ISO 27001:2022: Absolutely Everything You Need to Know

Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I am going to show you how to transition, give you templates, show you examples and do a walkthrough. In this ISO 27001 certification guide I lay bare the changes to the ISO 27001 standard that happened in 2022, what's new, and what changed in the ISO 27001:2022 update.

Table of contents

- What is ISO/IEC 27001:2022?
- What has changed in the new version of ISO/IEC 27001:2022?
- What do I need to know about the new version of ISO 27001?
- What should I do for the new version of ISO 27001?
- The new ISO/IEC 27001:2022 with changes listed
- ISO 27001:2013 versus ISO 27001:2022
- The top 3 mistakes people make with the new ISO 27001:2022
  1. Assuming it is different
  2. Paying consultants to work out the impact
  3. Not buying and reading the standard
- The 3 things you missed that have changed in ISO 27001:2022
  1. Fundamentally nothing has changed
  2. The biggest change was to ISO 27002 / Annex A
  3. It is a version alignment
- ISO/IEC 27001:2022 release date
- ISO/IEC 27001:2022 FAQ

I am Stuart Barker, the ISO 27001 Ninja, and this is everything you need to know about ISO 27001:2022.

What is ISO/IEC 27001:2022?

ISO 27001 is the international standard for information security. It is an Information Security Management System (ISMS) and the output is an ISO 27001 certification. ISO/IEC 27001:2022 is the much anticipated 2022 update to the standard. Officially it is called: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements.

What has changed in the new version of ISO/IEC 27001:2022?

In reality, very little has changed in ISO/IEC 27001:2022. The following is a summary of the ISO 27001:2022 changes:

- minor word changes
- 1 new clause
- 5 new sub clauses
- the numbering of 2 clauses has swapped

What do I need to know about the new version of ISO 27001?

You need to know that you do not need to panic. This is not a revolution. It is barely an evolution. The main focus seems to be to align the numbering and address the fact that the date of the last major revision was 2013.

What should I do for the new version of ISO 27001?

The first thing you should do for the new version of ISO 27001 is not panic. Very little has changed. Now that the new version is in final release, get yourself a copy. Stop spanking £10,000s on consultants and ISMS online tools.

The new ISO/IEC 27001:2022 with changes listed

Here we list the summary changes to the ISO 27001 standard, clause by clause.

ISO/IEC 27001:2022 Clause 4 Context of the Organization

Clause 4.1 Understanding the organisation and its context: No change.

Clause 4.2 Understanding the needs and expectations of interested parties: There is no real change to ISO 27001 clause 4.2 for the 2022 update. It has clarified that you will now determine which of the identified requirements will be addressed through the information security management system, rather than implying it.

Clause 4.3 Determining the scope of the information security management system: Not a massive change to ISO 27001 clause 4.3 in the 2022 update, as the only thing it does is remove the word 'and' from 4.3 b. Great, isn't it.

Clause 4.4 Information security management system: They now refer throughout the standard to 'this document' rather than 'this International Standard', so the words 'International Standard' are replaced with the word 'document'. They have also added into the sentence the term 'including the processes needed and their interactions', to be absolutely crystal clear that processes are included rather than implying it. In essence, nothing has changed. It is a clarification of wording.

ISO/IEC 27001:2022 Clause 5 Leadership

Clause 5.1 Leadership and commitment: No change.

Clause 5.2 Policy: No change.

Clause 5.3 Organisational roles, responsibilities and authorities: The changes to ISO 27001 clause 5.3 for the 2022 update are minor at best. Changing the words 'International Standard' to the word 'document' and adding clarification that communication is within the organisation, which was always implied but never said outright. Nothing material.

ISO/IEC 27001:2022 Clause 6 Planning

Clause 6.1 Actions to address risks and opportunities: No change.

Clause 6.1.1 General: No change.

Clause 6.1.2 Information security risk assessment: Brace yourself. The massive update was to remove the word 'and'.

Clause 6.1.3 Information security risk treatment: The changes to ISO 27001 clause 6.1.3 are minor but important:

- Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives.
- Removing the wording that control objectives are implicitly included in the controls chosen.
- Changing from the control objectives listed in Annex A being exhaustive, with additional controls maybe being needed, to the wording of Annex A as being not exhaustive.
- Changing from information security objectives to controls in Annex A.
- Changing the sentence of 6.1.3 d into a list for ease of reading.
- Changing the words 'International Standard' to the word 'document'.

