ISO/IEC 27001:2022 Key Changes

Wayne Armstrong | Senior Information Security Consultant and Consultant Manager at URM | Published on 28 October 2022

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog provides our high-level analysis of the key changes and what they mean for organisations that are already certified or are planning to certify.

In a nutshell

The major change to the Standard is, undoubtedly, the wholesale adoption of the controls from ISO 27002:2022 into Annex A.  As such, if you are already certified to ISO 27001:2013, this should be your major focus as you start to think about transitioning over to the new Standard.  The controls are now grouped into 4 themes (organisational, people, physical and technological) rather than the previous 14 categories, and attributes have been introduced that allow you to tag and filter controls by criteria such as control type, information security property, cybersecurity concept, operational capability and security domain, so that you can present your security posture from whichever viewpoint your stakeholders need.  With regards to the controls themselves, there are now 93 rather than the previous 114.  On first reading, this appears to be a reduction in the number of controls; however, 57 of the 2013 controls have been merged into 24, 11 controls are entirely new, and no controls have been deleted.  The practical consequence is that your Statement of Applicability, risk treatment plan and supporting documentation will need to be re-mapped to the new control set.  Organisations certified to the 2013 edition have a three-year transition period, ending 31 October 2025.  (See our training courses below for more information.)

There are also a number of changes to the main management system clauses (Clauses 4 to 10).  The vast majority of these make existing requirements more explicit and align the Standard more closely with other Annex SL (harmonised structure) standards, such as ISO 9001 and ISO 22301.  That said, it is important you understand these changes and ensure your information security management system (ISMS) meets the revised requirements, as they will be audited at your transition assessment.  We have selected 3 of the more significant changes below.

Clause 4.4: The phrase ‘including the processes needed and their interactions’ has been added to the requirement to establish, implement, maintain and continually improve your ISMS.  This addition means you should be able to show not only that each ISMS process (for example, risk assessment, supplier management, incident management and internal audit) exists, but also how the processes interact and how work is handed over from one process to the next, e.g. how the output of incident management feeds back into risk assessment and corrective action.

Clause 6.3 Planning of Changes: This is a brand new subclause and mirrors the equivalent clause introduced in ISO 9001:2015.  It requires that changes to the ISMS are carried out in a planned manner.  In practice, you will need to consider and record factors such as the purpose of the change and its potential consequences, how it may impact the integrity of your ISMS, the availability of resources, and the allocation or reallocation of responsibilities and authorities.  An existing change management procedure can often be extended to cover this, provided it is applied to changes to the ISMS itself and not just to IT systems.

Clause 9.3.2 c): A new input to management review has been added: ‘changes in needs and expectations of interested parties that are relevant to the ISMS’.  Here you will need to think about how you will monitor and review these needs and expectations (for example, changes in customer contractual requirements, regulatory obligations or supplier arrangements), and how you will evidence that this has been done and considered at management review.

How URM can help you

Consultancy support

URM can provide 1:1 support in helping you understand the changes introduced by ISO 27001:2022, their impact on your particular ISMS and how to address them.  We can also assist you in effectively implementing the necessary changes, updating your ISMS and supporting documentation, and conducting an up-to-date, tailored risk assessment against the new control set.

Training support

URM is offering 2 training courses:

  • 1 day ISO 27002:2022 Control Migration Course - where you will learn the key changes between ISO 27002:2013 and ISO 27002:2022, including how the approach differs, how the controls have changed (new, merged, deleted) and the new ‘attribute’ feature.
  • 2 day ISO 27001:2022 Transition Course - incorporates the above course as day 1, before addressing the management system clause changes and how to go about updating your risk assessment in order to transition to ISO 27001:2022.

Risk management tool

URM can help you transition your risk assessment with its automated risk management tool, Abriska 27001, which has been fully updated to include the new Annex A controls and enables you to take advantage of the new attribute functionality.  More information can be gained by attending URM’s Abriska webinar at 11 am on Wednesday 2 November 2022.

Not certified?

If you are not certified, there has never been a better time to develop an information security management system and achieve certification, as you can implement directly against the 2022 edition rather than certifying to 2013 and then transitioning.  If you would like to understand more about the benefits and what’s involved in implementing ISO 27001, please register your interest here and we will be in touch.

More updates

Also look out for more updates on our ISO 27001 FAQ Page.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).