On October 25, 2022, ISO 27001 was updated to the new ISO/IEC 27001:2022 after nine years. As the world’s leading information security standard, it’s important for those in the Quality industry and IT auditors to review how the 2022 revision compares to the old 2013 revision of ISO 27001.
Summary of changes in the ISO 27001 2022 revision:
- Clauses 4 to 10 have changed slightly to better align with ISO 9001
| 4.2 c) | Interested parties – Identification of who and their needs and expectations | Added the verbiage which of these requirements will be addressed through the information security management system, ie. all of them. |
| 4.4 | Added – including the planning for processes and their interactions | Typically evidenced through a pictorial representation of the ISMS processes, ie. flow chart or swim lanes. |
| 5.3 | Added – communication ‘within the organization. | Clarify that word change in ISMS documentation. |
| 6.3 | Added — Planning of changes – Planning of organization changes | Usually already addressed in the change management control unless only focused on software and hardware changes. |
| 7.4 | Communication – removed d) and e) and replaced with ‘how to communicate’ | Procedures should already address how to communicate, in particular, for external communications. |
| 8.1 | Implementing controls for processes | Changed some wording to align with 9001 such as clause 6 reference. Updated outsourced processes to externally provided to align with 9001 terminology. |
| 9.3.2 c) | Added – changes in needs and expectations from interested parties | The most significant expectation to be addressed here would be changes from regulatory agencies (which you already identified in 4.2). |
| 10.0 | Continual Improvement | Re-arrangement of subclauses. No wording change. |
- Moderate changes in Annex A security controls
- The number of controls has decreased from 114 to 93
- Controls are placed into 4 sections, instead of the previous 14
There are now 11 new controls to promote a proactive approach to information security management:
| A.5.7 Threat intelligence |
| A.5.23 Information security for use of cloud services |
| A.5.30 ICT readiness of business continuity |
| A.7.4 Physical security monitoring |
| A.8.9 Configuration management |
| A.8.10 Information deletion |
| A.8.11 Data masking |
| A.8.12 Data leakage prevention |
| A.8.16 Monitoring activities |
| A.8.23 Web filtering |
| A.8.28 Secure coding |
How to Move Forward with These Changes for Your Organization
Changes in the main part of the standard are small and can be completed rather quickly with slight changes in your documentation and processes. Annex A control changes are moderate and can be implemented with additional new controls to existing documentation.
The final draft of this revision is due to be published by the end of 2022. Companies have until 10/31/2025 to transition. If your company needs assistance with migrating to the updated standard, IQPS can assist with our outsourced IT auditor services! Contact us to learn more.
References
- “ISO 27001 & 27002: Understanding the difference between ISO27001 and ISO27002”