DIY Roadmap Transition ISO 27001 - from 2013 to 2022 version
In 2022 ISO launched a new version of ISO 27001. It is a review and modernization of the previous version from 2013. This page describes what has changed and how we have organized this change in Compleye Online.
For customers who will need to prepare for ISO 27001 certification: this page is for your information; the Platform and DIY Roadmap are already compliant with the 2022 version.
For customers who are in the middle of preparing for certification (Step 3, 4 or 5): use this page as a checklist to ensure you have covered all the new 2022 version features, and use the newly reviewed templates. It is also a good way to get informed about the new version, as your external auditor will discuss it during the certification process.
For customers who are certified under the 2013 version: use this page as your Gap Analysis for the new version, to determine when you will change from the 2013 to the 2022 version. Your external auditor will ask you when you will make the switch; it will be on the list of topics to discuss in the 2023 audit.
When you need to adopt the 2022 version depends on the standards you have adopted. E.g. if you only hold a certificate for ISO 27001, you will need to adopt the 2022 version in 2025 at the latest. If you are certified for standards that are related to ISO 27001 (e.g. ISO27701), the ultimate date is not yet determined; please consult your external audit company.
The general process for adopting a new version: the external auditor will probably charge you extra time to audit your Gap Analysis and your implementation plan. That’s something we can’t change; it’s how the industry has organized it. What we can do is make it easy to deliver all the evidence for the Gap Analysis and for the implementation. This page is your starting point.
If you are going to use this wiki content as a checklist: copy the tables below into a separate document and add them to a (newly created) improvement “Implementation ISO 27001:2022 version”. These tables refer to new templates (or new versions of existing templates); you can download them in the section Policies & Procedures – Templates.
How to use the tables:
Column | Meaning |
---|---|
Chapter / Control | The chapter or control of the ISO27001 standard. |
Identified changes | The changes in content that we identified. |
Deployment | What Compleye has changed/implemented to address the identified changes. You can communicate this to your external auditor. |
New action required | Action that you need to take to implement and to create evidence for the implementation. |
Already covered in Compleye Online | You can refer to your usual evidence for the control, because there are no changes. You can check your internal audit report of the previous year. |
Changes compared to the ISO27001:2013 version – Chapters 1-10
Only the identified changes have been documented.
Chapter | Identified changes | Deployment | New action required | Already covered in Compleye Online |
---|---|---|---|---|
General | | Because of the identified changes, we have reviewed the template ‘mandatory topic document’, improved it and made it even more complete. The format changed from PPT to DOC. | Download, read and adopt the new template: ISMS Mandatory Topics Ch4-10 April 2023. | |
4.2 Understanding the needs and expectations of interested parties | Additional clause: c) which of these requirements will be addressed through the information security management system. | In the section Legal & Compliance there is already a field ISMS Reference, where you can add how the needs and expectations of interested parties are addressed in your ISMS. | | Yes |
4.4 Information security management system | An additional sentence was included: “including the processes needed and their interactions”. | We have created a new template “ISMS & Business Processes April 2023”. | Download, read and assess the template. Create a new control to assess this document at least on a yearly basis. | |
6.1.3 Information security risk treatment | Point d) regarding the SoA was slightly modified; in terms of the requirements it remains the same. | The existing ISRA template already covers the small content change. | | Yes |
6.2 Information security objectives and planning to achieve them | Item d) was added, which requires the objectives to be monitored. | We have added a new security meeting topic to the standard agenda: monitor security objectives, with a link to the section. | Make sure you cover this topic on a regular basis, to stay in control of the progress of the objectives. | |
