What’s changing in ISO 27001?
ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes:
You must now identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS (information security management system).
The ISMS now explicitly includes the “processes needed and their interactions”.
Information security objectives must now be monitored and made “available as documented information”.
There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned.
The requirements to define who will communicate and the processes for
effecting communication have been replaced by a requirement to define “how to communicate”.The requirement to plan how to achieve information security objectives has been replaced by a
requirement to establish criteria for processes to implement actions identified in Clause 6, and to
control those processes in line with the criteria.
Organisations are now required to control “externally provided processes, products or services”
relevant to the ISMS rather than just processes.Methods of monitoring, measuring, analysing and evaluating the effectiveness of the ISMS
now need to be comparable and reproducible. The management review must now also consider changes in the needs and expectations of interested parties.
Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.
What’s changing in ISO 27001?
First, the phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as a reference set of information security controls.
The Standard itself is significantly longer than the previous version, and the controls have been reordered and updated. Some controls have been merged or removed, and some have been added:
In security as in life, the hardest weaknesses to pinpoint are your own. Fortunately, we have no problem thoroughly documenting all of your flaws. In fact, it’s kind of our job here at Compassrose.
And that’s a good thing: Knowing your vulnerabilities—and the ways in which attackers could exploit them—is one of the greatest insights you can get in improving your security program. With that in mind, Compassrose Penetration Testing Services team will simulate a real-world attack on your networks, applications, devices, and/or people to demonstrate the security level of your key systems and infrastructure and show you what it will take to strengthen it. Much like your mum, we don't highlight your failings because it bothers you—we do it because we care. This testing is done as part of our ISO27001 intergration into your company, so there is no need to go looking for a company. Compassrose is here for your accreditation to ISO27001 from concept to accreditation.
How will this affect organisations implementing ISO 27001?
Certification bodies are unlikely to offer certification to ISO 27001:2022 for at least six months after the Standard’s publication and ISO 27001:2013 will not be retired for another three years, so there is no need to worry that any work you have done to implement ISO 27001:2013 has been wasted.
Depending on how far your ISO 27001:2013 implementation project has progressed, you may wish to use the new Annex A controls from ISO 27001:2022 as an alternative control set, although you will still need to compare these with the 2013 Annex A controls in your Statement of Applicability.
(ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.)
Before renewing your ISO 27001 certification after three years, you will need to transition your ISMS to comply with the 2022 iteration of the Standard.
We have everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.
ISO 27001 Compliance and Cybersecurity
There are 2 major parts to the ISO 27000 standard family. The first part is the specifications for the ISMS and considerations of all the Annex A controls as outlined in ISO 27001.
The second part is ISO 27002, which provides guidance on how to implement the controls. Together they combine the what and how for an Information Security Management System.
Compassrose offers customised consulting programs to fit your business needs to assist you in implementing and maintaining an effective ISMS. Once you have implemented ISO 27001 with our assistance, you will be compliant to the international standard. Should you choose to continue toward certification, we can offer options for you.
Many customers that pursue ISO 27001, have or need to have ISO 9001 in place. ISO 27001 is designed to dovetail with other standards in the ISO family such as ISO 9001, ISO 14001, ISO 20000-1 (information technology) and more.
What does this mean for organisations that are already certified to ISO 27001:2013?
There is a three-year transition period for certified organisations to revise their management system to conform to the new version of ISO 27001, so there is plenty of time for you to make the necessary changes. However, some certification bodies might stop offering certification to the 2013 iteration of the Standard before that point, so it is worth checking if you need to transition earlier.
It is inadvisable to leave it till the last minute to meet your new obligations, so if you are due to renew your certification during the transition period, you could work against the new control set.
One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus your selections, which could reduce the compliance burden or help you see how to better integrate your security processes, thereby making your ISMS easier to implement and manage.
We have everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.
Speak to an ISO 27001 expert
For more information about ISO 27001 and how we can help you implement an ISMS – whatever your size, budget or level of expertise – get in touch with one of our experts today.
London, Birmingham, Manchester, sheffield, Cardiff, Leicester, Newcastle, Brighton, Aberdeen, Northampton, Swindon, Dudley, York, Stockton, Bourhemouth, Norwich,Peterborough, Mansfield, Telford, Ipswich, Huddersfield, Dundee, Doncaster, Chelmsford, Slough, Burnley, Hastings, London, Gloucester, Worcester, Exeter, Scunthorpe, Guildford, Nottingham, Liverpool, Bath, Stoke, Hull, Plymouth, Glasgow, Wolverhampton, Southampton, Milton-Bradford-Luton, Slough, Preston, Edinburgh, Southend on sea, Leeds, , QMS. Cambridge, Slough, Blackburn Burnley, London,Gloucester, Worcester, Exeter, Scunthorpe, Guildford, Nottingham and Derby, Warrington to Liverpool, Bristol and Bath
