The long-awaited ISO 27001:2022 standard has been released and has brought with it a raft of changes.
What has changed in the new iteration of ISO 27001?
The first noticeable difference is that the title of the standard has been simplified to “Information security, cybersecurity and privacy protection – Information security management systems – Requirements.”
More significantly, a number of adjustments have been made to the main body of the standard, from Clause 3 to Clause 10.
- Clause 3 “Definitions”
This clause now points to the ISO Online Browsing Platform and the IEC Electropedia, which hold the terminology databases. Having these links to hand makes it much easier to check a definition when a clause or control is unclear.
- Clause 4.2 “Understanding the needs and expectations of interested parties”
Item (c) has been added, stating “which of these requirements will be addressed through the information security management system.” The effect is that organisations must now be explicit about which interested-party requirements are in scope of the ISMS, rather than simply listing them.
- Clause 4.4 “Information security management system”
Additional wording requires the ISMS to include “the processes needed [for the maintenance and improvement of the ISMS] and their interactions, in accordance with the requirements of this document.” This brings the clause into line with the equivalent clause in other management-system standards such as ISO 9001:2015 and ISO 22301:2019.
- Clause 5.3 “Organisational roles, responsibilities and authorities”
This has been amended to read “Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation,” which clarifies to whom those roles must be communicated.
- Clause 6.1.3 “Information security risk treatment”
Note 2 has been updated to read “Annex A contains a list of possible information security controls,” replacing the original “comprehensive list of control objectives and controls.” This emphasises that Annex A is a reference list, not an exhaustive one, and that controls from other sources may be selected as part of your ISMS.
- Clause 6.2 “Information security objectives and planning to achieve them”
Item (d) has been added, requiring that information security objectives “be monitored.” This was not an explicit requirement in ISO 27001:2013; it now ensures that progress against objectives, or the lack of it, is tracked throughout the life of the ISMS rather than only reviewed at audit time.
- Clause 6.3 “Planning of Changes”
This is an entirely new clause. Change control already existed as an Annex A control, but 6.3 now applies it to the management system itself: when the organisation determines that changes to the ISMS are needed, those changes must be carried out in a planned manner.
- Clause 7.4 “Communication”
Item (e), “the processes by which communication shall be effected,” has been removed. The remaining items (what to communicate, when, with whom and how) still cover the substance of communication, so organisations no longer need to document separate communication processes to satisfy this clause.
- Clause 8.1 “Operational planning and control”
This now reads “The organisation shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled.” This is clearer for implementers than the original “The organisation shall ensure that outsourced processes are determined and controlled,” as it covers suppliers of products and services, not only outsourced processes. The requirement to implement plans for achieving objectives has been deleted from this clause because it is already covered by Clause 6.2.
- Clause 9.1 “Monitoring, measurement analysis and evaluation”
The note from the 2013 standard, “The methods selected should produce comparable and reproducible results to be considered valid,” has been moved into the main body of the clause. This gives much-needed clarity as to what the standard regards as a “valid” measurement result.
- Clause 9.3 ”Management Review”
The clause has been restructured into three sub-clauses: 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results.
Item (c) has been added to 9.3.2 Management review inputs, which now includes “changes in needs and expectations of interested parties that are relevant to the information security management system.”
- Clause 10 “Improvement”
The order of the sub-clauses has been reversed, so that 10.1 is now Continual improvement and 10.2 is now Nonconformity and corrective action.
All in all, this new version of ISO 27001 provides more clarity within Clauses 4-10 through a series of small amendments. The larger change is in Annex A, which has been aligned with ISO/IEC 27002:2022: the controls are now grouped into four themes (organisational, people, physical and technological), the total has been reduced from 114 to 93 by merging controls that overlapped, and 11 new controls have been added to reflect current cyber security practice, such as threat intelligence.
When should organisations transition to the new control set?
Now that the new standard is published, a three-year transition period is expected to allow the changes to be implemented. The certification bodies also need time to interpret and adopt the new standard and the changes the new control set brings, so certification bodies were not expected to offer assessments against the updated standard for the first 3-6 months after publication.
The anticipated timeline for the transition is set out below.
On the 19th of December 2022, UKAS released a bulletin for the Transition arrangements for ISO/IEC 27001:2022 with the following dates confirmed:
- 25 October 2022: Publication of ISO/IEC 27001:2022
- 30 April 2023: UKAS ready to assess to ISO/IEC 27001:2022
- 31 October 2023: All UKAS transitions of CBs completed
- 31 October 2023: From this date, all initial certifications by CBs must be against ISO/IEC 27001:2022
- 31 October 2025: All CB transitions of clients completed
What does this mean if your organisation is currently working towards ISO 27001?
If you are currently working towards certification, you will not need to change your approach. We do not anticipate that many technical changes will be required, because the changes to Clauses 4-10 are largely clarifications and the Annex A changes mostly merge or rename existing controls.
We anticipate the changes will mostly involve:
- Conducting a gap analysis of your existing ISMS against the new control set
- Updating risk treatment processes, so they align with new controls
- Updating the Statement of Applicability
- Amending some sections of existing policies and procedures to reference new or changed controls
Shall we wait until Certification Bodies are ready to assess against ISO 27001:2022 to certify?
There is no need to wait for the certification bodies to be able to assess against the updated ISO 27001 standard before beginning your ISO 27001 journey. Clauses 4-10 are substantively the same, so an ISMS built now will carry over. If your certification body is ready to assess against the new requirements before you complete certification, you can adapt your existing documentation (in particular the risk treatment plan and Statement of Applicability) to the 2022 control set during implementation. If you certify against ISO/IEC 27001:2013 first, you will need to transition within the period set out above, and from 31 October 2023 initial certifications are only available against the 2022 version.
If you’re thinking of gaining ISO 27001 certification, we’re here to help wherever you are on your decision path. We can act as your external ISO 27001 consultant (find out the benefits of using an external ISO consultant), help with an initial workshop, carry out a full gap analysis (read more here on the benefits of an ISO 27001 gap analysis), support your ISO 27001 project or manage your ISMS for you. If it’s simply information you want, visit our ISO standards knowledge hub page or read our extensive Guide to ISO 27001.
If you’d like to understand more about our service, we’d be delighted to hear from you.