ISO/IEC 27001:2022 Key Changes

After the release of ISO/IEC 27001:2022 on October 25, 2022, here is a high-level analysis of the significant changes introduced in the standard.

In summary, the most notable change in the standard is the comprehensive adoption of controls from ISO 27002:2022. If you are already certified to ISO 27001:2013, transitioning to the new standard should primarily focus on understanding and implementing these controls. The controls are now categorized into four themes instead of the previous 14 categories, and attributes have been introduced to allow you to assess your security posture based on different criteria. While the total number of controls has been reduced from 114 to 93, this is due to consolidation, with 11 new controls introduced and no deletions.

While there are several changes in the management system clauses, most of them aim to provide more explicit requirements and align better with other Annex SL standards, such as ISO 9001 and ISO 22301. It is crucial to familiarize yourself with these changes and ensure that your information security management system (ISMS) meets the updated requirements. Here are three significant changes:

1. Clause 4.4: The requirement to establish, implement, maintain, and continually improve your ISMS now includes the phrase "including the processes needed and their interactions." This addition emphasizes the importance of smooth transitions between different processes and the interaction and handover between them.

2. Clause 6.3 Planning of Changes: This new subclause, inspired by the 2015 introduction of ISO 9001, addresses the planning of changes. It requires considering factors such as the purpose of the change, potential consequences, impact on the ISMS, resource availability, and allocation or reallocation of responsibilities and authorities.

3. Clause 9.3.2 c): Another new requirement is to consider the "changes in needs and expectations of interested parties relevant to the ISMS." This necessitates monitoring and reviewing these needs and expectations and providing evidence of having done so.

For more detailed information on these changes and to explore related training courses, please see the options below.

ANALYSIS OF CHANGES

This video provides high-level analysis of the significant changes introduced by ISO 27001:2022.

CONSULTANCY SUPPORT

ISO 27001 consultants offer personalized consultancy support to help you understand the changes brought by ISO 27001:2022 and their impact on your specific ISMS. They can guide you in effectively implementing the necessary changes, updating your ISMS and related documentation, and conducting a tailored ISO 27001 gap analysis and risk assessment that aligns with the updated standard.

TRAINING SUPPORT

You can take advantage of migration and transition courses:

1. 1-day ISO 27002:2022 Control Migration Course. This course focuses on the key changes between ISO 27002:2013 and ISO 27002:2022. You will learn about the differences in approach, changes to controls (new, merged, deleted), and the introduction of the new 'attribute' feature.

2. 2-day ISO 27001:2022 Transition Course. This course includes the ISO 27002:2022 Control Migration Course on day 1. On day 2, it covers the changes in the management system clauses and provides guidance on updating your risk assessment to transition to ISO 27001:2022.

RISK MANAGEMENT TOOL

Also, many companies offer assistance in transitioning risk assessment with automated risk management tool like Abriska 27001. The tool has been fully updated to incorporate the new Annex A controls and allows to leverage the new attribute functionality introduced in ISO 27001:2022. To learn more about Abriska and its capabilities, your can watch the webinar recording that provides comprehensive information and insights into how Abriska can support your risk management needs.

NOT CERTIFIED?

There has never been a more opportune moment to establish an information security management system (ISMS) and obtain ISO 27001 certification if you have not done so already. Developing an ISMS and achieving certification brings numerous advantages to any organization. If you are interested in learning more about the benefits and the process involved in implementing ISO 27001 please visit this ISO 27001 FAQ page. It provides valuable information and address frequently asked questions related to ISO 27001, ensuring that you have access to the latest insights and guidance. Make sure to check the page regularly to stay informed about the most up-to-date information on ISO 27001 implementation and certification.