Everything You Need To Know About The ISO 27001:2022 Update
In the digital age, protecting sensitive and confidential information has become more critical than ever before. Cyber attacks, data breaches, and other security incidents have become more frequent, leading to a loss of reputation and financial losses for businesses. To address these risks, the International Organization for Standardization (ISO) developed a set of standards for Information Security Management Systems (ISMS) known as ISO 27001. The latest version of the standard, ISO 27001:2022, was published on 25th October 2022.
Changes Made in Mandatory Clauses
The latest version of ISO 27001 includes several changes and updates that organizations need to consider when transitioning their existing ISMS to the new version. Here are some of the notable changes in ISO 27001:2022:
Clause Wise:
- Clause 4 – Context of the organization: In ISO 27001:2022, clause 4 has been expanded to include new requirements related to the organization’s internal and external context, risk management, and the scope of the ISMS.
- Clause 5 – Leadership: In ISO 27001:2022, clause 5 now requires top management to place greater emphasis on the leadership’s role in establishing, implementing, maintaining, and continually improving the information security management system.
- Clause 6 – Planning: In ISO 27001:2022, clause 6 has been updated to include new requirements related to risk assessment and risk treatment. The updated version requires the organization to identify, assess, and evaluate the risks associated with the information security management system. The organization must develop and implement a risk treatment plan to address the identified risks.
- Clause 8 – Operation: In ISO 27001:2022, clause 8 has been updated to include new requirements related to supply chain security, information security incident management, and protection of personal data. The standard requires the organization to assess the information security risks associated with outsourcing and to establish controls to manage those risks. The organization must also ensure that its suppliers and contractors comply with the organization’s information security requirements.
- Clause 9 – Performance evaluation: In ISO 27001:2022, clause 9 has been revised to include new requirements related to monitoring, measurement, analysis, and evaluation of the ISMS.
- Clause 10 – Improvement: In ISO 27001:2022, clause 10 has been updated to include new requirements related to continual improvement of the ISMS.
Changes in Annex A:
Annex A has changed significantly in terms of restructuring:
- The number of controls is now 93, while the earlier version had 114.
- In the 2013 version, the controls were placed in 14 sections, while in the 2022 version the controls are placed in only 4 sections.
- Controls have been merged rather than deleted.
- 11 new controls have been identified and added.
- Several clauses and notes make it clear that the Annex A controls are not exhaustive. Organizations should use them as a baseline but should look at their own environments to correctly identify any other necessary controls, risks, etc.
These controls and changes have made the standard more concise and simpler to implement. Most of the overlap and repetition has been eliminated in this updated version.
Key Benefits of Changes
The changes made to the ISO 27001 standard in its 2022 version provide several benefits to organizations that adopt the new standard. Some of the key benefits are:
- Enhanced risk management: The new version of the standard places greater emphasis on the risk-based approach, which ensures that organizations allocate their resources to where they are most needed, making the information security management process more efficient and effective.
- Increased flexibility: The new standard provides greater flexibility in how organizations can implement it, allowing them to tailor the standard to their specific needs and context.
- Improved alignment with other standards: The new version of the standard is more closely aligned with other ISO management system standards, such as ISO 9001 and ISO 14001. This alignment makes it easier for organizations to integrate their information security management with other management systems, enhancing overall organizational performance.
- Improved communication: The new standard places greater emphasis on communication and collaboration, both within the organization and with external stakeholders. This emphasis on communication ensures that everyone involved in the information security management process is on the same page, improving overall information security governance and reducing the risk of information security incidents.
- Increased emphasis on supply chain security: The new version of the standard places greater emphasis on supply chain security, ensuring that organizations are aware of the potential information security risks associated with their supply chain partners.
Timeline for Transition Process
The new changes in ISO/IEC 27001:2022 will not affect the current ISO/IEC 27001 certificate. Based on the guidelines provided by the International Accreditation Forum, “Transition requirements for ISO/IEC 27001:2022”, the transition to ISO 27001:2022 needs to be completed by October 31st, 2025. So you have enough time to study and implement the changes.
The certification body has not started certifying against the new requirements yet. For recertification, the best time to start the implementation is before you go for your next internal audit. The internal ISO 27001:2022 audit involves a detailed assessment of your organization’s ISMS to ensure that it complies with the new standard’s criteria and that its controls are effectively implemented. It will also check your system implementation against the new standard’s documentation, implementation, and certification requirements.