6.3 Planning of changes | New clause: when the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner. | We have reviewed and adjusted the “Change Management Policy April 2023” and introduced a Change Management Checklist for specific topics. You can make use of the template checklist functionality in Compleye Online. | Download, read and implement the new policy. | |
7.4 Communication | Point e) “the processes by which communication shall be effected” was removed from the updated standard. | No impact on the communication policy template. | | Yes |
8.1 Operational planning and control | The entire clause was changed and expanded: “The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: establishing criteria for the processes; implementing control of the processes in accordance with the criteria. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, if necessary. The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.” | We have made the following changes in our Platform; combined with existing features, these cover all the changes: the section Measures & Control – Controls is renamed to Operational Planning and Control (OPCs); the template ISMS Ops Planning already gives an overview of all compliance activities over the year with suggested timelines; in OPCs the field Procedure is renamed to Procedure / Criteria; the new Change Management Policy addresses changes and criteria during implementation; the new template ISMS & Business Processes addresses external business processes aligned with the ISMS. | Check all your Controls (OPCs) on the topic Procedure / Criteria: check that the criteria are clearly defined (how the control should be performed) and that the criteria for evidence are clearly defined as well. | |
9.1 Monitoring, measurement, analysis and evaluation | A statement was added at the end of the clause: “Documented information shall be available as evidence of the results. The organization shall evaluate the information security performance and the effectiveness of the information security management system.” | The effectiveness check is part of the evaluation of all Controls (Operational Planning & Control) and of the closing of Improvements. The Management Review includes a separate topic at the end of the report on the effectiveness of the ISMS. As a new feature, attachments can now be added to the Management Review. Trend analysis will follow later this year in a new section, as part of our regular project “Data-Driven Compliance”. | Add your own trend reports to the Management Review report if needed. | Yes |
9.3.3 Management review results | In clause 9.3 (Management review), the new item 9.3.2 c) was added, clarifying that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS. | The new item (and the new numbering) is adjusted in the Management Review Reporting section and in the Improvement (evaluation part). No additional action is required; it appears automatically in the Management Review report. | | Yes |
Changes in the Annex A Information security controls reference
The organization of this part has completely changed. In the 2013 version it was organized by clauses A5 – A18, from high-level objectives to detailed requirements, with a total of 114 controls.
In the 2022 version it is organized into 4 clauses (topics) with 93 controls in total, described at a high level:
A5 – Organizational Controls (37)
A6 – People Controls (8)
A7 – Physical Controls (14)
A8 – Technology Controls (34)
A more detailed description, with suggestions and advice on how to implement the controls, can be found in the ISO 27002 standard. Or combine your team’s knowledge and experience with the Compleye Wiki, Templates and workshops for implementation.
We have cross-referenced all the new controls with the old controls; the tables below give an overview of all the changes.
Chapters 4-10: only the identified changes have been documented.
Annex A: all the controls are listed, with the identified changes.
For both:
Deployment = what Compleye has changed/implemented to address the identified changes. You can communicate this to your external auditor.
New action required = action that you need to take to implement and to create evidence for the implementation. If you copy this table and use it as evidence for an improvement, add the link to the Compleye Online section for evidence.
Already covered in Compleye Online = you can refer to your usual evidence for the control, because there are no changes. The internal audit report will deliver the evidence.
