The new Annex A of ISO/IEC 27001:2022
The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is taken directly from ISO/IEC 27002:2022. That catalog of general security controls was published in February 2022, so the changes to Annex A of ISO/IEC 27001:2022 had been foreseeable for some time. Previously, Annex A comprised a total of 114 controls for addressing information security risks, grouped under 35 control objectives in 14 clauses.
Besides dropping the control objectives, the new ISO/IEC 27001:2022 revises and updates the information security controls in Annex A, reorganizes them, and supplements them with some new controls.
The former 14 clauses of Annex A are now grouped into the following 4 themes:
A.5 Organizational controls (37 controls)
A.6 People controls (8 controls)
A.7 Physical controls (14 controls)
A.8 Technological controls (34 controls)
Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 controls are new:
A.5.7 Threat intelligence
A.5.23 Information security for the use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Deletion of information
A.8.11 Data masking
A.8.12 Data leak prevention
A.8.16 Activity monitoring
A.8.23 Web filtering
A.8.28 Secure coding
While Annex A of ISO/IEC 27001:2022 only names the controls, the ISO/IEC 27002:2022 implementation guide offers further ways to categorize them. There, each control carries five attributes that provide different views and perspectives on it. The attributes and their attribute values can be used to filter, sort, or display the controls for different organizational views.
The five attributes are:
Control type views a control from the perspective of when and how the measure changes the risk related to the occurrence of an information security incident.
Information security properties views a control from the perspective of which protection goal the measure is intended to support.
Cybersecurity concepts views a control from the perspective of how it maps to the cybersecurity framework described in ISO/IEC TS 27110.
Operational capabilities views a control from the perspective of its operational information security capability and supports a practitioner's view of the measures.
Security domains views a control from the perspective of four information security domains.