Overall these are clarification changes and not material.

Clause 6.2 Information security objectives and planning to achieve them: ISO 27001 clause 6.2 had minor changes in the 2022 update, with the changes being focused on clarity. It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is now made explicit. As a result the numbering of the sub parts shifted, but this is not material.

Clause 6.3 Planning of changes: NEW. When you make changes to the ISMS, do it in a planned manner, which you would anyway.

ISO/IEC 27001:2022 Clause 7 Support

Clause 7.1 Resources: No change.

Clause 7.2 Competence: No change.

Clause 7.3 Awareness: No change.

Clause 7.4 Communication: There are minor changes to ISO 27001 clause 7.4 in the 2022 update. The changes can be seen as a simplification. It removes 'who shall communicate' and replaces it with 'how to communicate', and it completely removes the need to show the processes by which communication shall be effected. It is our opinion that keeping who communicates and the process of how is good practice, but you can, if you wish, not account for it directly.

Clause 7.5 Documented information: No change.

Clause 7.5.1 General: Great news. There are no material changes to ISO 27001 clause 7.5.1 in the 2022 update. There is a general update across the standard to replace the words 'International Standard' with the word 'document', but this is not material; the standard now refers to itself in the text as 'this document'.

Clause 7.5.2 Creating and updating: No change.

Clause 7.5.3 Control of documented information: Great news. There are no changes to ISO 27001 clause 7.5.3 in the 2022 update. Where reference was made to the International Standard in reference to the document, it has been replaced with the word 'document'.

ISO/IEC 27001:2022 Clause 8 Operation

Clause 8.1 Operational planning and control: The changes to ISO 27001 clause 8.1 in the 2022 update are clarification changes and nothing material. The wording on planning, implementing and controlling processes has been widened to the more general wording of 'meet requirements', rather than the previous 'meet information security requirements'. It now talks to establishing criteria for the processes and implementing control of processes in line with the criteria. Rather than 'keep documented information', it has changed to 'documented information shall be available'. The wording '... are determined and controlled' is changed to '... products or services that are relevant to the information security management system are controlled'.

Clause 8.2 Information security risk assessment: No change.

Clause 8.3 Information security risk treatment: No change.

ISO/IEC 27001:2022 Clause 9 Performance evaluation

Clause 9.1 Monitoring, measurement, analysis and evaluation: There are clarification changes to ISO 27001 clause 9.1 in the 2022 update. The words about the organisation evaluating the information security performance and the effectiveness of the management system have been removed; they are covered to a greater or lesser degree elsewhere in the clause. 9.1 b has been updated to give guidance on the methods of monitoring, measurement, analysis and evaluation, and provides that they should produce comparable and reproducible results to be considered valid. This was previously a footnote, so no material change. 9.1 e has had the word 'and' removed. A requirement for documented information to be available to evidence results has been included, making it an explicit rather than implied requirement with little to no consequence. Rather than 'retain appropriate documentation as evidence', the line has been replaced with the requirement to 'evaluate the information security performance and effectiveness of the information security management system'. It says pretty much the same thing, with the same requirement, with a change to the wording of how it says it.

Clause 9.2 Internal audit: This clause has now had the wording removed and shifted to two new separate sub clauses.

Clause 9.2.1 General: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.2.2 Internal audit programme: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.3 Management review: This clause has now had the wording removed and shifted to three new separate sub clauses.

Clause 9.3.1 General: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.3.2 Management review inputs: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.3.3 Management review results: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

ISO/IEC 27001:2022 Clause 10 Improvement

Clause 10.1 Continual improvement: No change, but swapped numbering. Why?

Clause 10.2 Nonconformity and corrective action: No change, but swapped numbering. Why?

Annex A (normative) Information security controls reference: ISO 27002:2022 new version of the control set.

ISO 27001:2013 versus ISO 27001:2022

A direct comparison of ISO 27001:2013 versus ISO 27001:2022. Left column: ISO/IEC 27001:2022 clause. Right column: the corresponding ISO/IEC 27001:2013 clause.

