ISO/IEC 27001:2022 Key Changes

Wayne Armstrong
|
Senior Information Security Consultant and Consultant Manager at URM
|
PUBLISHED on
28 Oct
2022

Table of Contents

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

In a nutshell

The major change to the Standard is, undoubtedly, the wholesale adoption of the controls from ISO 27002:2022.  As such, if you are already certified to ISO 27001:2013, this should be your major focus as you start to think about transitioning over to the new Standard. The controls are now grouped in 4 themes, rather than 14 categories, and attributes have been introduced to enable you to reflect your security posture considering different criteria.  With regards to the controls themselves, there are now 93 rather than the previous 114.  On first reading this, it appears as though there has been a reduction in the number of controls, however, a number have been consolidated and there are actually 11 new controls and no deletions!  (See our training courses below for more information).  

There are a number of changes to the main management system clauses, but the vast majority of these are focused on making some of the requirements more explicit and aligning better with other Annex SL standards, such as ISO 9001 and ISO 22301.  That said, it is important you understand those changes and ensure your information security management system (ISMS) meets these requirements.  We have selected 3 of the more significant changes below.

Clause 4.4: The phrase ‘including the processes needed and their interactions’ has been added to the requirement to establish, implement, maintain and continually improve your ISMS.  This inclusion reflects the need to ensure the smooth transition between different individual processes and focuses on the interaction between processes and the hand over from one to another.

Clause 6.3 Planning of Changes:  This is a brand new subclause and mirrors the introduction to ISO 9001 in 2015.  Here, you will need to consider factors such as the purpose of the change and the potential consequences, how it may impact your ISMS, the availability of resources and the allocation or reallocation of responsibilities and authorities.

Clause 9.3.2 c):  Another new requirement to consider are the ‘changes in needs and expectations of interested parties relevant to the ISMS’.  Here you will need to think how you will be able to monitor and review these needs and expectations and evidence that you have done so.

How URM can help you

Consultancy support

URM can provide 1:1 support in helping you understand the changes introduced by ISO 27001:2022, the impact it has on your particular ISMS and how to address the changes.  We can also assist you in effectively implementing the necessary changes, updating your ISMS and supporting documentation, and conducting an up-to-date tailored risk assessment.

Training support

URM is offering 2 training courses:

  • 1 day ISO 27002:2022 Control Migration Course - Where you will learn all the key changes between ISO 27002:2013 and ISO 27002:2022 including how the approach differs, how the controls have changed (new, merged, deleted) and the new ‘attribute’ feature.
  • 2 day ISO 27001:2022 Transition Course - Incorporates the above course as day 1, before addressing the management system clause changes and how to go about updating your risk assessment in order to transition to ISO 27001:2022.

Risk management tool

URM can help you transition your risk assessment with its automated risk management tool, Abriska 27001, which has been fully updated to include the new Annex A controls and enables you to take advantage of the new attribute functionality.  More information can be gained from attending URM’s Abriska webinar at 11 am on Wednesday 2 November 2022.

Not certified?

If you are not certified, now has never been a better time to develop an information security management system and achieve certification.  If you would like to understand more about the benefits and what’s involved in implementing ISO 27001, please register your interest here and we will be in touch.

More updates

Also look out for more updates on our ISO 27001 FAQ Page.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
Read more

ISO 27002:2022 Update

If you want to learn more about ISO 27002:2022 and how to implement the new controls and the new attributes, you can attend URM’s ISO 27001:2022 Control Migration Course.
Thumbnail of the Blog Illustration
Information Security
Published on
25/5/2022
Asset identification within RA

A question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment’.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
20/7/2022
What Are the Critical Steps When Implementing an Effective Information Security Management System?

URM assisted over 350 organisations achieve ISO 27001 certification, here are the critical steps when implementing an effective information security system.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
How Secure is Zoom?

Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19.

Read more
It was really interesting and well delivered, thank you.
Webinar 'ISO 27001:2022 – What’s new?'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.