A New Era for Information Security: Understanding the Changes in ISO 27001:2022

Companies requiring sophisticated security processes should consider ISO certification 27001:2022. ISO 27001 certification is the central foundation for information security management systems (ISMS) within the ISO 27000 series. ISMS provides the framework for policies and procedures, including all legal, technical and physical controls required by a company’s information risk management processes. In providing ISMS implementation requirements, ISO 27001 controls take an adequate and appropriate risk-based approach, allowing businesses of any size to manage security assets with ease.

ISO Certification 27001:2022: What Is Different?

The long-awaited ISO certification 27001:2022 standard has been published, bringing with it numerous modifications. While 35 controls have remained unchanged, 57 have been merged, 23 have been renamed, and 11 are entirely new. This reduces the number of controls from 114 to 93, distributed across four categories.

Let’s examine the changes in greater depth.

What Has Changed In ISO Certification 27001:2022 Version?

The title of the information security standard document has been changed to Information security, cyber security, and privacy protection – Information security management systems, which is the first noticeable change.

Clauses 4 to 10 have also been modified significantly.

Clause 3

The “Definitions” clause has been updated and now contains links to the IEC Electropedia (the terminology database) and the ISO online browsing platform. These links make it much simpler to look up terminology and so gain clarity on the meaning of clauses and controls.

Clause 4.2

The addition to the “Understanding the Expectations and Needs of Interested Parties” clause specifies which of the requirements the information security management system will address. This addition will necessitate greater clarity regarding the requirements of interested parties.

Clause 4.4

New points have been added to the “Information Security Management System” clause, mandating that the processes required for the maintenance and improvement of the ISMS, and their interactions, are included as per the requirements of the document. This addition aligns the standard with other ISO standards, including ISO 9001:2015 and ISO 22301:2019.

Clause 5.3

The modification to the “Organisational Roles, Responsibilities & Authorities” clause makes explicit that top management must ensure that the responsibilities and authorities for information security-related roles are assigned and communicated throughout the organisation. This clarifies to whom those responsibilities should be communicated.

Clause 6.1.3

“Information Security Risk Treatment” has been changed to indicate that Annex A contains a list of potential information security controls. This emphasises the possibility of considering additional controls as part of your ISMS.

Clause 6.2

The addition of item (d) to the “Information Security Objectives & Planning” clause requires objectives to be monitored throughout the certification’s lifecycle. This requirement was not stated in ISO 27001:2013; in ISO Certification 27001:2022 it ensures that progress against objectives (or the lack of it) is monitored.

Clause 6.3

The “Planning of Changes” clause is entirely new, but it encompasses the pre-existing change control requirements. The introduction of this clause ensures that when a company needs to make modifications to its information security management system, the modifications must be made in a planned way.

Clause 7.4

A further amendment resulted in the removal of item (e) from the “Communication” clause, which stated the requirement to establish communication processes, indicating that the manner in which communications are conducted has little bearing on how they are received.

Clause 8.1

The updated version of the “Operational Planning and Control” clause now states that the organisation shall ensure that all relevant externally provided processes, products, and services are controlled. The revised format of this control provides greater clarity for implementing an ISMS than the original.

Clause 9.1

A note added to the existing “Monitoring, Measurement, Analysis & Evaluation” clause states that, to be considered valid, the methods selected must produce comparable and reproducible results. This addition provides much-needed clarification regarding what the standard considers a “valid” result.

Clause 9.3

The restructuring of the “Management Review” clause has resulted in the addition of three subclauses.

The new addition to 9.3.2 “Management Review” in ISO Certification 27001:2022 specifies that changes to the needs and expectations of interested parties that are pertinent to the information security management system are to be reviewed.

Clause 10

The order of the subclauses in the “Improvement” clause has been reversed: subclause 10.1 is now “Continuous Improvement” and subclause 10.2 is “Nonconformity and Corrective Action.”

Overall, the new ISO Certification 27001:2022 provides greater clarity within Clauses 4 to 10 by incorporating minor amendments and taking into account more contemporary cyber security requirements, such as threat intelligence. In an effort to reduce the complexity of implementing and maintaining an ISMS, the standard has merged a number of controls to reduce redundancy.

When should businesses implement the new control set?

Now that the new standard has been published, it is anticipated that there will be a three-year transition period during which the changes can be implemented. In addition, certification bodies will need time to interpret and adopt the new standard and the accompanying changes to the control set. This implies that certification bodies are unlikely to offer assessments against the updated standard for three to six months after its publication date.

What does this mean if your organisation is pursuing ISO Certification 27001:2022?

If you are currently pursuing certification, there is no need to alter your approach. We anticipate that a few technical modifications will be necessary.

We expect the changes to primarily involve:

  1. Analysing the gaps between your current ISMS and the new control set.
  2. Updating risk treatment processes to bring them in line with the new controls.
  3. Updating the Statement of Applicability.
  4. Modifying certain sections of existing policies and procedures to address new or modified controls.

Should certification wait until Certification Bodies are prepared to assess against ISO Certification 27001:2022?

No, if you want ISO 27001 accreditation, your business doesn’t have to wait until the certification bodies begin to assess against the updated ISO Certification 27001:2022. If the certification body is able to assess you against the new ISO Certification 27001:2022 before completing certification, you may be able to modify your existing documentation in accordance with the amendments during implementation.

How Can ISO Management Consultants Help Your Business?

If you are considering obtaining ISO 27001 certification, we are here to assist you! Here at ISO Management Consultants, we promise to help you no matter where you are in the decision-making process. We offer a practical hands-on approach, simple advice and assistance in implementing ISO standards and regulations. We will be by your side, taking your business through all the required steps towards achieving full legal compliance. If you have any questions regarding ISO 27001 standards, feel free to contact us today!