ISO/IEC 27001 is a widely used international standard for information security management systems (ISMS) that encompasses information security, cybersecurity and privacy protection. This blog post explains the changes introduced by the latest version, ISO 27001:2022, which further strengthens cyber security.
ISO/IEC 27001 helps to manage cyber risks and proactively identify and eliminate vulnerabilities. ISO 27001 is therefore a valuable tool for managing and verifying the measures for EU NIS2 Articles 20 and 21.
The upgrade to the new ISO 27001:2022 standard is a major change compared to the previous versions ISO 27001:2017 and 2013 and must be completed by October 31, 2025.
SEEBURGER has been ISO 27001 certified since 2012 and upgraded from ISO 27001:2017 to ISO 27001:2022 in 2023/2024. Our aim was to complete the transition in good time before EU NIS2 in order to be able to continue working efficiently on the basis of the newer ISO 27001:2022.
We have adapted our management documents and, above all, the policies accordingly. The changes in ISO management chapters 4 to 10 were minor. The guideline ISO 27002:2022 describes in detail the possible catalog of measures, which is only outlined in the annex to ISO 27001:2022 (Annex A).
The information security controls in Annex A have been completely reorganized and 11 new controls have been added. SEEBURGER applies all controls and has not deselected any of them in the Statement of Applicability (SoA).
It is interesting to see how the controls are distributed across the new policy documents. You can reference the new grid as follows:
However, the disadvantage of turning an annex section 1:1 into a policy document is that sections 5 and 8 of the annex become very large and unwieldy as policy documents. SEEBURGER has therefore decided to subdivide the policies relating to annex sections 5 and 8.
New controls are colored red in the following tables and marked "NEW" in the mapping column.
| Appendix 5: Organizational Controls | SEEBURGER 27001:2022 Document | SEEBURGER Mapping ISO27001:2013 and ISO27001:2017 |
|---|---|---|
| 5.01 Policies for information security | ISP_A5_Organizational_Controls | A.5.1.1 A.5.1.2 |
| 5.02 Information security roles and responsibilities | ISP_A5_Organizational_Controls | A.6.1.1 |
| 5.03 Segregation of duties | ISP_A5_Organizational_Controls | A.6.1.2 |
| 5.04 Management responsibilities | ISP_A6_People_Controls | A.7.2.1 |
| 5.05 Contact with authorities | ISP_A5_Organizational_Controls | A.6.1.3 |
| 5.06 Contact with special interest groups | ISP_A5_Organizational_Controls | A.6.1.4 |
| 5.07 Threat intelligence | ISP_A5-24etal_Security_Incident | NEW |
| 5.08 Information security in project management | ISP_A5_Organizational_Controls | A.6.1.5 |
| 5.09 Inventory of information and other associated assets | ISP_A5-09etal_InformationAssetManagement | A.8.1.1 A.8.1.2 |
| 5.10 Acceptable use of information and other associated assets | ISP_A5-09etal_InformationAssetManagement | A.8.1.3 |
| 5.11 Return of assets | ISP_A5-09etal_InformationAssetManagement | A.8.1.4 |
| 5.12 Classification of information | ISP_A5-09etal_InformationAssetManagement | A.8.2.1 |
| 5.13 Labeling of information | ISP_A5-09etal_InformationAssetManagement | A.8.2.2 |
| 5.14 Information transfer | ISP_A5-09etal_InformationAssetManagement | A.8.3.3 |
| 5.15 Access control | ISP_A5_Organizational_Controls | A.9.1.1 A.9.1.2 |
| 5.16 Identity management | ISP_A5_Organizational_Controls | A.9.2.x |
| 5.17 Authentication information | ISP_A5_Organizational_Controls | A.9.3.1 |
| 5.18 Access rights | ISP_A5_Organizational_Controls | A.9.4 |
| 5.19 Information security in supplier relationships | ISP_A5-19etal_Supplier_Relationship | A.15.1.x |
| 5.20 Addressing information security within supplier agreements | ISP_A5-19etal_Supplier_Relationship | A.15.1.2 |