Clause 4 Context of the Organization | Clause 4 Context of the Organization
Clause 4.1 Understanding the organisation and its context | Clause 4.1 Understanding the organisation and its context
Clause 4.2 Understanding the needs and expectations of interested parties | Clause 4.2 Understanding the needs and expectations of interested parties
Clause 4.3 Determining the scope of the information security management system | Clause 4.3 Determining the scope of the information security management system
Clause 4.4 Information security management system | Clause 4.4 Information security management system
Clause 5 Leadership | Clause 5 Leadership
Clause 5.1 Leadership and commitment | Clause 5.1 Leadership and commitment
Clause 5.2 Policy | Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities | Clause 5.3 Organizational roles, responsibilities and authorities
Clause 6 Planning | Clause 6 Planning
Clause 6.1 Actions to address risks and opportunities | Clause 6.1 Actions to address risks and opportunities
Clause 6.1.1 General | Clause 6.1.1 General
Clause 6.1.2 Information security risk assessment | Clause 6.1.2 Information security risk assessment
Clause 6.1.3 Information security risk treatment | Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives and planning to achieve them | Clause 6.2 Information security objectives and planning to achieve them
Clause 6.3 Planning of changes | NEW
Clause 7 Support | Clause 7 Support
Clause 7.1 Resources | Clause 7.1 Resources
Clause 7.2 Competence | Clause 7.2 Competence
Clause 7.3 Awareness | Clause 7.3 Awareness
Clause 7.4 Communication | Clause 7.4 Communication
Clause 7.5 Documented information | Clause 7.5 Documented information
Clause 7.5.1 General | Clause 7.5.1 General
Clause 7.5.2 Creating and updating | Clause 7.5.2 Creating and updating
Clause 7.5.3 Control of documented information | Clause 7.5.3 Control of documented information
Clause 8 Operation | Clause 8 Operation
Clause 8.1 Operational planning and control | Clause 8.1 Operational planning and control
Clause 8.2 Information security risk assessment | Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment | Clause 8.3 Information security risk treatment
Clause 9 Performance evaluation | Clause 9 Performance evaluation
Clause 9.1 Monitoring, measurement, analysis and evaluation | Clause 9.1 Monitoring, measurement, analysis and evaluation
Clause 9.2 Internal audit | Clause 9.2 Internal audit
Clause 9.2.1 General | NEW
Clause 9.2.2 Internal audit programme | NEW
Clause 9.3 Management review | Clause 9.3 Management review
Clause 9.3.1 General | NEW
Clause 9.3.2 Management review inputs | NEW
Clause 9.3.3 Management review results | NEW
Clause 10 Improvement | Clause 10 Improvement
Clause 10.1 Continual improvement | Clause 10.2 Continual improvement
Clause 10.2 Nonconformity and corrective action | Clause 10.1 Nonconformity and corrective action
Annex A (normative) Information security controls reference | ISO 27002:2022 new version of the control set

The top 3 mistakes people make with the new ISO 27001:2022

1. Assuming it is different

Assuming that it's vastly different and panicking. Worrying the organisation unduly and seeking massive budget for something that is fundamentally no different to what they have or are already working towards.

2. Paying consultants to work out the impact

Paying consultants to tell you that nothing has fundamentally changed, when you can buy the standard yourself and read it in around 15 minutes.

3. Not buying and reading the standard

Relying on the internet and free resources rather than getting a copy of the standard and reading it yourself.

The 3 things you missed that have changed in ISO 27001:2022

1. Fundamentally nothing has changed

ISO 27001:2022 is fundamentally the same, with minor wording changes, a numbering change to 2 clauses and some clarifications.

2. The biggest change was to ISO 27002 / Annex A

The biggest change has already happened with the control set, when ISO 27002 was updated to the 2022 version.

3. It is a version alignment

As the standard has not changed significantly since the 2013 version, and as the approach seems to be to name the standard followed by a year, it is kind of embarrassing that people are working to what appears to be a 2013 version of an information security standard. So, to make it more relevant, they have changed the name to 2022.

ISO/IEC 27001:2022 release date

ISO/IEC 27001:2022 was released in October 2022.

ISO/IEC 27001:2022 FAQ

Is ISO 27001 being updated? Yes. The ISO 27001:2022 version is not really an update, but yes, a new version of the standard was released in October 2022.

When is ISO 27001 being updated? The ISO 27001 standard has been amended and was released in October 2022.

What is the latest version of ISO 27001? The latest version of ISO 27001 is ISO/IEC 27001:2022.

Will I get audited on the new version of ISO 27001? Potentially. It's unlikely until the end of 2023 or 2024 that you will be audited against the new version of the standard.

What has changed in ISO 27001? Very little has changed in ISO 27001. It is minor wording updates, a change of name to reflect the release date of 2022, and bring the versioning into