Transitioning to the 2022 update of ISO 27001 offers greater assurance to stakeholders while aligning your ISMS with current cybersecurity practices, which in turn creates a competitive edge.
Organizations will need to conduct a gap assessment and update their Statement of Applicability (SoA) accordingly to accommodate these changes to the standard.
An organization becomes ISO 27001 compliant by implementing an Information Security Management System (ISMS) and being audited by an independent ISO certification body.
Earning an ISO 27001 certificate demonstrates your company’s adherence to global data protection standards and builds customer trust, since customers no longer have to take your word for your security measures.
An ISMS should encompass all areas of the business, such as systems, locations, services, applications, departments and people. This coverage is known as its scope. You should document it, following clauses 4.1-10, in your ISMS manual. Furthermore, Annex A controls are needed where risk mitigation is needed (these controls can be found between clause 5.31-5.36).
Companies that achieve an ISO 27001 certificate can mitigate the risk of a data breach while increasing their competitiveness by demonstrating that they are trustworthy. This is especially relevant to organizations handling sensitive customer and financial data, which often includes customer personal details and financial transactions. Receiving such certification may help companies win new business as customers increasingly look for suppliers that can demonstrate their trustworthiness.
Changes to Annex A
The 2022 update to ISO 27001 brought many changes to Annex A of the standard, which details the mandatory security controls an ISMS must have, such as data encryption and secure coding practices for developers. You can follow this link to learn more about the governing bodies: https://en.wikipedia.org/wiki/International_Organization_for_Standardization. In addition, this revision reduced the number of controls from 114 to 93 while restructuring them into four groups or sections.
The new structure is intended to make it easier for individuals and companies to understand and implement the necessary controls quickly. To this end, the 14 categories were regrouped into four areas: organizational, people, physical and technological. While there has been a slight reduction in the overall number of controls (114 down from 147), most have remained intact, with only 35 being renamed, 57 combined and 1 split into two.
Additionally, new clauses were added to address the need for monitoring objectives and planning changes. A new Clause 6.2 requires information security management systems (ISMSs) to track their own objectives, while Clause 6.3 ensures that any modifications to an ISMS are carried out in a planned fashion.
Finally, Clause 7.4 adds emphasis to communicating about the ISMS by replacing the requirement to define who should communicate with a requirement to define how. While this change might seem simplistic at first glance, it remains an excellent way forward.
This update should have no direct ramifications for current certifications; however, it provides an ideal opportunity for organizations to review their ISMS and identify any updates required. If you need assistance understanding the changes or getting your ISMS ready for ISO 27001:2022, contact a professional. They can help make the process smoother and easier.
Changes to Clause 4.4
The requirements of this clause have remained largely the same; however, an organization now needs to demonstrate that it is fulfilling the expectations of interested parties in order to comply. This change provides some much-needed clarity in this area.
Another welcome change is that the requirement for documented information regarding the management system has now become explicit, making it clearer and easier to audit. This makes auditable management systems even more feasible than before.
Clause 6.2 was modified slightly during the 2022 update to introduce a requirement that information security objectives be monitored, while a new section 6.3 requires organizations to plan changes to their ISMS in a controlled fashion. You can visit the
Another minor revision simplifies communication about the ISMS: the previously separate requirements specifying who should communicate about the system and how have been combined into one requirement covering how an organization communicates about its ISMS.
Other changes have been made to the standard, with various sections being separated or combined. One such restructuring effort combined Annex A controls and added 11 new ones, and restructured the management system clauses into four sections instead of fourteen.
Changes to Clause 6.2
The core of the standard consists of clauses 4-10 and has seen minimal modification. A new Clause 6.3 was added which states that any modifications to an ISMS must be planned. This new requirement does not mandate specific processes; it simply requires that whenever an organization decides to alter its ISMS, it does so in a planned manner.
Top management must now ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated, an essential change which will increase the visibility of security roles and reduce confusion about who should implement and manage the ISMS.
An additional change requires organizations to identify and document the processes necessary for the ISMS, helping reduce the chance that something important is left out when creating one and ensuring that all required processes are covered by it.
Finally, the order of clauses 10.1 (Continual Improvement) and 10.2 (Nonconformity and Corrective Action) has been changed to emphasize prospective continual improvement over retroactive handling of nonconformities and corrective actions.
Other minor changes have been made relative to ISO 27001:2013, but they do not necessitate panic. Instead, organizations should obtain a copy of the revised 2022 version and review what changes need to be made before transitioning.
Changes to Clause 8.1
Although ISO 27001:2022 is more comprehensive than its predecessor, organizations still must undertake considerable work in transitioning. A gap analysis and a transition plan are integral components of that process: they allow organizations to identify areas for improvement and provide guidance for making those improvements. These plans must also incorporate risk evaluation and any new controls developed to safeguard sensitive information.
Clause 8.1 has undergone significant change, most notably with regard to operational planning and control. This includes additional guidance on creating process criteria as well as on implementation and control. These requirements extend those of Clause 6 to externally provided processes, products and services relevant to the ISMS, which must be documented, made available and controlled.
Clause 10 includes an important requirement to periodically evaluate and improve the effectiveness of the ISMS and to establish where improvements are needed. Organizations must therefore assess the performance of their ISMS regularly and make any required improvements.
As mentioned previously, there have been other minor modifications to the standard. For instance, Clause 7.4 (communication) now calls for everyone within and outside an organization to receive information regarding responsibilities and authorities for roles related to information security. Previously there were two requirements, covering who communicates and how; these have now been combined into one subclause: how to communicate. This simplification should make communication simpler.
Changes to Clause 9.3
Though there were numerous changes to Annex A and minor updates to the main ISMS clauses, overall there were comparatively few updates. While the number of controls dropped from 114 to 93 and the document structure changed, updating Statement of Applicability documents became easier because the 14 sections of the 2013 revision became four in the 2022 revision; many organizations already possess most of the information that has been updated since 2013.
One change that could affect ISMS managers is the addition of a requirement in clause 9.3. It requires organizations to consider changes to the needs and expectations of interested parties relevant to the management system, which extends an existing requirement that organizations monitor and review stakeholder requirements.
Clause 6.2 also underwent minor amendments, with the 2022 update adding an explicit requirement that information security objectives be monitored and documented as available information; this requirement was implicit in 2013 and is now explicit. Furthermore, the clause was modified to stipulate that the methods used for monitoring, measurement, analysis and evaluation must produce comparable and reproducible results.
In the 2022 update of the ISMS clauses, some minor amendments were made to enhance clarity. Clause 4 was altered to introduce the idea of a process-based approach and to clearly define all processes as part of the ISMS, helping managers implement the standard more easily. Clause 8.1 saw some small adjustments, including added requirements to control externally provided processes relevant to the ISMS.