1 Actions to address risks and opportunities
         6.1.1 General
         6.1.2 Information security risk assessment
         6.1.3 Information security risk treatment
   6.2 Information security objectives and planning to achieve them
7 Support
   7.1 Resources
   7.2 Competence
   7.3 Awareness
   7.4 Communication
   7.5 Documented information
         7.5.1 General
         7.5.2 Creating and updating
         7.5.3 Control of documented information
8 Operation
   8.1 Operational planning and control
   8.2 Information security risk assessment
   8.3 Information security risk treatment
9 Performance evaluation
   9.1 Monitoring, measurement, analysis and evaluation
   9.2 Internal audit
         9.2.1 General
         9.2.2 Internal audit programme
   9.3 Management review
         9.3.1 General
         9.3.2 Management review inputs
         9.3.3 Management review results
10 Improvement
   10.1 Continual improvement
   10.2 Nonconformity and corrective action
 
The second part of the standard, Annex A, contains the list of all security controls and control objectives that can be applied in the design, implementation and maintenance of an information security management system.
In the latest edition of the standard, the number of controls has been reduced from 114 to 93, the reduction being mostly from consolidating many of them.
 
The controls of ISO/IEC 27001:2022 are structured in 4 groups:
A.5 Organizational controls - contains 37 controls
A.6 People controls - contains 8 controls
A.7 Physical controls - contains 14 controls
A.8 Technological controls - contains 34 controls.
 
11 new controls have been added to Annex A:
1. A.5.7 Threat intelligence
2. A.5.23 Information security for the use of cloud services
3. A.5.30 ICT readiness for business continuity
4. A.7.4 Physical security monitoring
5. A.8.9 Configuration management
6. A.8.10 Information deletion
7. A.8.11 Data masking
8. A.8.12 Data leakage prevention
9. A.8.16 Monitoring activities
10. A.8.23 Web filtering
11. A.8.28 Secure coding.
 
The ISO/IEC 27001 standard requires strict compliance with relevant legal, regulatory and contractual obligations related to information security, optimized use of available resources, as well as periodic internal audits of the system for continuous improvement.
 
The certification of the Information Security Management System, according to ISO/IEC 27001, proves that your organization guarantees the maximum security of both its own information and that of its customers.
 
The implemented and functioning Information Security Management System will also guarantee the continuity of your business in case of emergencies and crises.
 


Implementation of management standards

CONSEJO EOOD is a consulting company formed by a team of consultants with over 15 years of experience in management systems in the field of international standards. The focus of the company is the provision of consulting services in the development and implementation of management systems that meet the requirements of international standards for quality, the environment, safe working conditions, information security, good production practices based on international standards: ISO 9001, ISO 14001, ISO 45001, ISO 22000, ISO 27001, IFS Food, HACCP and others.

The CONSEHO team has participated in the realization of projects in all branches of the economy. The team has implemented over 1000 projects in the fields of production and design, construction, trade, information and communication technologies, transport and forwarding, the hotel and restaurant industry, special production, energy, design, the food industry, services, etc. The company has established a strict procedure for monitoring compliance with the requirements agreed with its clients, both the terms of the contracts and the quality of service performance. The company's established working style consists of developing real management systems together with our customers, based on conducting multiple trainings and providing full assistance throughout the implementation process. Through this approach to work, CONSECO ensures and guarantees trouble-free certification of the built systems in extremely short terms.
