Search in Boards

Search the entire site bulletin board

References

Contact Us

Tel. +82 2 6749 0701

AM 9:00 ~ PM 6:00

Saturday,Sunday,Holiday :
Days Off

02.6749.0711
info@igcert.org

Publication-English

IGC 홍보자료 배너
 

ISO/IEC 27001:2022 Information Security Management System

Page Information

profile_image
Writer igc인증원
Comment 0Times Lookup 2,242psc Date Created 23-03-31 16:42

Contents

ISO/IEC 27001:2022 Information Security Management System

What is ISO/IEC 27001:2022?

ISO/IEC 27001 is an international standard for information security management system established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and the most authoritative international certification standard in the field of information security. It covers information security policy and physical security, information access control, etc.

ISO/IEC 27001 was developed to provide requirements for the establishment, implementation, maintenance, and continuous improvement of the information security management system ISMS (Information Security Management System). Also, Information security management systems are preserving the confidentiality, integrity, and availability of information by applying risk management processes and provide stakeholders with a belief that risks are properly managed.

Recently, institutions that handle important assets such as finance, education, healthcare, telecommunications, portals, and government agencies including public institutions, as well as companies that are subject to external evaluations such as IT management evaluation, credit evaluation, and accounting audit, are continuously obtaining certification. These include companies that manage or operate entrusted customer information.

ISO/IEC 27001:2022< ISO/IEC 27001:2022 >

Major revisions

ISO published ISO/IEC 27001:2022 in the second half of 2022. Companies that have previously maintained ISO/IEC 27001:2013 certification must transition by October 25, and ISO 27001:2013 will cease issuing certificates after April 2024.

The main revisions are as follows.
1. Change of standard name

The original ISO/IEC 27001:2013 was Information security, cybersecurity, and privacy protection — Information security management systems, but ISO/IEC 27001:2022 was changed to Information security, cybersecurity and privacy protection — Information security management systems.

2. Added clause and Changed Numbers

•  Adding a new clause 4.2 c) to determine the requirements of the interested parties addressed through an information security management system (ISMS).

•  Adding a new clause 6.3 - Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner.

•  The order of the sections of clause 10.1 and 10.2, which are sub-clauses of Section 10 Improvements, has been changed.

3. Term change

Changed and restructured terminology with potential ambiguity.

4. Annex A change

Compared with the old edition, the number of information security controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses.

For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated.

Four control items :

•  Organizational controls(37)

•  People controls(8)

•  Physical controls(14)

•  Technological controls(34)

Necessity of ISO/IEC 27001:2022

With the spread of information communication and the Internet, individual lifestyles and business methods are changing, and as the information society develops, all major tasks depend on information systems. This development has made fast and convenient life and business possible, but as a side effect of rapid informatization, leakage of personal information, leakage of customer information, and leakage of industrial secrets have increased. In preparation for ever-increasing cyber threats, companies need to respond to cyber threats on their own.

ISO/IEC 27001 is a documented set of policies, procedures, processes and systems that manages the risks of data loss from cyber-attacks, hacks, data leaks or theft. Through ISO/IEC 27001 certification, organizations can benefit like below

Necessity of ISO/IEC 27001:2022< Necessity of ISO/IEC 27001:2022 >

1. Customer satisfaction

Realization of customer trust and customer satisfaction through protection of customer information

2. Business continuity

Secure business sustainability and business stability through risk management, legal compliance and vigilance on future security issues and concerns

3. Compliance with laws

Understand how legal/regulatory requirements affect you and your customers, and how to reduce the risk of legal sanctions

4. Risk management

Reliability is secured through independent verification of recognized global industry standards

5. Proof of business reliability

Reliability is secured through independent verification of recognized global industry standards

6. Business expansion

Customers often require a certificate as a condition of delivery, so certification can help you expand your business.

Requirements of ISO/IEC 27001:2022

  • 4.  Context of the organization
  • 5.  Leadership
  • 6.  Planning
  • 7.  Support
  • 8.  Operation
  • 9.  Performance evaluation
  • 10.  Improvement
  • Annex A  Information security controls reference

Comment list

There are no registered comments.