ISO 27001:2022 — Absolutely Everything You Need to Know
In this article

Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications, I am going to show you what changed in the ISO 27001:2022 update, lay bare the changes to the ISO 27001 standard that happened in 2022, show you how to transition, give you templates and examples, and do a walkthrough.
Table of contents
+ What is ISO/IEC 27001:2022?
+ What has changed in the new version of ISO/IEC 27001:2022?
+ What do I need to know about the new version of ISO 27001?
+ What should I do for the new version of ISO 27001?
+ The new ISO/IEC 27001:2022 with changes listed
+ ISO 27001:2013 versus ISO 27001:2022
+ The top 3 mistakes people make with the new ISO 27001:2022
  + 1. Assuming it is different
  + 2. Paying consultants to work out the impact
  + 3. Not buying and reading the standard
+ The 3 things you missed that have changed in ISO 27001:2022
  + 1. Fundamentally nothing has changed
  + 2. The biggest change was to ISO 27002 / Annex A
  + 3. It is a version alignment
+ ISO/IEC 27001:2022 release date
+ ISO/IEC 27001:2022 FAQ
I am Stuart Barker, the ISO 27001 Ninja, and this is everything you need to know about ISO 27001:2022.

What is ISO/IEC 27001:2022?
ISO 27001 is the international standard for information security. It specifies an Information Security Management System (ISMS), and the output is an ISO 27001 certification. ISO/IEC 27001:2022 is the much anticipated 2022 update to the standard.

Officially it is called: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements.
What has changed in the new version of ISO/IEC 27001:2022?
In reality, very little has changed in ISO/IEC 27001:2022. The following is a summary of the ISO 27001:2022 changes:
+ Minor word changes
+ 1 new clause
+ 5 new sub-clauses
+ The numbering of 2 clauses has swapped
What do I need to know about the new version of ISO 27001?
You need to know that you do not need to panic. This is not a revolution. It is barely an evolution. The main focus seems to be to align the numbering and address the fact that the date of the last major revision was 2013.
What should I do for the new version of ISO 27001?
The first thing you should do for the new version of ISO 27001 is not panic. Very little has changed. Now that the new version is in final release, get yourself a copy.
The new ISO/IEC 27001:2022 with changes listed
Here we list the summary changes to the ISO 27001 standard, clause by clause.

ISO/IEC 27001:2022 Clause 4 Context of the Organization

Clause 4.1 Understanding the organisation and its context: No change.

Clause 4.2 Understanding the needs and expectations of interested parties: There is no real change to ISO 27001 Clause 4.2 for the 2022 update. It has clarified that you will now determine which of the identified requirements will be addressed through the information security management system, rather than implying it.

Clause 4.3 Determining the scope of the information security management system: Not a massive change to ISO 27001 Clause 4.3 in the 2022 update, as the only thing it does is remove the word 'and' from 4.3 b. Great, isn't it. Throughout the standard the words 'International Standard' are also replaced with the word 'document', because the standard now refers to itself as 'this document'.

Clause 4.4 Information security management system: They have added into the sentence the term 'including the processes needed and their interactions' to be absolutely crystal clear that processes are included, rather than implying it. In essence, nothing has changed. It is a clarification of wording.

ISO/IEC 27001:2022 Clause 5 Leadership

Clause 5.1 Leadership and commitment: No change.

Clause 5.2 Policy: No change.

Clause 5.3 Organisational roles, responsibilities and authorities: The changes to ISO 27001 Clause 5.3 for the 2022 update are minor at best: changing the words 'International Standard' to the word 'document', and adding the clarification that communication is within the organisation, as was always implied but never said outright. Nothing material.

ISO/IEC 27001:2022 Clause 6 Planning

Clause 6.1 Actions to address risks and opportunities: No change.

Clause 6.1.1 General: Brace yourself. The massive update was to remove the word 'and' from 6.1.1 e.

Clause 6.1.2 Information security risk assessment: No change.

Clause 6.1.3 Information security risk treatment: The changes to ISO 27001 Clause 6.1.3 are minor but important:
+ Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives and controls.
+ Removing the wording that control objectives are implicitly included in the controls chosen.
+ Changing from the control objectives and controls listed in Annex A being not exhaustive, with additional control objectives and controls possibly being needed, to the wording that the information security controls listed in Annex A are not exhaustive and additional controls may be needed. In short, the references to Annex A change from control objectives to controls.
+ Changing the sentence of 6.1.3 d (the Statement of Applicability) into a list for ease of reading.
+ Changing the words 'International Standard' to the word 'document'.
Overall these are clarification changes and not material.

Clause 6.2 Information security objectives and planning to achieve them: ISO 27001 Clause 6.2 had minor changes in the 2022 update, with the changes being focused on clarity. It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is now made explicit. As a result the numbering of the sub-parts shifted, but this is not material.

Clause 6.3 Planning of changes: NEW. When you make changes to the ISMS, do it in a planned manner.

ISO/IEC 27001:2022 Clause 7 Support

Clause 7.1 Resources: No change.

Clause 7.2 Competence: No change.

Clause 7.3 Awareness: No change.

Clause 7.4 Communication: There are minor changes to ISO 27001 Clause 7.4 in the 2022 update. The changes can be seen as a simplification. It removes 'who shall communicate' and replaces it with 'how to communicate', and it completely removes the need to show the processes by which communication shall be effected. It is our opinion that keeping the who and the process of how is good practice, but you can, if you wish, not account for it directly.

Clause 7.5 Documented information: No change.

Clause 7.5.1 General: Great news. There are no material changes to ISO 27001 Clause 7.5.1 in the 2022 update. There is a general update across the standard to replace the words 'International Standard' with the word 'document', but this is not material; it is simply how the standard now refers to itself in the text.

