ISO/IEC 27001:2022 Transition Course
2 Day Course
On 15 February 2022, the ISO 27002 Standard (which provides guidelines on selecting, implementing and managing information security controls) was updated, introducing some significant changes from the ISO 27002:2013 Standard. On 25 October 2022, ISO 27001:2022 was published with its Annex A incorporating all the 27002 controls. There were also a number of changes to the main management system clauses aimed at making some requirements more explicit and at aligning more closely with other Annex SL standards, such as ISO 9001 and ISO 22301.
By attending this 2-day online course, you will not only learn what the key changes are to the Annex A controls and management system clauses, but more importantly, how to transition from ISO 27001:2013 to ISO 27001:2022. On day 1 you will be introduced to the key changes to ISO 27002:2022 including the 4 new themes, the new/merged and updated controls, along with the new ‘attributes’ feature. On day 2, having addressed the changes to the management system clauses, the primary focus will be on how to update your risk assessment and Statement of Applicability, along with the different approaches you can take to transitioning to the new control set. You will also learn how to use, link and present the new attributes.
Day 1
You will learn:
- The key changes between ISO 27001:2013 and ISO 27001:2022 and why they have been introduced
- How ISO 27002 has changed including:
o The replacement of 14 domains with 4 themes
o The new control structure
o The merging of controls
o The updating of controls
o The new controls and their objectives
- Why attributes have been introduced and their purpose including:
o Different types of attributes
o Understanding attributes
o Mapping attributes
- Potential challenges in implementing some of the new controls
- High-level process for transitioning to ISO 27001:2022
Day 2
You will learn:
- Changes to the management system clauses including:
o Clause 4 Context of the Organisation, Clause 6.3 Planning of Changes and Clause 9.3 Management Review
- How to successfully transition to ISO 27001:2022 including:
o Updating your risk assessment and Statement of Applicability
Assets – Do you need to review your information and information assets and their value?
Threats – Are there different threats you should be considering?
o Approaches to considering the new control set
Reset – Consider a new control maturity assessment
Migrate – Maintain the current control maturity (lowest maturity is maintained for combined controls) and assess the new controls only
Bespoke – A combination of both?
o Attributes, how to use, link and present them
o Consequences of updating your risk assessment, e.g., reviewing your metrics and audit schedule
o Updating your ISMS
How best to update your ISMS to include the changed clause requirements
- How do you know when you are transition ready?