The new revision of ISO 27001 is finally here. It is not a fully revised edition, and it is not what was originally expected. The initial intention was that the only change was going to be a new Annex A to match the security controls listed in the updated version of ISO 27002 published early in 2022. However, for technical reasons a few additional changes have been included – they are mostly minor but a few that need thinking about.
This blog looks at the main changes that certified organisations will need to consider when transitioning from the 2013 version of ISO 27001 to the new 2022 version. Some of the changes can help improve the performance of the Information Security Management System (ISMS) and some may just be “things to do to maintain certification.” Below is a list of what I believe are the changes that are worth mentioning.
Clause 4.2 Understanding the Needs and Expectations of Interested Parties
The addition here is that as well as identifying the needs and expectations of interested parties, organisations are also now required to analyse and identify which of these needs and expectations will be addressed through the ISMS.
It is mostly understood that just because an interested party has a need and expectation with respect to information security, that did not mean that the ISMS had to deal with it. This new requirement asks organisations to be clear about which ones will be addressed.
Clause 4.4 Information Security Management System
A phrase has been added requiring planning for processes and their interactions as part of the ISMS.
Clause 5.3 Organisational Roles, Responsibilities and Authorities
A phrase has been added to clarify that the communication of roles relevant to information security is done internally within the organisation. It is reasonable to think that organisations are already doing this as part of the requirement for clause 7.4 Communication.
Clause 6.1.3 Information Security Risk Treatment
Annex A is no longer described as a comprehensive list of control objectives and controls. It is now described as a list of possible information security controls. This is a more reasonable description of Annex A but organisations do not need to change anything in the ISMS because of this change in wording.
Clause 6.2 Information Security Objectives and Planning to Achieve Them
There is now an additional requirement to clarify how information security objectives are monitored. This is sensible enough and organisations will need to update the documentation on the objectives to make it clear how they are going to “monitor” them.
Clause 6.3 Planning of Changes
There is a new requirement: “When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
Organisations are most likely doing this already as it was also partially covered in requirement 8.1. I.e., organisations do a bit of thinking and planning when making changes to anything to do with the ISMS.
Clause 7.4 Communication
The requirement has been slightly reworded so that instead of saying “who shall communicate” it now says, “how to communicate.” Also, the requirement “the processes by which communication shall be effected” has been removed. Organisations will need to pay some attention to this and revise any documentation relating to communication to show “how.”
Clause 8.1 Operational Planning and Control
This is one of the more significant changes. New requirements have been added for:
— “establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.”
This is vague as it does not say what processes (which implies all of them) and does not say what sort of criteria organisations should define. A logical interpretation may be that it is the criteria related to the successful management of the processes. In other words, these criteria could be “success criteria” and/or “critical success factors,” "key performance indicators" etc.
In this clause, the requirement to "implement plans to achieve information security objectives" has been removed.
Another change in clause 8.1 is that instead of organisations ensuring that outsourced processes are determined and controlled, it has been reworded as “The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.”
Clause 9.2 Internal Audit
A minor change whereby this clause has been divided into two sub-sections – 9.2.1 – General and, 9.2.2 - Internal audit programme.
Clause 9.3 Management Review
A new mandatory item 9.3.2 c) has been added for the management review:
“Changes in needs and expectations of interested parties that are relevant to the information security management system;” top management in the organisation will need to ensure that this is covered at the management reviews.
Clause 10 Improvement
The change is that the subclauses have switched places, so the first is now Continual improvement (10.1), and the second is Nonconformity and corrective action (10.2), nothing in the text has changed.
Annex A
Annex A has been updated to align it with ISO 27002:2022, the Annex A controls are discussed here.
Transition Period
According to the IAF Mandatory document “Transition requirements for ISO/IEC 27001:2022” from the International Accreditation Forum, for organisations that are already certified against ISO 27001:2013, there is a three years (36 months) transition period to revise their ISMS to conform to the new version of ISO 27001, so there is adequate time to make the required changes.
If your organisation has already implemented the old 2013 revision of the standard and wants to make a transition to the 2022 revision of ISO 27001, Bridewell has everything to support you during your ISMS transition. Our accredited ISO 27001 consultants can provide guidance where required on how to quickly and easily change your existing ISO 27001 implementation to an ISO 27001-compliant ISMS that meets the requirements relating to Annex A of the new version of ISO 27001 published in 2022 and maintain your certificate.
Author
Daniel Ityokyaa
Senior Cyber Security Consultant
Joining Bridewell in September 2021, Daniel has significant experience with ISO27001 consultancy and internal audit, cyber and information security management, cloud computing, and virtualisation technology service. In his role at Bridewell, Daniel leads and supports a wide range of public- and private-sector clients in the UK. He is a trusted adviser, providing pragmatic, practical consultancy advice and support.
Blogs