In the digital age, protecting sensitive and confidential information has become more critical than ever. Cyber attacks, data breaches, and other security incidents are more frequent, and they cost businesses both reputation and money. To address these risks, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) maintain a standard for Information Security Management Systems (ISMS) known as ISO/IEC 27001. The latest version, ISO/IEC 27001:2022, was published on 25 October 2022.
In this blog, we will explore the changes and updates in ISO 27001:2022.
The new version includes several changes that organizations need to consider when transitioning their existing ISMS from the 2013 edition.
Here are the notable changes in ISO 27001:2022. Taken clause by clause (4 to 10) the changes are minor and mostly clarifications; most of the substantive change is in Annex A.
Clause 4 – Context of the organization: Clause 4.2 now requires the organization to determine which of the interested parties' requirements will be addressed through the ISMS, and clause 4.4 makes explicit that the ISMS includes the processes needed and their interactions.
Clause 5 – Leadership: The requirements on top management are essentially unchanged; clause 5.3 now states that information security roles and responsibilities must be communicated within the organization.
Clause 6 – Planning: The risk assessment and risk treatment requirements (6.1.2 and 6.1.3) are unchanged in substance: the organization must still identify, analyse, and evaluate information security risks and implement a risk treatment plan. Clause 6.2 now requires that information security objectives be monitored and available as documented information, and a new clause 6.3, Planning of changes, requires changes to the ISMS to be carried out in a planned manner.
Clause 7 – Support: The requirements on resources, competence, and awareness are unchanged; clause 7.4 on communication has been simplified to "how" communication takes place, replacing the separate "who" and "processes" items.
Clause 8 – Operation: Clause 8.1 now requires the organization to establish criteria for its information security processes and to ensure that externally provided processes, products, or services relevant to the ISMS are controlled. In practice this means assessing the information security risks of outsourcing and suppliers and applying controls to manage them. (Supplier relationships, incident management, and protection of PII are addressed in detail by the Annex A controls rather than by new text in clause 8.)
Clause 9 – Performance evaluation: Clause 9.1 now states as a requirement, rather than a note, that monitoring and measurement methods must produce comparable and reproducible results. Clause 9.2 (internal audit) and clause 9.3 (management review) are split into sub-clauses, and management review inputs now include changes in the needs and expectations of interested parties.
Clause 10 – Improvement: No new requirements; the sub-clauses are reordered so that 10.1 is Continual improvement and 10.2 is Nonconformity and corrective action.
Annex A has changed a lot in terms of restructuring. The 114 controls in 14 domains of the 2013 edition have become 93 controls grouped into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). In summary, 35 controls are unchanged, 23 controls were renamed, 57 controls were merged into 24, and 11 new controls were added: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The full mapping between old and new control numbers is given in Annex B of ISO/IEC 27002:2022.
The changes made to ISO 27001 in its 2022 version benefit organizations that adopt the new standard: the revised Annex A now covers areas such as cloud services, threat intelligence, configuration management, data leakage prevention, and secure coding that the 2013 edition left organizations to add on their own, and the consolidated control set is easier to map to current practice.
The new changes in ISO/IEC 27001:2022 do not invalidate a current ISO/IEC 27001:2013 certificate; it remains valid until it is transitioned or until the transition deadline.
Based on the International Accreditation Forum document "Transition requirements for ISO/IEC 27001:2022" (IAF MD 26), the transition to ISO 27001:2022 must be completed by 31 October 2025, after which certificates to the 2013 edition expire or are withdrawn. So you have enough time to study and implement the changes. At the time of writing, certification bodies had not yet started certifying against the new requirements, since they must first be accredited for the 2022 edition.
For recertification, the best time to start the implementation is before your next internal audit.
The internal ISO 27001:2022 audit is a detailed assessment of your organization's ISMS to confirm that it meets the new standard's requirements and that its controls are effectively implemented. It also checks your documentation and implementation against the new standard's certification requirements, so that gaps are found and closed before the certification body's transition audit.
To help your organization receive all the benefits of ISO 27001:2022, our team of certified consultants is equipped to provide exceptional consulting as well as training. Our team of experts at 4C has helped 150+ clients gain international recognition, credibility, and trust from customers, backed by 5000+ training hours. For implementation and transition of ISO 27001 certification in your organization, contact us now.