Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It includes procedures or measures used to protect electronic data from unauthorised access. Information security controls are devices or software used to enforce security policies in order to protect sensitive information from unauthorised access.
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. The goal of an ISMS is to minimise the risk of data breaches and other security incidents by identifying, assessing, and treating information risks.
ISO/IEC 27001 provides a framework for organisations to manage their information security risks through an Information Security Management System (ISMS) within the context of the organisation. The new ISO/IEC 27001:2022 was published on the 25th of October 2022, with some minor changes to the clauses but major changes to Annex A. In this blog, we will review the changes and how they will affect your organisation.
In line with the High-Level Structure of the Management System Standards, some minor changes have been introduced to ISO 27001:2022.
These changes, by clause of the standard, include:

- Clause 4 (Context of the organisation): the "relevant" requirements of interested parties should be identified and determined through the Information Security Management System (ISMS).
- Clause 5 (Leadership): no major change.
- Clause 6 (Planning): information security objectives are now considered "documented information" and shall be monitored and made available. There is a new section on planning changes to the ISMS, "6.3 Planning of changes".
- Clause 7 (Support): 7.4.d and 7.4.e, regarding how to communicate, are merged as part of the communication plan.
- Clause 8 (Operation): there is a requirement to establish criteria for processes and to implement process control in accordance with those criteria. There is also a requirement to control "externally provided processes, products or services" relevant to the ISMS, instead of just processes.
- Clause 9 (Performance evaluation): there is a requirement for comparability and reproducibility of the methods of monitoring, measuring, analysing, and evaluating the effectiveness of the ISMS. Clause 9.2, Internal audit, is now split into 9.2.1 General and 9.2.2 Audit programme. Clause 9.3, Management review, is now split into 9.3.1 General, 9.3.2 Management review inputs, and 9.3.3 Management review outputs. Changes in the needs and expectations of interested parties should be considered as a management review input.
- Clause 10 (Improvement): no major change.
Aligned with the new revision of ISO/IEC 27002 (the guidance for implementing the information security controls, updated in February 2022), Annex A of ISO/IEC 27001 has been changed in the 2022 version of the standard. A summary of the changes to the ISO 27001:2022 controls includes:
The 93 controls are categorised into the 4 categories listed below:
Here is a list of newly added controls in Annex A of ISO/IEC 27001:2022:
Similar to other standards, there is a three-year transition period. So, as the new revision was published in October 2022, the transition to the new revision should be completed by October 2025.
To obtain an ISO 27001 certificate, organisations must undergo a certification process that includes auditing their ISMS against the requirements of ISO 27001. The certification process is conducted by third-party certification bodies that are accredited by national accreditation bodies such as JAS-ANZ.
If you are already certified against the 2013 version of this standard, your next audit can be conducted against either the 2013 or the 2022 version, but from the 1st of November 2023 all audits by certification bodies should be conducted against ISO/IEC 27001:2022.
If you are planning to certify your Information Security Management System, your ISMS can still be audited against either ISO/IEC 27001:2013 or ISO/IEC 27001:2022 until the 31st of October 2023.
We have designed our exclusive gap assessment tool against the requirements of ISO 27001:2022. It identifies not only the gaps and the areas where you need to improve, but also provides a numerical and graphical analysis of your current compliance level and how you can improve it. We can also assist you with documenting and implementing the requirements and getting ready for your ISO 27001 audit.