| 5.21 Managing information security in the information and communication technology (ICT) supply chain | ISP_A5-19etal_Supplier_Relationship | A.15.1.3 |
| 5.22 Monitoring, review and change management of supplier services | ISP_A5-19etal_Supplier_Relationship | A.15.2.x |
| 5.23 Information security for use of cloud services | ISP_A5-19etal_Supplier_Relationship | NEW |
| 5.24 Information security incident management planning and preparation | ISP_A5-24etal_Security_Incident | A.16.1.1 |
| 5.25 Assessment and decision on information security events | ISP_A5-24etal_Security_Incident | A.16.1.4 |
| 5.26 Response to information security incidents | ISP_A5-24etal_Security_Incident | A.16.1.5 |
| 5.27 Learning from information security incidents | ISP_A5-24etal_Security_Incident | A.16.1.6 |
| 5.28 Collection of evidence | ISP_A5-24etal_Security_Incident | A.16.1.7 |
| 5.29 Information security during disruption | ISP_A5-29etal_BCM | A.17.1.1 A.17.1.2 A.17.1.3 |
| 5.30 ICT readiness for business continuity | ISP_A5-29etal_BCM | NEW |
| 5.31 Legal, statutory, regulatory and contractual requirements | ISP_A5-31etal_Compliance | A.18.1.1 |
| 5.32 Intellectual property rights | ISP_A5-31etal_Compliance | A.18.1.2 |
| 5.33 Protection of records | ISP_A5-31etal_Compliance | A.18.1.3 |
| 5.34 Privacy and protection of personally identifiable information (PII) | ISP_A5-31etal_Compliance | A.18.1.4 |
| 5.35 Independent review of information security | ISP_A5-31etal_Compliance | A.18.2.1 |
| 5.36 Compliance with policies, rules and standards for information security | ISP_A5-31etal_Compliance | A.18.2.2 |
| 5.37 Documented operating procedures | ISP_A5_Organizational_Controls | A.12.1.1 |
| Appendix 6: People Controls | SEEBURGER 27001:2022 Document | SEEBURGER Mapping ISO27001:2013 and ISO27001:2017 |
|---|---|---|
| 6.01 Screening | ISP_A6_People_Controls | A.7.1.1 |
| 6.02 Terms and conditions of employment | ISP_A6_People_Controls | A.7.1.2 |
| 6.03 Information security awareness, education and training | ISP_A6_People_Controls | A.7.2.2 |
| 6.04 Disciplinary process | ISP_A6_People_Controls | A.7.2.3 |
| 6.05 Responsibilities after termination or change of employment | ISP_A6_People_Controls | A.7.3.1 |
| 6.06 Confidentiality or non-disclosure agreements | ISP_A6_People_Controls | A.13.2.4 |
| 6.07 Remote working | ISP_A6_People_Controls | A.6.2.2 |
| 6.08 Information security event reporting | ISP_A5-24etal_Security_Incident | A.16.1.2 |
| Appendix 7: Physical Controls | SEEBURGER 27001:2022 Document | SEEBURGER Mapping ISO27001:2013 and ISO27001:2017 |
|---|---|---|
| 7.01 Physical security perimeters | ISP_A7_Physical_Controls | A.11.1.1 |
| 7.02 Physical entry | ISP_A7_Physical_Controls | A.11.1.2 |
| 7.03 Securing offices, rooms and facilities | ISP_A7_Physical_Controls | A.11.1.3 |
| 7.04 Physical security monitoring | ISP_A7_Physical_Controls | NEW |
| 7.05 Protecting against physical and environmental threats | ISP_A7_Physical_Controls | A.11.1.4 |
| 7.06 Working in secure areas | ISP_A7_Physical_Controls | A.11.1.5 |
| 7.07 Clear desk and clear screen | ISP_A7_Physical_Controls | A.11.2.9 |
| 7.08 Equipment siting and protection | ISP_A7_Physical_Controls | A.11.2.1 |
| 7.09 Security of assets off-premises | ISP_A7_Physical_Controls | A.11.2.6 |
| 7.10 Storage media | ISP_A7_Physical_Controls | A.8.3.x A.11.2.7 |
| 7.11 Supporting utilities | ISP_A7_Physical_Controls | A.11.2.2 |
| 7.12 Cabling security | ISP_A7_Physical_Controls | A.11.2.3 |
| 7.13 Equipment maintenance | ISP_A7_Physical_Controls | A.11.2.4 |
| 7.14 Secure disposal or re-use of equipment | ISP_A7_Physical_Controls | A.11.2.7 |
| Appendix 8: Technological Controls | SEEBURGER 27001:2022 Document | SEEBURGER Mapping ISO27001:2013 and ISO27001:2017 |
|---|---|---|
| 8.01 User endpoint devices | ISP_A8_Tech_Controls_Data_Rights | A.6.2.1 |
| 8.02 Privileged access rights | ISP_A8_Tech_Controls_Data_Rights | A.9.2.3 |
