Everything you need to know about the ISO 27001:2022 updates

Sekuro has an extensive and proven track record of establishing and operating useful (i.e., non-shelfware) Information Security Management Systems (ISMS) certified to the internationally recognised ISO 27001 standard. Every ISMS we build is tailored to the client’s requirements, constraints and maturity level. The International Organization for Standardization (ISO) released the new ISO/IEC 27001:2022 information security management standard in October 2022. It follows the earlier (February 2022) publication of ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls, which provides the implementation guidance for the controls listed in Annex A.

Summary Of Changes Between ISO 27001:2013 And ISO 27001:2022

The standard has been revised to reflect the current threat landscape and today’s information security challenges. It is split into two sections: the mandatory management-system clauses (Clauses 4 – 10) and the reference set of controls in Annex A.

Clauses 4 – 10: The intent of the standard is unchanged. Risk management remains the core of the ISMS: the organisation must still take a risk-based approach to protecting the confidentiality, integrity and availability of its information assets.

The mandatory requirements remain largely the same, with some subtle enhancements and additions. Clauses 4.2, 6.2 and 8.1 have been revised with updated wording, and a new Clause 6.3 has been added.

  • Clause 4.2 adds a requirement to determine which of the interested parties’ requirements will be addressed through the information security management system.
  • Clause 6.2 now requires information security objectives to be monitored, which was not stated in the previous edition.
  • Clause 8.1 provides additional direction on operational planning and control, including wording on how the organisation shall control processes, products and services that are provided externally and are relevant to the ISMS.
  • Clause 6.3 (planning of changes) is new. It requires that changes to the ISMS are carried out in a planned manner, strengthening the ongoing maintenance of the system. The main body and structure of the ISMS framework otherwise remains, and we recommend that you prepare for these changes ahead of your next audit.

Annex A has seen significant uplift and changes to the content, number of controls and how the controls are logically grouped. Annex A has changed from ‘reference control objectives and controls’ to ‘information security controls reference’.

The number of Annex A controls has been reduced from 114 to 93. Although the count is lower, no control has simply been dropped: 11 controls are new and the remainder of the reduction comes from merging overlapping 2013 controls for rationalisation and effectiveness. The 14 control domains of the 2013 edition are gone, replaced by the following 4 groups of controls:

  • Organisational Controls – 37 controls
  • People Controls – 8 Controls
  • Physical Controls – 14 controls
  • Technological Controls – 34 controls

Our more in-depth analysis of the Annex A amendments can be found here.

What Are The Consequences And Impacts To My ISO 27001 Certification?

There is no immediate impact on your existing certification. Certificates issued against ISO 27001:2013 remain valid during the 3-year transition window that runs from the release of the new standard (October 2022) to 31 October 2025, after which 2013 certificates expire or are withdrawn. Where possible the transition will be done as part of your 3-yearly recertification audit, but it can also be arranged as part of your yearly surveillance visit.

If you were working towards certification to ISO 27001:2013 and now plan to certify to ISO 27001:2022, you can do so without losing the effort spent to date: the update from ISO 27001:2013 to ISO 27001:2022 requires enhancements to the existing ISMS and a remapping to the new Annex A controls, not a restart.

How Do I Move To ISO 27001:2022?

We recommend that you take the following steps to meet the revised version:

  1. Undertake a gap assessment against the new standard, ensuring alignment with the ISO 27001:2022 requirements in Clauses 4 – 10 (in particular the new Clause 6.3).
  2. Update your Statement of Applicability (SoA) to align with the updated ISO 27001:2022 Annex A, mapping each 2013 control you currently apply to its 2022 equivalent and assessing the new controls for applicability.
  3. Review your risk and actions register to ensure alignment with the revised standard and controls.
  4. Review and update your documentation, including policies and procedures, to cover both the updated and the new controls applicable to your ISMS.

Matt Nicholas

Managing Consultant, Sekuro

Matt Nicholas is a Managing Consultant at Sekuro. Matt is a passionate and dynamic security manager with a proven record of supporting and managing security teams and the services they deliver. With a career spanning more than 20 years in roles in Australia and the UK, Matt works with clients to develop security strategies aligned with business needs. Matt is a PCI QSA, a Certified Information Security Manager (CISM) and a certified ISO 27001 Lead Auditor.