The information security management standard ISO 27001 and it’s companion standard ISO 27002 were updated in 2022.
One key change is that there is now more focus on how an organisation must deal with the needs and expectations of interested parties.
Also, objectives must now be documented and monitored. There is a requirement that the objectives be available as documented information, and that the organisation retain this documented information.
ISO 27001:2022 is not significantly different from ISO 27001:2013, however there are some notable changes:
Context and scope
You must now identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS (Information Security Management System).
Information security objectives must now be monitored and made “available as documented information”.
There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to your ISMS have indeed been planned.
The requirements to define who will communicate and the processes for effecting communication have been replaced by a requirement to define “how to communicate”.
The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria.
Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.
Performance and evaluation
Methods of monitoring, measuring, analysing and evaluating the effectiveness of the ISMS now need to be comparable and reproducible.
The management review must now also consider changes in the needs and expectations of interested parties.
There are also new controls in the areas of:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
There is a three-year transition period for certified organisations to revise their management system to conform to the new version of ISO 27001, so there is plenty of time for you to make the necessary changes. However, some certification bodies might stop offering certification to the 2013 iteration of the Standard before that point, so it is worth checking if you need to transition earlier.
We can assist you to ensure your organisation is compliant and adheres to all standards. Contact us to discuss the needs of your organisation.