The ISO/IEC 27001 standard is one of the most widely used and accepted information security standards worldwide. On 25 October 2022, its third edition was published as ISO/IEC 27001:2022 to address global cybersecurity challenges and improve digital trust. This paper compares and contrasts ISO/IEC 27001:2022 with ISO/IEC 27001:2013 through the lens of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CF) for critical infrastructure protection, version 1.1. The framework was chosen because the security controls in Annex A of ISO/IEC 27001 are cited as informative references under each of the NIST CF's five Functions (Identify, Protect, Detect, Respond and Recover) to guide implementation. The author sought to establish whether, and how, ISO/IEC 27001:2022 improves enterprise systems security. Descriptive statistics were used to determine the frequency distribution of ISO/IEC 27001:2022 security controls across the NIST CF Functions. The Protect Function was found to carry a larger share of mapped security controls than the other four Functions; notably, that share was 52% for both ISO/IEC 27001:2022 and ISO/IEC 27001:2013. It was concluded that ISO/IEC 27001:2022 is a slight improvement over ISO/IEC 27001:2013, as it also introduces eleven new security controls, one of which addresses the security of cloud computing services, which have been increasingly adopted by many businesses.
Masike Malatji is the author of this paper.