top of page

ISO27001:2022 - 11 New Controls

They say the only constant is change.

Well we've been waiting a long time for these changes to ISO27001!

But in the ever-evolving landscape of cybersecurity, organizations like yours are constantly seeking ways to enhance their information security posture to safeguard their sensitive data and operations. 

The ISO 27001 standard, the internationally recognized benchmark for information security management systems (ISMS), has undergone a significant update in its 2022 revision.

To get the ball rolling on a new series of blogs, articles and videos I wantg to discuss the 11 new controls that address emerging risks and strengthen overall security measures.

Ready? Ok... let's take a highlevel look at the 11 new controls.

ISO27001: Threat Intelligence

You must actively gather, analyze, and utilize threat intelligence to gain insights into emerging attack vectors, vulnerabilities, and threat actors. 

This information can be used to prioritize security efforts, implement targeted countermeasures, and enhance overall risk management.

In truth you've already been doing this, as you'll have used this approach in your risk assessment and treatment process. Threat intelligence comes in the form of strategic, tactical and operational threats and you should ensure you have mechanisms for all three levels.

ISO27001: Information Security for Use of Cloud Services

The rapid adoption of cloud computing necessitates specific controls for ensuring data security in the cloud environment. You must establish clear governance processes, conduct due diligence on cloud service providers, and effectively manage access controls and data encryption in cloud-based systems.

Cloud Services are suppliers (aka Third-parties) therefore you're probably doing this already with your supplier management processes. However this new control requires more of a focus. So dust off your Supplier Register and ensure any software platforms (like Sage, Xero, PeopleHR etc) are included.

ISO27001: ICT Readiness for Business Continuity

Business continuity is paramount in today's interconnected world. You must ensure that your ICT infrastructure and systems are resilient to disruptions, enabling them to maintain critical operations during unforeseen events such as natural disasters or cyberattacks.

In order to do this, you'll need to consider what is critical and what isn't. Carrying out a Business Impact Analysis (BIA) in a structured way will help you determine the Recovery Time and Recovery Point Objectives (RTO and RPO respectively).

This is one of the controls which has been vastly improved and is the reason why Consultants Like Us focus on other standards like ISO22301 (Business Continuity Management). If you've only ever been exposed to ISO27001 then these concepts might be alien to you.

ISO27001: Physical Security Monitoring

Physical security remains a critical aspect of overall information security. You may need to implement monitoring systems to detect and prevent unauthorised access to physical facilities, data centers, and sensitive equipment. 

This includes video surveillance, access control systems, and security personnel training. If this doesn't take place, then this is a risk that you may have to treat appropriately (depending on your business and sensitivity of data processing).

ISO27001: Configuration Management

Effective configuration management ensures that IT systems and software are deployed and maintained in a consistent and secure state. 

You should implement processes for change management, configuration baselines, and automated compliance verification to reduce the risk of vulnerabilities and misconfigurations.

This might be as simple as documenting your 'hardware hardening' process, or 'Zero-Trust' Principles.

ISO27001: Information Deletion

Secure information deletion is crucial for preventing data breaches and compliance violations.  You must establish procedures for securely deleting sensitive data from all storage media, including hard drives, cloud storage, and removable devices. This includes physical destruction or certified data sanitization methods.

Of course if you've been paying attention, the GDPR has expected you to do this since 2018, so you'll already be on top of this. Right?!

ISO27001: Data Masking

Data masking is a technique used to obscure sensitive data while preserving its functionality for testing, development, or training purposes. Controls also include things such as hiding content (such as passwords or credit card numbers) when users are entering the information on screen or on phone calls.

This helps organizations protect sensitive data without compromising the integrity of the information.

ISO27001: Data Leakage Prevention (DLP)

Data leakage prevention systems monitor and control data flows to prevent sensitive information from being accidentally or intentionally transferred outside the organization's approved channels. 

This control includes identifying sensitive data, tracking data movements, and implementing encryption and access controls.

ISO27001: Monitoring, review of Third-parties

Organizations that rely on third-party service providers and vendors must assess their security posture to ensure they do not introduce vulnerabilities or compliance risks to the organization's ISMS. This includes due diligence on third-party providers, contractual agreements for data security requirements, and regular monitoring of their security practices.

This really isn't a significant change on the current supplier review you should be conducting anyway, so the changes here aren't radical.

ISO27001: Web Filtering

You must filter access to external websites to reduce the risk of users or systems accessing malicious sites. You'll need to be clear about what sites people can and cannot access, and this can be included within your Acceptable Use Policies (AUP).

You'll need to agree which kinds of sites to block, and this is something that should be discussed at your management review meeting.

ISO27001: Secure Coding

If you are a development house, then you'll most likely already have a secure coding process in place, and this control simply places more focus on you to ensure secure coding principles are applied.

These principles could be technical in nature or more focused on the people coding. Therefore secure coding principles could include ensuring the development infrastructure is secure, through to verifying the qualifications and training the developers have had.

Again, nothing here is new. If ISO27001 has been done well, secure coding principles will already be followed by your team.


In conclusion, things are changing and you need to get on board sooner rather than later.

The 11 new controls introduced in ISO 27001:2022 represent a significant step forward in addressing the evolving cybersecurity landscape and enhancing your overall organizational security posture.  However, they are built on what was (mostly) there before.

Remember that by implementing these controls, organizations can significantly reduce their risk of data breaches, compliance violations, and reputational damage.

These changes are long overdue, so don't delay - get started today.

If you're struggling to know where to start, simply get in touch for a FREE consultation and one of our team can help you know where to get started.

20 views0 comments


bottom of page