As was expected, the updated ISO/IEC 27001:2022 standard was released with few significant updates. So do not worry about sleepless nights ahead of you to uphold certification when it comes to meeting the 59 requirements of the Information Security Management System (ISMS). Or 53, depending on how you count them. Subcommittee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission, which is behind its release, has sharpened its pencils here and there. That is kind of the gist of it.
What’s New in the ISO/IEC 27001:2022 Update?
A remarkable, yet expected change is that the name of the new 2022 edition of the ISO/IEC 27001 standard is “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”. It used to only mention information security.
And, obviously, Annex A with its controls and control objectives, reflects the changes we already knew about from the earlier release of the ISO/IEC 27002:2022 standard.
Other Noteworthy Changes
- Notes 1-3 of 6.1.3 Information security risk treatment provide additional guidance on how to make use of the controls in Annex A. In essence, the comprehensive list of controls in Annex A is there to ensure that no necessary controls are overlooked. The notes also make clear that the controls and control objectives of Annex A are not exhaustive and that more controls and control objectives may be needed.
- In 6.2 it now states that information security control objectives are to be monitored. And these objectives need to be available as documented information.
- 6.3 Planning of changes is an additional clause. In the 2013 edition of the standard this was a requirement that was somewhat implied in section 8.1 Operational planning and control. However, the changes in scope here can be of far bigger magnitude than process changes only. Think of organizational changes, for example.
- In 7.4 Communication, a clean-up took place by removing a duplicate requirement about who is to communicate. The requirement to define the process of communication is replaced by a requirement to determine how to communicate.
- Clause 8.1 Operational planning and control has become more prescriptive. To control the processes needed to meet requirements the organization is to establish criteria for these processes and implement them in accordance with these criteria.
- Furthermore, clause 8.1 not only requires outsourced processes to be controlled, but also products and services provided externally are to be controlled. Given today’s trends in (out)sourcing, this heightened attention was to be expected.
- It is interesting that in clause 9.1, regarding monitoring and measuring the performance of the ISMS, the new edition includes a “should” statement that used to be a Note in the previous version. It reads: “The methods selected should produce comparable and reproducible results to be considered valid”. Nevertheless, the list following this statement is still to be adhered to.
- In 9.2 Internal Audit, some reshuffling of requirements has taken place. But none were added or removed. The same applies to 9.3 Management Review.
- 10.1 Nonconformity and Corrective Actions and 10.2 Continual Improvement have been switched.
What Do These ISO/IEC 27001 Changes Mean?
For your existing ISMS that is compliant with the 2013 edition of the standard, you mainly need to focus on updating references to the standard, because some of the clauses have been reshuffled, re-structured, or re-ordered.
Make sure to implement a practice of dealing with organizational changes (OC). That means ensuring a seat at the “OC table”, so that your involvement comes as early as possible in the change. This allows you to plan for any changes necessary to the ISMS.
Furthermore, tighten up your collaboration and integration with other (external) parties. Particularly your strategic partners when it comes to services, products, and (out)sourced processes you depend on. Review contracts and agreements on compliance. Ensure that for new ones, they meet the necessary requirements from the outset.
What About ISO/IEC 27001 Certification Training?
INTERPROM is an accredited training provider of APMG International. APMG has assured us that it is going to immediately make the necessary updates to its certification exams and course syllabus. Subsequently, as soon as APMG releases its updates, INTERPROM will update its courses and offer the new version of the Foundation, Information Security Officer, and Auditor certification training courses.
We will also soon update our self-paced online Foundation course. Expect enhancements such as tutorial videos.
Following the APMG International qualification scheme, existing ISO/IEC 27001 certified individuals do not have to worry about their certificate expiring, or about having to retake a course. Moreover, your existing certificate does not expire.
Next Steps
Let me repeat: do not worry about sleepless nights ahead of you with this new edition of ISO/IEC 27001:2022. In all seriousness though:
- Purchase the updated edition of ISO/IEC 27001 on websites from organizations such as iso.org or ansi.org.
- Revisit our website later this year for the updated (self-paced) courses and their schedules.
- Use our risk and control owner coaching service to benefit from our guidance on migrating to the new edition.
- And finally, hire one of our ISO/IEC 27001-certified auditors to conduct an internal audit to verify your level of compliance with the new editions of ISO/IEC 27001 and ISO/IEC 27002.