The number of U.S. companies obtaining ISO certification increases each year. While not legally mandated in many instances, customers generally prefer to engage with organizations that prioritize data security, including safeguarding their own information.
With 2022’s significant ISO 27001 updates set to take effect October 25, 2025, organizations can yet again gain a competitive advantage over their peers. It’s a fact: Your ISO 27001 certification tells prospects your information security management system (ISMS) has been judged against strict and impartial standards by a validated third party.
Being ISO 27001:2022 certified not only means better security for you, but it also means better security for your customers and can be key to retaining their business.
What Is ISO 27001?
It’s been more than 50 years since the introduction of ISO standards. Currently, there are over 25,000 in place, covering everything from weights and measures to emissions of gas and radiation. In October 2022, ISO 27001:2022, “the world’s best-known standard for information security management systems,” was unveiled, providing organizations with standardized guidance on creating, running, maintaining, and improving an ISMS.
Recognized globally across numerous industries, ISO 27001 defines the requirements an organization must meet to show it runs a strong ISMS, and ISO 27001 certification is the independent proof that it does. It differs from the previous release, ISO 27001:2013, in numerous ways (more on that later).
The Benefits of ISO 27001
Obtaining ISO 27001 certification indicates your ISMS adheres to industry-high standards. In a world where data breaches and privacy scandals are becoming increasingly common, strengthening your security could be a game-changer — not only protecting your current operations but also unlocking new business opportunities for the future.
The decision whether to pursue ISO 27001 certification must be made strategically, particularly for small businesses. When everyone on a team is already pulling their weight, there may be hesitation to push ahead on a complex certification process that appears to be riddled with “red tape.”
On the other hand, becoming a trusted part of the supply chain for a major (and lucrative) player can be a strong incentive to push through the process. Getting ISO 27001 certified tells potential partners or customers you adhere to industry standards and run an internal operation free of unnecessary ISMS security risks.
By extension, this commitment to data security not only improves your overall security culture but speaks volumes to your integrity and conscientiousness as a potential business partner.
What is ISO 27002?
Also known as the “Code of Practice for Information Security Controls,” ISO 27002 was released just months after ISO 27001 and supports the original standard, specifically providing clarification and depth on how the information security controls (within an ISMS) can be implemented.
As stated by TechTarget, “ISO 27001 doesn’t provide detailed guidelines on how to implement the controls but relies on the information provided by ISO 27002 as a source of information security best practices.” Upon its release, organizations had a three-year grace period to comply with the new regulations. On October 25, 2025, those three years will be up, and the new standard will be in full effect.
To clarify: ISO 27002 is not a certification. You can only gain ISO 27001 certification, but following ISO 27002 guidelines can simplify the security implementation process.
ISO 27001:2022 vs. ISO 27001:2013 | What’s New?
Here’s what to watch for to maintain or achieve ISO 27001 compliance by next October. If you’re only compliant with ISO 27001:2013 – and plan to keep taking advantage of your ISO certification status by re-upping next year – note these changes and incorporate them into your 2025 security strategy.
General differences
Some significant changes in ISO 27001:2022 include:
- A more user-friendly format
- Changes to the ISMS clauses and Annex A controls (aka ISO 27002:2022)
- Instead of 14 domains, there are four categories: Organizational, People, Technological, Physical
- Increased focus on cloud security, physical security, data protection, and third parties/outsourcing
- Fewer overall controls (from 114 to 113), and 11 new controls
11 new controls
Understanding the new controls is crucial for any organization aiming to continue its ISO certification after October 2025. They include:
- 5.7 Threat intelligence: Organizations must take relevant data from the current threat landscape, analyze it, and use it to prepare for and respond to security events. They are encouraged to leverage external sources such as conferences and information-sharing groups.
- 5.23 Information security for use of cloud services: Organizations remain responsible for cloud security even when the cloud provider already supplies some security features. This includes defining policies for the transfer, retention, and deletion of data; access controls; maintenance; and more.
- 5.30 ICT readiness for business continuity: Business impact analysis (BIA) requirements should be translated into Information and Communications Technology (ICT) continuity strategies in preparation for events compromising an organization’s data availability.
- 7.4 Physical security monitoring: Where confidential information is being processed on the premises, surveillance systems should be put in place.
- 8.9 Configuration management: Managed configuration processes should be implemented across a company’s hardware, software, and services.
- 8.10 Information deletion: Data deletion processes should be in place, proportionate to the sensitivity of the data and in line with any applicable data governance laws and regulations.
- 8.11 Data masking: Data masking controls must be implemented to protect all instances of sensitive data. Alongside masking itself, the techniques covered include pseudonymization and anonymization.
- 8.12 Data leakage prevention: A three-step approach is proposed to prevent data leakage: data classification, data flow monitoring, and taking action to prevent the unauthorized disclosure of information.
- 8.16 Monitoring activities: Organizations should monitor for anomalous behavior across their network, as doing so is crucial to incident response and timely action.
- 8.23 Web filtering: To limit the exposure of an organization’s assets to malicious web content, organizations are encouraged to leverage anti-malware tools, browser configurations, and employee training programs.
- 8.28 Secure coding: Organizations should follow principles of secure coding before, during, and after the code becomes operational.
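The data masking control and the three-step data leakage prevention approach described above are easier to reason about in code. The following is an added example written for this article; it is not from the article or from Fortra, and the policy, field names, and outbound log lines are constructed for illustration. It classifies message bodies by looking for Luhn-valid payment card numbers and e-mail addresses (step one), inspects a constructed outbound log (step two), and blocks or logs each message while replacing card numbers with a masked form (step three). It also shows keyed pseudonymization, which gives a stable token per value for reporting without exposing the original.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Candidate card number: 13 to 19 digits with optional single space or dash separators.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Hypothetical log format: the message body is carried in body='...'.
BODY_RE = re.compile(r"body='([^']*)'")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Step 1 (classification): card-like numbers that also pass the Luhn check."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]


def classify(text: str) -> set[str]:
    """Assign sensitivity labels to a piece of text."""
    labels = set()
    if find_pans(text):
        labels.add("PAN")
    if EMAIL_RE.search(text):
        labels.add("EMAIL")
    return labels


def mask_pan(pan: str) -> str:
    """Control 8.11, masking: keep only the last four digits, as a receipt does."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Control 8.11, pseudonymization: a keyed HMAC yields the same token for the same
    value, so records can be joined for reporting while the key holder alone can
    re-link tokens to real values."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Verdict:
    action: str        # "allow", "allow-logged" or "block" (hypothetical policy)
    labels: set
    redacted: str      # body with card numbers masked, safe to write to the audit log


def inspect_outbound(line: str) -> Verdict:
    """Steps 2 and 3 (monitoring and action): inspect one outbound event and decide."""
    m = BODY_RE.search(line)
    body = m.group(1) if m else line
    labels = classify(body)
    redacted = body
    for pan in find_pans(body):
        redacted = redacted.replace(pan, mask_pan(pan))
    if "PAN" in labels:
        return Verdict("block", labels, redacted)
    if "EMAIL" in labels:
        return Verdict("allow-logged", labels, redacted)
    return Verdict("allow", labels, redacted)


# Constructed sample events, not real traffic. 4111 1111 1111 1111 is a standard test
# number; 4111111111111112 fails the Luhn check and must not be treated as a card.
OUTBOUND_LOG = [
    "2025-01-15T10:02:11Z smtp user=alice to=partner@example.com body='invoice 4482 attached'",
    "2025-01-15T10:05:43Z smtp user=bob to=me@personal.example body='card 4111 1111 1111 1111 exp 09/27'",
    "2025-01-15T10:07:02Z https user=carol dst=crm.example body='order 4111111111111112 shipped to dave@example.com'",
]


def run_policy(lines=OUTBOUND_LOG) -> list[Verdict]:
    return [inspect_outbound(line) for line in lines]


if __name__ == "__main__":
    for v in run_policy():
        print(f"{v.action:13} {sorted(v.labels)} {v.redacted}")
```

Only the message body is classified, so the recipient address in the envelope does not trip the e-mail rule; in a real deployment the label set, the block/log decision, and the choice of what to pseudonymize would come from the organization's data classification scheme rather than from the constants used here.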
Building a Competitive Edge with ISO 27001:2022
Numerous Fortune 500 companies are currently ISO 27001 certified, including Apple, Google, Microsoft, Verizon, and Amazon. Perhaps unsurprisingly, in 2020 there was nearly a 25% growth rate in organizations receiving the certification, and over 67,000 organizations were ISO 27001 certified as of 2022.
With so many organizations having achieved ISO 27001 certification, it’s likely they will implement the new requirements by the deadline — if they haven’t done so already. Achieving this certification is a sign of security integrity where information security management systems are concerned. As supply chains continue to grow and the world trends further toward digitization, the importance of keeping your ISO 27001 certification – or achieving it – cannot be overstated.
If you’re ready to start your journey toward maintaining your ISO 27001:2022 adherence or achieving certification for the first time, partnering with a trusted third-party resource can give you access to the technologies and expertise you’ll need. Fortra’s Alert Logic managed security services and other Fortra data classification solutions are a powerful first step toward a more resilient and secure organization.
Additional Resources:
Using Data Classification to Support ISO 27001 Compliance