At the end of October 2022, the International Organization for Standardization (ISO) published ISO/IEC 27001:2022, a moderate update of the previous version of the standard, ISO/IEC 27001:2013. Both are international standards for information security management systems (ISMS). They set out requirements and best practices for establishing, operating and continually improving an ISMS: a framework of policies, processes and controls for protecting sensitive information.
The 2022 version includes several updates and improvements over the 2013 version, including new controls on topics such as data governance, supply chain security and the use of cloud services. I will be highlighting the significant changes and key differences between the 2013 and 2022 versions of ISO 27001.
The mandatory clauses 4 through 10 have changed only slightly, mainly to align ISO 27001 with ISO 9001, ISO 14001 and the other ISO management system standards built on the Annex SL harmonized structure:
The changes in Annex A are moderate because most of the controls have either stayed the same (35 of them) or have only been renamed (23). Another 57 controls were merged, which reduces the total number of controls (from 114 to 93) while leaving the requirements within those controls almost unchanged. One control was split into two separate controls, again with the requirements unchanged.
Eleven new controls were added to reflect current trends in IT and security; they include:
Changes in the main part of the standard are small and can be implemented quickly, with only minor adjustments to documentation and processes. Changes in the Annex A controls are moderate and can mostly be handled by adding the new controls to the existing documentation and updating the Statement of Applicability accordingly.
This update does not invalidate existing certifications, and certification bodies may still issue certificates against ISO 27001:2013 until April 30, 2024. Companies should nevertheless begin updating their controls and processes to meet the requirements of the new revision as soon as possible.
Any company currently certified against ISO 27001:2013 has until October 31, 2025, to transition to the new revision. The recommended steps are:
Copyright © 2023 Via Resource. All Rights Reserved.