| 8.03 Information access restriction | ISP_A8_Tech_Controls_Data_Rights | A.9.1.2 |
| 8.04 Access to source code | ISP_A8_Tech_Controls_Data_Rights | A.9.4.5 |
| 8.05 Secure authentication | ISP_A8_Tech_Controls_Data_Rights | A.9.4.2 |
| 8.06 Capacity management | ISP_A8_Tech_Controls_Management | A.12.1.3 |
| 8.07 Protection against malware | ISP_A8_Tech_Controls_Security | A.12.2.1 |
| 8.08 Management of technical vulnerabilities | ISP_A8_Tech_Controls_Security | A.12.6.1 |
| 8.09 Configuration management | ISP_A8_Tech_Controls_Management | NEW |
| 8.10 Information deletion | ISP_A8_Tech_Controls_Data_Rights | NEW |
| 8.11 Data masking | ISP_A8_Tech_Controls_Data_Rights | NEW |
| 8.12 Data leakage prevention | ISP_A8_Tech_Controls_Data_Rights | NEW |
| 8.13 Information backup | ISP_A8_Tech_Controls_Data_Rights | A.12.3.1 |
| 8.14 Redundancy of information processing facilities | ISP_A5-29etal_BCM | A.17.2.1 |
| 8.15 Logging | ISP_A8_Tech_Controls_Management | A.12.4.1 |
| 8.16 Monitoring activities | ISP_A8_Tech_Controls_Management | NEW |
| 8.17 Clock synchronization | ISP_A8_Tech_Controls_Management | A.12.4.4 |
| 8.18 Use of privileged utility programs | ISP_A8_Tech_Controls_Management | A.9.4.4 |
| 8.19 Installation of software on operational systems | ISP_A8_Tech_Controls_Management | A.12.5.1 |
| 8.20 Networks security | ISP_A8_Tech_Controls_Security | A.13.1.1 |
| 8.21 Security of network services | ISP_A8_Tech_Controls_Security | A.13.1.2 |
| 8.22 Segregation of networks | ISP_A8_Tech_Controls_Security | A.13.1.3 |
| 8.23 Web filtering | ISP_A8_Tech_Controls_Data_Rights | NEW |
| 8.24 Use of cryptography | ISP_A8_Tech_Controls_Security | A.10.1.1 A.10.1.2 |
| 8.25 Secure development life cycle | ISP_A8_Tech_Controls_Development | A.14.2.x |
| 8.26 Application security requirements | ISP_A8_Tech_Controls_Development | A.14.2.x |
| 8.27 Secure system architecture and engineering principles | ISP_A8_Tech_Controls_Development | A.14.2.x |
| 8.28 Secure coding | ISP_A8_Tech_Controls_Development | NEW |
| 8.29 Security testing in development and acceptance | ISP_A8_Tech_Controls_Development | A.14.2.8 A.14.2.9 |
| 8.30 Outsourced development | ISP_A8_Tech_Controls_Development | A.14.2.7 |
| 8.31 Separation of development, test and production environments | ISP_A8_Tech_Controls_Development | A.12.1.4 |
| 8.32 Change management | ISP_A8_Tech_Controls_Management | A.5.1.2 A.7.3.1 A.9.2.6 A.12.1.2 A.14.2.2 A.14.2.3 A.14.2.4 A.15.2.2 A.18.2.1 |
| 8.33 Test information | ISP_A8_Tech_Controls_Data_Rights | A.14.3.1 |
| 8.34 Protection of information systems during audit testing | ISP_A8_Tech_Controls_Data_Rights | A.12.7.1 |
The split could also be organized differently. One consideration is internal audits: ideally, the division would be chosen so that each policy document corresponds to one internal audit in the audit plan.
The importance of cyber security for companies remains very high, especially in light of the current cyber threats. For companies with an ISO 27001 certification, the upgrade to ISO 27001:2022 is required.
Based on ISO 27001:2022, affected companies can also prepare for EU NIS2.
From SEEBURGER's perspective, there will be synergies between the restructured and partially new ISO 27001:2022 controls and EU NIS2. We have presented the official EU NIS2 directive and our view of the national implementation law in a separate blog. A self-assessment against EU NIS2 (2022/2555) Article 20 (Governance), Article 21 (Measures) and Article 23 (Reporting deadlines), and possibly also against EU-RCE (2022/2557) Article 12 (Risk assessment) and Article 13 (Measures), can already be carried out today.
This may require enhancements at a later stage, after the respective implementation laws in the member states have come into effect.
We have also written a blog on the mapping of ISO 27001:2022 to EU NIS2 in SEEBURGER style.