Control | Identified changes | Deployment | New action required | Already covered in Compleye Online |
---|---|---|---|---|
General | Statement of Applicability (SoA) | We have adjusted the SoA section according to the newly organized list (4 topics and 93 controls). No additional action is needed: if you create a new SoA, the new list will appear. The old versions of the SoA will stay available. | | Yes |
5. Organizational Controls | | | | |
5.1 Policies for information security | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.2 Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated according to the organization’s needs. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.3 Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.4 Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.5 Contact with authorities and 5.6 Contact with special interest groups | The wording was slightly amended; however, the content remains the same. | To mature your ISMS you can make use of the new template “Authorities & External Feeds and Resources April 2023”. In this template you can create an overview of all authorities you are in contact with and how you will keep yourself informed on updates, trends and news on relevant topics. | Download the Authorities & External Feeds and Resources document. Upload the final version in the Policies & Procedures section. | |
5.7 Threat intelligence | Information relating to information security threats shall be collected and analyzed to produce threat intelligence. | This is a brand new topic on the agenda. We have created a template ‘Threat Intelligence Policy April 2023’ in which we describe how we address this topic. Summary: topic in security meetings; formal policy and a wiki page to check; assign improvements or define controls with the label threat intelligence; yearly review during the Information Security Risk Assessment. | Download and use the template. Upload the final version in the Policies & Procedures section. Make sure you address this topic regularly during security meetings. | |
5.8 Information security in project management | Information security shall be integrated into project management. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.9 Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.10 Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.11 Return of assets | Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.12 Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.13 Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.14 Information transfer | Information transfer rules, procedures or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.15 Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.16 Identity management | The full life cycle of identities shall be managed. | We have adjusted the Access Management Policy and replaced it with a new template “Identity and Access Management Policy April 2023”. Major difference: next to human identities, you will need to determine whether you also need to keep track of and control devices or IT assets. | Download and use the Identity and Access Management Policy template. Upload the final version in the Policies & Procedures section. | |
5.17 Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.18 Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.19 Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers’ products or services. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.20 Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.21 Managing information security in the information and communication technology (ICT) supply chain | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. | We have reviewed and adjusted the Supplier Management Procedure; information security requirements for ICT services and cloud providers were added, to be used during the selection phase. We have redesigned the procedure to make the whole process clearer. | Download the Supplier Management Procedure April 2023, read it and apply it to your next supplier assessment. | |
5.22 Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.23 Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. | See 5.21: addressed in the new Supplier Management Procedure. | See 5.21. | |
5.24 Information security incident management planning and preparation | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. | We have created a new Incident Management Procedure, which covers all of these topics and aligns them with the SDLC Procedure, Data Breach Procedure and Disaster Recovery Plan. | Download the Incident Management Procedure April 2023, read it and apply it to your operations. | |
5.25 Assessment and decision on information security events | The organization shall assess information security events and decide if they are to be categorized as information security incidents. | See 5.24. | | |
5.26 Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | See 5.24. | | |
5.27 Learning from information security incidents | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. | See 5.24. | | |
5.28 Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. | See 5.24. | | |
5.29 Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption. | We have reviewed the DRP, added new topics (RPO and RTO) and improved the alignment with the Business Continuity Plan (BCP). | Download the new template DRP April 2023 and use it for your next assessment. | |
5.30 ICT readiness for business continuity | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | We have reviewed and adjusted the BCP, with better alignment with the DRP. | Download the new template BCP April 2023 and use it during your next BCP assessment. | |
5.31 Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.32 Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.33 Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.34 Privacy and protection of personal identifiable information (PII) | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | This is a new control; however, in our Compleye Online Platform it is already covered (Global Impact, GDPR Assessment, DPIA and ISRA). | | Yes |
5.35 Independent review of information security | The organization’s approach to managing information security and its implementation, including people, processes and technologies, shall be reviewed independently at planned intervals, or when significant changes occur. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.36 Compliance with policies, rules and standards for information security | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
5.37 Documented operating procedures | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
Control | Identified changes | Deployment | New action required | Already covered in Compleye Online |
---|---|---|---|---|
6. People Controls | | | | |
6.1 Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.2 Terms and conditions of employment | The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.3 Information security awareness, education and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.4 Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.5 Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.6 Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.7 Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
6.8 Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. | See 5.24. | | |
Control | Identified changes | Deployment | New action required | Already covered in Compleye Online |
---|---|---|---|---|
7. Physical Controls | | | | |
