Everything You Need To Know About The ISO 27001:2022 Update

In the digital age, protecting sensitive and confidential information has become more critical than ever before. Cyber attacks, data breaches, and other security incidents have become more frequent, leading to reputational and financial losses for businesses. To address these risks, the International Organization for Standardization (ISO) developed a set of standards for Information Security Management Systems (ISMS) known as ISO 27001. The latest version of the standard, ISO 27001:2022, was published on 25 October 2022.

CHANGES MADE IN MANDATORY CLAUSES

The latest version of ISO 27001 includes several changes and updates that organizations need to consider when transitioning their existing ISMS to the new version. Here are some of the notable changes in ISO 27001:2022. If we go clause by clause there are no major changes; most of the changes are in Annex A.

CLAUSE WISE:
Clause 4 – Context of the organization:

In ISO 27001:2022, clause 4 has been expanded to include new requirements related to the organization’s internal and external context, risk management, and the scope of the ISMS.

Clause 5 – Leadership:

In ISO 27001:2022, clause 5 places greater emphasis on top management’s role in establishing, implementing, maintaining, and continually improving the information security management system.

Clause 6 – Planning:

In ISO 27001:2022, clause 6 has been updated to include new requirements related to risk assessment and risk treatment. The updated version requires the organization to identify, assess, and evaluate the risks associated with the information security management system. The organization must develop and implement a risk treatment plan to address the identified risks.

Clause 8 – Operation:

In ISO 27001:2022, clause 8 has been updated to include new requirements related to supply chain security, information security incident management, and protection of personal data. The standard requires the organization to assess the information security risks associated with outsourcing and to establish controls to manage those risks. The organization must also ensure that its suppliers and contractors comply with the organization’s information security requirements.

Clause 9 – Performance evaluation:

In ISO 27001:2022, clause 9 has been revised to include new requirements related to monitoring, measurement, analysis, and evaluation of the ISMS.

Clause 10 – Improvement:

In ISO 27001:2022, clause 10 has been updated to include new requirements related to continual improvement of the ISMS.

CHANGES IN ANNEX A:
Annex A has changed a lot in terms of restructuring:
  1. The number of controls is now only 93, while the earlier version had 114. In the 2013 version the controls were placed in 14 sections, while in the 2022 version they are placed in only 4 sections.
  2. The best thing is that controls have been merged, not deleted.
  3. 11 new controls have been identified and added.
  4. Several clauses and notes make it clear that the Annex A controls are not exhaustive.
  5. You should use them as a baseline. However, every organization should look at its own environment to correctly identify any other necessary controls, risks, etc.
  6. These controls and changes have made the standard more concise and simpler to implement.
  7. Most of the overlap and repetition has been eliminated in this updated version.
KEY BENEFITS OF CHANGES:

The changes made to the ISO 27001 standard in its 2022 version provide several benefits to organizations that adopt the new standard. Some of the key benefits are:

Enhanced risk management:

The new version of the standard places greater emphasis on the risk-based approach which ensures that organizations allocate their resources to where they are most needed, making the information security management process more efficient and effective.

Increased flexibility:

The new standard provides greater flexibility in how organizations can implement the standard, allowing organizations to tailor the standard to their specific needs and context.

Improved alignment with other standards:

The new version of the standard is more closely aligned with other ISO management system standards, such as ISO 9001 and ISO 14001. This alignment makes it easier for organizations to integrate their information security management with other management systems, enhancing overall organizational performance.

Improved communication:

The new standard places greater emphasis on communication and collaboration, both within the organization and with external stakeholders. This emphasis on communication ensures that everyone involved in the information security management process is on the same page, improving overall information security governance and reducing the risk of information security incidents.

Increased emphasis on supply chain security:

The new version of the standard places greater emphasis on supply chain security, ensuring that organizations are aware of the potential information security risks associated with their supply chain partners.

TIMELINE FOR TRANSITION PROCESS:

The new changes in ISO/IEC 27001:2022 will not affect current ISO/IEC 27001 certificates. Based on the guidelines provided by the International Accreditation Forum, “Transition requirements for ISO/IEC 27001:2022”, companies need to complete the transition to ISO 27001:2022 by October 31st, 2025, so you have enough time to study and implement the changes. Certification bodies have also not yet started certifying against the new requirements. For recertification, the best time to start the implementation is before you go for your next internal audit. The internal ISO 27001:2022 audit involves a detailed assessment of your organization’s ISMS to ensure that it complies with the new standard’s criteria and that its controls are effectively implemented. It will also check your system implementation against the new standard’s documentation, implementation and certification requirements.

Copyright Wissen Baum, All Right Reserved.