Navigating 

ISO 27001:Upgrade to 2022

In this article we will be looking at ISO 27001

In today’s digital landscape, data security is paramount. With cyber threats evolving rapidly, organisations must stay ahead by implementing robust information security management systems (ISMS). The International Organisation for Standardisation (ISO) has long been at the forefront of defining these standards, with ISO 27001 being a cornerstone for organisations worldwide. As the digital ecosystem advances, so too must the standards that govern it. In this article, we’ll explore the transition from ISO 27001:2013 to the updated version, ISO 27001:2022.

Understanding ISO 27001:
ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Its framework assists organisations in managing and protecting their valuable information assets, ensuring confidentiality, integrity, and availability. Since its inception, ISO 27001 has provided a structured approach to information security, helping organisations mitigate risks and adapt to changing threats

.

Transition to ISO 27001:2022:
The ISO periodically reviews and updates its standards to reflect changes in technology, security threats, and best practices. The transition from ISO 27001:2013 to ISO 27001:2022 represents an evolution in information security management. While the core principles remain consistent, there are notable updates aimed at enhancing effectiveness and relevance in today’s digital age.

Key Changes and Enhancements:

Emphasis on Risk Management: ISO 27001:2022 places greater emphasis on risk management, aligning with the ISO 31000 standard. Organisations are encouraged to adopt a proactive approach to identify, assess, and mitigate information security risks systematically.

Integration with Business Processes: The updated standard emphasizes the integration of information security management into broader business processes. This ensures that security considerations are embedded across all organizational functions, enhancing overall resilience.

Adaptability and Flexibility: ISO 27001:2022 acknowledges the dynamic nature of cybersecurity threats and encourages organizations to adopt a more flexible approach to security management. This includes considerations for emerging technologies, remote work environments, and evolving regulatory requirements.

Enhanced Controls: The updated standard introduces new controls and updates existing ones to address contemporary cybersecurity challenges. This includes measures to safeguard against emerging threats such as ransomware, supply chain attacks, and insider threats.

Preparing for Transition:
Organizations currently certified to ISO 27001:2013 will need to transition to the new standard to maintain compliance. To facilitate a smooth transition, consider the following steps:

Awareness and Training: Ensure that key stakeholders are aware of the changes introduced in ISO 27001:2022. Provide training to personnel involved in implementing and maintaining the ISMS.

Gap Analysis: Conduct a thorough gap analysis to identify areas where your current information security practices may need to be updated to align with the new standard.

Revision of Documentation: Review and update documentation, including policies, procedures, and risk assessments, to reflect the requirements of ISO 27001:2022.

Implementation of Controls: Implement new controls and enhancements as required by the updated standard. This may involve deploying additional security measures or refining existing processes.

Third-Party Audits: Schedule a third-party audit to assess compliance with ISO 27001:2022. Work closely with auditors to address any non-conformities identified during the audit process.

The transition from ISO 27001:2013 to ISO 27001:2022 represents a significant milestone in the ongoing evolution of information security management. By embracing the updated standard, organizations can strengthen their resilience against evolving cyber threats, enhance stakeholder trust, and demonstrate a commitment to safeguarding sensitive information. Through proactive preparation and strategic implementation, organizations can navigate the transition smoothly and position themselves for long-term success in an increasingly digital world.

What are the main changes in ISO/IEC 27001 2022?
35 controls remain unchanged, 57 have been merged, 23 others have been renamed and 11 new ones have been introduced. This takes the controls from 114 to 93, spread over 4 categories.

