And yes, you may have significant work to do. Read on.
Many commentators in recent months have characterised the changes to ISO27001 as 'minor', suggesting that little time will need to be devoted to implementing the necessary changes. We do not agree.
For the vast majority of organizations a formal Migration Project will be needed if they are to get it right at the first attempt. When your organization is audited for the first time against the new Standard, it is the changes that the Certification Body (CB) auditors will naturally focus on. So, you'd better be prepared.
1. Changes to the Standard's text
To begin with, the Standard has a new title to emphasise that IT security alone is not the issue. It is now called ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
Since the last version of the standard was published in 2013, information and communication technology (ICT) and the way we do business has changed enormously. Today we all expect instant access to information, and we have expectations of higher individual and corporate performance while we deal with more complex supply chains and operate in a global economy.
ISO 27001:2022 has been revised to take these changes into account and to address two areas of vulnerability that were often overlooked previously, especially by ICT-focused businesses. These are People Controls and Physical Controls.
Overall, the main changes in ISO/IEC 27001:2022 are:
- Annex A references to the Controls detailed in ISO/IEC 27002:2022, which includes the control title and the control;
- The note in Clause 6.1.3 c) is revised editorially, including deleting the "control objectives" and replacing "information security control" with "control";
- The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.
You may have read that the changes to the Standard text will be limited to Clause 6.1.3. Not so!
There are many small changes throughout the Standard that will need to be carefully considered and acted upon. Let’s take two examples …
Clause 4.2 Understanding the needs and expectations of interested parties: Part c) has now been added and states – ‘c) which of these requirements will be addressed through the information security management system.’ Under the 2013 standard, many organizations provided a list of interested parties without further detail. This will no longer be enough: under the 2022 standard it will be necessary to identify and specify the needs, and then provide evidence of how the ISMS has addressed and satisfied these needs and expectations.
Clause 4.4 Information security management system: The following text has been added, ‘including the processes needed and their interactions.’ These are not the processes you may have in your ISO 9001 QMS which relate to operations and are often couched in very general terms. Here what will be required will be an analysis of the processes for the handling, storage, protection, etc., of all kinds of information used by the organization. It is doubtful if more than, say, 5% of organizations currently certified to ISO 27001 have done an adequate job here. Many will have documented IT processes but not the management of hardcopy data, premises, physical assets and the like.
2. Changes to Annex A - a radical restructuring
The description of the changes above conceals the fact that Annex A has been completely restructured, and the companion standard, ISO 27002, has been massively expanded and can no longer be ignored (if for no other reason than your Certification Body Auditor will not be ignoring it).
The most significant change is, therefore, the organization of the 93 Controls into four domains (or Chapters), namely …
- Chapter 5 - Organizational (if they do not fall under any other domain)
- Chapter 6 - People (if they concern individual people)
- Chapter 7 - Physical (if they concern physical objects)
- Chapter 8 - Technological (if they concern technology)
The 2013 version had 114 Controls in 14 Domains, so organizations will require a complete restructuring of their Statement of Applicability with knock-on effects to their risk assessment, risk treatment documentation, etc. Additionally, new Controls regarding People and Physical domain requirements are likely and will require time, finances and other resources.
3. A 3-year Transition Period
No surprises here. The usual idle talk of a 2-year transition has proved false.
- Certification Bodies must complete the transition to the new Standard within 36 months, that is, by the end of October 2025.
- Certification Bodies must audit all new registrations against the new Standard within 12 months, that is, by the end of October 2023.
Currently certified organizations can expect their Certification Body to switch to the new Standard at the end of the current 3-year certification cycle. And there’s nothing in the 2022 Standard to justify increased certification fees!
4. Free booklet - 'ISO 27001:2022 and You'
Whether your organisation is certified to ISO 27001:2013 (EN ISO 27001:2017) or you’re interested in gaining certification to the revised Standard, or if you’re an internal auditor or a lead auditor wondering how and when the 2022 Standard will affect you, we’ve got some answers for you.
And finally …
There is as yet (31-Oct-22) no news as to when EN ISO/IEC 27001:2022, the EU Harmonized Standard, will be published. In recent times simultaneous publication with the international version has been the practice (thus avoiding similar, if not identical, standards having different years of publication). We’ll have to wait and see but, in any case, a delay is going to have little consequence for most organizations.
deGRANDSON Global is an ISO Certified Educational Organization
In October 2021 we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.