The much-anticipated 2022 update to the ISO 27001 Standard is here! Its official name is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems.
So, what’s changed in the update?
Let’s start with the key changes.
- The management system of ISO 27001:2022 is aligned to the latest Annex SL structure (the same structure used by ISO 9001, ISO 14001 and the other ISO management system standards).
- Changes to Annex A of ISO 27001, which is aligned to ISO 27002, the code of practice that provides guidance on applying the security controls.
Let’s have a look at the changes in more detail…
Changes to the management system
- Context of the organisation – new additions and changes to 4.2 and 4.4
- Leadership – no change
- Planning – no change
  - 6.1.3 Information security risk treatment – a few minor changes throughout
  - 6.2 Objectives – two new additions
  - 6.3 Change management – a new clause in this Standard, brought in as part of the improvements; it is all about planning for change!
- Support – no change
  - 7.4 Communication – one new update to the communication requirement
- 8.1 Operation – some improvements to the descriptions of these categories and clauses; ‘products and services’ have also been brought into consideration
- 9.1 Performance evaluation – two amendments regarding the methods for monitoring, measurement and evaluation of results, and the way in which documentation is provided as evidence
- 9.2 Internal audit – now split into two subclauses, General and Internal Audit Programme, for enhanced clarity
- 9.3 Management review – split into three subclauses, again to enhance clarity
- 10.1 Continual improvement – has changed places with Nonconformity and corrective action, but there are no other changes to note
- 10.2 Nonconformity and corrective action – no change except to the way documentation is made available as evidence
Changes to Annex A controls
Both the controls and their classifications will change for ISO 27002.
Previously, Annex A contained 114 controls divided into 14 sections, A5 to A18, organised into control objectives and underlying control activities.
The 2022 version has been restructured, and there are now 93 controls consolidated into four clauses, referred to as ‘Themes’:
- Clause 5 – Organisational (37 controls)
- Clause 6 – People (8 controls)
- Clause 7 – Physical (14 controls)
- Clause 8 – Technological (34 controls)
Some controls have been merged with similar controls, others updated, and some are brand-new. So even though the number of controls has reduced from 114 to 93, no controls have been excluded.
Among the 93 controls, there will be 11 new controls that reflect the changing technical and threat landscapes:
- 5.7 Threat intelligence
- 5.23 Information security for the use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
What do these changes mean for my ISO 27001 certification?
Even though the new Standard has been published by ISO, we are still waiting for its official release within the UK before we can begin helping clients to adopt its new content. Following its official release, it is expected that organisations will have the usual three-year window to complete the transition to the new Standard. So, if you are an existing QMS client certified to ISO 27001:2013, don’t worry: we will reach out to you when we are in a position to discuss the upgrade of your management system, or discuss it with you at your next external annual audit.
Or, if you are looking to gain ISO 27001 certification, just get in touch with us on 0333 344 3646 or use our fee calculator to get a quick quote.