ISO 27001:2022 Update

For organisations that have already implemented the 2013 standard or are working towards being ISO 27001:2013 certified, there’s no need to panic about the update. Once awarded, your organisation’s ISO 27001 certification is valid for three years. After this point, you’ll need to either re-certify or update your ISMS policies, procedures and documentation in line with the 2022 standard, which is a quick and easy task within Hicomply’s automated platform.

Clauses

ISO 27001:2022 clauses with no changes

4.1 Understanding the organisation and its context

4.3 Determining the scope of the information security management system

5.2 Leadership - Policy

6.1.1 Actions to address risks and opportunities - General

6.1.2 Information security risk assessment

7.1 Support - Resources

7.2 Support - Competence

7.3 Support - Awareness

7.5.1 Documented information - General

7.5.2 Documented information - Creating and updating

7.5.3 Control of documented information

8.2 Information security risk assessment

8.3 Information security risk treatment

Clauses that have been reworded or clarified, no additional requirements

4.4 Information security management system

5.1 Leadership and commitment

5.3 Organisational roles, responsibilities and authorities

6.1.3 Information security risk treatment

8.1 Operational planning and control

9.1 Monitoring, measurement, analysis and evaluation

7.4 Support - Communication

Clauses that have new or additional requirements

4.2 Understanding the needs and expectations of interested parties

As well as the information outlined in ISO 27001:2013, the additional requirement for this clause is that the organisation shall determine which requirements will be addressed through the ISMS.

6.2 Information security objectives and planning to achieve them

As well as the information outlined in ISO 27001:2013, the additional requirements in this clause state that the information security objectives shall be updated as appropriate and be available as documented information.

Clauses that have notable changes

9.2 Internal audit has been split into 9.2.1 General, and 9.2.2 Internal audit programme:

9.2.1 General requires that the organisation conducts internal audits at planned intervals to provide information on whether the ISMS conforms to the organisation’s requirements for its ISMS and the requirements of the document, and is effectively implemented and maintained.

9.2.2 Internal audit programme requires that the organisation plan, establish, implement and maintain an audit programme or audit programmes. This includes the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme, the organisation should consider the importance of the processes, the results of previous audits and:

• a) define the criteria and scope for each audit
• b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process
• c) ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.

Clause 9.3 Management review has been split into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results:

9.3.1 General requires that top management review the organisation's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

9.3.2 Management review input requires that the management review includes consideration of:

• a) the status of actions from previous management reviews
• b) changes in external and internal issues that are relevant to the ISMS
• c) changes in needs and expectations of interested parties that are relevant to the information security management system
• d) feedback on the information security performance, including trends in
  • 1) nonconformities and corrective actions
  • 2) monitoring and measurement results
  • 3) audit results
  • 4) fulfilment of information security objectives.
• e) feedback from interested parties
• f) results of risk assessment and status of risk treatment plan
• g) opportunities for continual improvement.

9.3.3 Management review results requires that the results of the management review include decisions related to continual improvement opportunities and any needs for changes to the ISMS. Documented information must be available as evidence of the results of management reviews.

In Clause 10, 10.1 nonconformity and corrective action is now clause 10.2. 10.2 Continual improvement is now 10.1.

New clauses

6.3 Planning of changes is a new clause outlining requirements of planning of changes, requiring that when the organisation determines the need for changes to the ISMS, the changes be carried out in a planned manner.

Annex A

Annex A has been restructured, changing from 114 controls under 14 categories to 93 controls under four categories. However, these controls have remained largely the same. Instead of referring to reference controls and objectives, the annex is now title information security controls reference in line with the standard’s focus on information security specifically.

Below, we’ve mapped the ISO 27001:2022 controls against their ISO 27001:2013 counterparts.

A5 Organisational Controls

A6 People Controls

A7 Physical Controls

8 Technological Controls