The term “International standard” has been replaced with “document” throughout
Some English phrases have been amended to allow for easier translation
There are also changes to align with the ISO harmonised approach:
Numbering re-structure
The requirement to define processes needed for implementing the ISMS and their interactions
The explicit requirement to communicate organisational roles relevant to information security within the organisation
New clause 6.3 – Planning of Changes
New requirement to ensure the organisation determines how to communicate as part of clause 7.4
New requirements to establish criteria for operational processes and implement control of the processes
The most significant modifications in this revision occur in Annex A, mirroring the alterations made in ISO/IEC 27002:2022. These include:
A restructured format consolidates the content into four main categories: Organisational, People, Physical, and Technological, a reduction from the prior 14 sections.
The quantity of controls has been trimmed down from 114 to 93.
There’s been a remix of controls – some have amalgamated, some have been eliminated, new ones have surfaced, and others have received updates.
Introduction of the attribute concept.
Aligning with the prevalent terminology within the realm of digital security, the five attributes introduced are: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.

Changes in detail
Clause 3 “Definitions”
This segment now incorporates references to the ISO online browsing platform and the IEC Electropedia, which host the terminology databases. The inclusion of these hyperlinks significantly simplifies the process of reviewing terminology to obtain a clearer understanding of clauses and controls.

Clause 4.2 “Understanding the needs and expectations of interested parties”
The inclusion of item (c) stipulating “which of these requirements will be addressed through the information security management system” indicates that greater clarity will be required concerning the expectations of interested parties.

Clause 4.4 “Information security management system”
Supplementary wording has been added, necessitating the inclusion of “the processes required [for the maintenance and improvement of the ISMS] and their interactions, in accordance with the requirements of this document.” This adjustment facilitates alignment with other ISO standards, such as ISO 9001:2015 and ISO 22301:2019.

Clause 5.3 “Organisational roles, responsibilities and authorities”
This clause has been amended to read, “Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation,” providing clearer direction regarding who should receive these communications.

Clause 6.1.3 “Information security risk treatment”
The update to Note 2 now states “Annex A contains a list of possible information security controls,” replacing the original “comprehensive list of control objectives and controls.” This adjustment underscores the possibility of considering additional controls as part of your ISMS.

Clause 6.2 “Information security objectives and planning to achieve them”
Item (d) has been added, requiring objectives to be monitored throughout the certification lifecycle. While not previously specified in ISO 27001:2013, this requirement now ensures that progress (or lack thereof) against objectives is tracked.

Clause 6.3 “Planning of Changes”
An entirely new clause that encapsulates the prior requirements of Change Control, it’s titled “Planning of Changes.” It ensures that any changes to the information security management system required by the organisation are executed in an orderly fashion.

Clause 7.4 “Communication”
A further modification has led to the removal of item (e), the requirement for establishing communication processes, suggesting that the method of communication delivery doesn’t significantly impact its reception.

Clause 8.1 “Operational planning and control”
This now states “The organisation shall ensure that externally provided process, products or services that are relevant to the ISMS are controlled.” The revised wording of this control offers clearer guidance for implementing an ISMS compared to the original phrasing. Also, the requirement to implement plans for achieving objectives was removed, as it’s covered in Clause 6.2.

Clause 9.1 “Monitoring, measurement analysis and evaluation”
Transferring the note from the existing standard stating “The methods selected should produce comparable and reproducible results to be considered valid” to the main body of the text lends crucial clarity about what qualifies as a “valid” result according to the standard.

Clause 9.3 “Management Review”
The reorganisation of this clause has resulted in three sub-clauses. Item (c) was added to 9.3.2 Management review inputs, now including “changes and needs and expectations of interested parties that are relevant to the information security management system.”

Clause 10 “Improvement”
The arrangement of this clause has been inverted, so 10.1 is now “Continual Improvement” and 10.2 is now “Nonconformity and Corrective Action.”

Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?
First of all, don’t panic. The recent modifications in ISO/IEC 27001:2022 won’t have an impact on the existing ISO/IEC 27001 certificate. For those aspiring to obtain certification against the new standard, the British Assessment Bureau has introduced the ISO/IEC 27001 Transition training course, along with updated ISO/IEC 27001 Lead Auditor and Lead Implementer training programs.

Getting started with your health and safety management system

If you would like more information on how to get certified, we’d be happy to arrange a call to talk about your options. Alternatively, if you would like a quotation at any point just fill in our FREE quote calculator.