7.1 Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.2 Physical entry | Secure areas shall be protected by appropriate entry controls and access points. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.3 Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.4 Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.5 Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.6 Working in secure areas | Security measures for working in secure areas shall be designed and implemented. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.7 Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.8 Equipment siting and protection | Equipment shall be sited securely and protected. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.9 Security of assets off-premises | Off-site assets shall be protected. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.10 Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.11 Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.12 Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference or damage. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.13 Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
7.14 Secure disposal or re-use of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | | Yes |
Control | Identified changes | deployment | New action required | already covered in Compleye Online |
---|---|---|---|---|
8 . Technical Controls | ||||
8.1 User endpoint devices | Information stored on, processed by or accessible via user endpoint devices shall be protected. | Already covered in the Workspace & Equipment Policy. No impact on existing ISMS features. | Yes | |
8.2 Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.3 Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.4 Access to source code | Read and write access to source code, development tools and software libraries shall be appropriately managed. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.5 Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.6 Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.7 Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.8 Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.9 Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed | New Control that will need to be documented for every X-ray component. We have added a new field for this topic. If applicable you can add content to Compleye Online (section IT Infrastructure X-ray). A helper button will give a bit more context. | Check all your X-ray Components in Compleye Online – add content to this field if applicable. | |
8.10 Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | New Control that will need to be documented for every X-ray component. We have added a new field for this topic. If applicable you can add content to Compleye Online (section IT Infrastructure X-ray). A helper button will give a bit more context. | Check all your X-ray Components in Compleye Online – add content to this field if applicable. | |
8.11 Data masking | Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration | New Control that will need to be documented for every X-ray component. We have added a new field for this topic. If applicable you can add content to Compleye Online (section IT Infrastructure X-ray). A helper button will give a bit more context. | Check all your X-ray Components in Compleye Online – add content to this field if applicable. | |
8.12 Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | New Control that will need to be documented for every X-ray component. We have added a new field for this topic. If applicable you can add content to Compleye Online (section IT Infrastructure X-ray). A helper button will give a bit more context. | Check all your X-ray Components in Compleye Online – add content to this field if applicable. | |
8.13 Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.14 Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.15 Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.16 Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | This is a new control; however, we have already implemented this topic in Compleye Online as part of the documentation of X-ray components. | | |
8.17 Clock synchronization | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.18 Use of privileged utility programs | The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.19 Installation of software on operational systems | Procedures and measures shall be implemented to securely manage software installation on operational systems. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.20 Network security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.21 Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.22 Segregation of networks | Groups of information services, users and information systems shall be segregated in the organization’s networks. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.23 Web filtering | Access to external websites shall be managed to reduce exposure to malicious content. | New Control that will need to be documented for every X-ray component. We have added a new field for this topic. If applicable you can add content to Compleye Online (section IT Infrastructure X-ray). A helper button will give a bit more context. | Check all your X-ray Components in Compleye Online – add content to this field if applicable. | |
8.24 Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.25 Secure development life cycle | Rules for the secure development of software and systems shall be established and applied. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.26 Application security requirements | Information security requirements shall be identified, specified and approved when developing or acquiring applications. | This is a new control; however, it is already covered in your SDLC procedure. We have a template checklist for SDLC that you have already used to document this topic. | Yes | |
8.27 Secure system architecture and engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.28 Secure coding | Secure coding principles shall be applied to software development. | This is a new control; however, it is already covered in your SDLC procedure. We have a template checklist for SDLC that you have already used to document this topic. | Yes | |
8.29 Security testing in development and acceptance | Security testing processes shall be defined and implemented in the development life cycle. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.30 Outsourced development | The organization shall direct, monitor and review the activities related to outsourced system development. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.31 Separation of development, test and production environments | Development, testing and production environments shall be separated and secured. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.32 Change management | Changes to information processing facilities and information systems shall be subject to change management procedures. | The wording was slightly amended; however, the content remains the same. No impact on existing ISMS features. | Yes | |
8.33 Test information | Test information shall be appropriately selected, protected and managed. | This is a new control; however, it is already covered in your SDLC procedure. We have a template checklist for SDLC that you have already used to document this topic. | Yes | |
8.34 Protection of information systems during audit testing | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. | See 5.29. | | |