Simple guide to the new changes
The new ISO 27001:2022 was released on 25 October 2022, replacing the 2013 version. We have compiled this FAQ to help you understand how the changes can impact your current or upcoming ISO 27001 certification.
What's new?
The management system of ISO 27001:2022 had a few minor changes, aligning it to Annex SL.
These changes are as follows:
- Refinement of 4.2 Interested parties
- Refinement of 4.4 ISMS
- Refinement of 6.1.3 Risk treatment
- Refinement of 6.2 Objectives
- Addition of 6.3 Change management
- Refinement of 7.4 Communication
- Rewrite of 8.1 Operational planning
- Refinement of 9.1 Monitoring
- Splitting of 9.2 into 9.2.1 General and 9.2.2 Audit programme
- Splitting of 9.3 into 9.3.1 General, 9.3.2 Input and 9.3.3 Output (an extra topic was added)
- 10.1 Improvement and 10.2 Nonconformities have switched clause numbers
Changes/updates to Annex A controls
The 2022 version now contains 93 controls, divided over 4 sections:
5. Organizational - 37 controls
6. People - 8 controls
7. Physical - 14 controls
8. Technological - 34 controls
Some controls appear to have been merged, while other controls look new and might require some tweaking of your existing implementation:

| New ISO 27001:2022 | ISO 27001:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15 Supplier relationships |
| A.5.29 Information security during disruption | A.17.1 Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4 Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
When do you need to update your ISMS to the new ISO 27001:2022?
According to the International Accreditation Forum (IAF), certified organizations have 36 months from the publication of ISO 27001:2022 to complete the transition, in this case no later than 31 October 2025.