Clause 7.5.2 Creating and updating: No change.

Clause 7.5.3 Control of documented information: Great news. There are no changes to ISO 27001 Clause 7.5.3 in the 2022 update. Where reference was made to the 'International Standard' it has been replaced with the word 'document'.

ISO/IEC 27001:2022 Clause 8 Operation

Clause 8.1 Operational planning and control: The changes to ISO 27001 Clause 8.1 in the 2022 update are clarification changes and nothing material. The wording on planning, implementing and controlling processes was widened to the more general 'meet requirements', rather than the previous 'meet information security requirements'. It now talks to establishing criteria for the processes and implementing control of the processes in line with those criteria. Rather than 'keep documented information', it is changed to 'documented information shall be available'. 'Outsourced processes are determined and controlled' is changed to 'externally provided processes, products or services that are relevant to the information security management system are controlled'.

Clause 8.2 Information security risk assessment: No change.

Clause 8.3 Information security risk treatment: No change.

ISO/IEC 27001:2022 Clause 9 Performance evaluation

Clause 9.1 Monitoring, measurement, analysis and evaluation: There are clarification changes to ISO 27001 Clause 9.1 in the 2022 update.
+ The opening words about the organisation evaluating the information security performance and the effectiveness of the management system have been removed. They are covered to a greater or lesser degree elsewhere in the clause.
+ 9.1 b has been updated to give guidance on the methods of monitoring, measurement, analysis and evaluation, and provides that they should produce comparable and reproducible results to be considered valid. This was previously a note, so no material change.
+ 9.1 e has had the word 'and' removed.
+ A requirement for documented information to be available as evidence of the results has been included, making it an explicit rather than an implied requirement, with little to no consequence.
+ Rather than 'retain appropriate documented information as evidence', the closing line has been replaced with the requirement to evaluate the information security performance and the effectiveness of the information security management system.
It says pretty much the same thing, with the same requirements, with a change to the wording of how it says it.

Clause 9.2 Internal audit: This clause has now had its wording removed and shifted into two new separate sub-clauses.

Clause 9.2.1 General: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.2.2 Internal audit programme: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.3 Management review: This clause has now had its wording removed and shifted into three new separate sub-clauses.

Clause 9.3.1 General: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

Clause 9.3.2 Management review inputs: NEW. Separates out the old clause for ease of reading. The one addition worth noting is that changes in the needs and expectations of interested parties that are relevant to the ISMS are now listed as a review input.

Clause 9.3.3 Management review results: NEW. Doesn't say anything new, just separates out the old clause for ease of reading.

ISO/IEC 27001:2022 Clause 10 Improvement

Clause 10.1 Continual improvement: No change, but swapped numbering (this was Clause 10.2 in the 2013 version). Why?

Clause 10.2 Nonconformity and corrective action: No change, but swapped numbering (this was Clause 10.1 in the 2013 version). Why?

Annex A (normative) Information security controls reference: ISO 27002:2022, the new version of the control set.
ISO 27001:2013 versus ISO 27001:2022

A direct comparison of ISO 27001:2013 versus ISO 27001:2022, clause by clause.

| ISO/IEC 27001:2022 | ISO/IEC 27001:2013 |
| --- | --- |
| Clause 4 Context of the Organization | Clause 4 Context of the Organization |
| Clause 4.1 Understanding the organisation and its context | Clause 4.1 Understanding the organisation and its context |
| Clause 4.2 Understanding the needs and expectations of interested parties | Clause 4.2 Understanding the needs and expectations of interested parties |
| Clause 4.3 Determining the scope of the information security management system | Clause 4.3 Determining the scope of the information security management system |
| Clause 4.4 Information security management system | Clause 4.4 Information security management system |
| Clause 5 Leadership | Clause 5 Leadership |
| Clause 5.1 Leadership and commitment | Clause 5.1 Leadership and commitment |
| Clause 5.2 Policy | Clause 5.2 Policy |
| Clause 5.3 Organizational roles, responsibilities and authorities | Clause 5.3 Organizational roles, responsibilities and authorities |
| Clause 6 Planning | Clause 6 Planning |
| Clause 6.1 Actions to address risks and opportunities | Clause 6.1 Actions to address risks and opportunities |
| Clause 6.1.1 General | Clause 6.1.1 General |
| Clause 6.1.2 Information security risk assessment | Clause 6.1.2 Information security risk assessment |
| Clause 6.1.3 Information security risk treatment | Clause 6.1.3 Information security risk treatment |
| Clause 6.2 Information security objectives and planning to achieve them | Clause 6.2 Information security objectives and planning to achieve them |
| Clause 6.3 Planning of changes | NEW |
| Clause 7 Support | Clause 7 Support |
| Clause 7.1 Resources | Clause 7.1 Resources |
| Clause 7.2 Competence | Clause 7.2 Competence |
| Clause 7.3 Awareness | Clause 7.3 Awareness |
| Clause 7.4 Communication | Clause 7.4 Communication |
| Clause 7.5 Documented information | Clause 7.5 Documented information |
| Clause 7.5.1 General | Clause 7.5.1 General |
| Clause 7.5.2 Creating and updating | Clause 7.5.2 Creating and updating |
| Clause 7.5.3 Control of documented information | Clause 7.5.3 Control of documented information |
| Clause 8 Operation | Clause 8 Operation |
| Clause 8.1 Operational planning and control | Clause 8.1 Operational planning and control |
| Clause 8.2 Information security risk assessment | Clause 8.2 Information security risk assessment |
| Clause 8.3 Information security risk treatment | Clause 8.3 Information security risk treatment |
| Clause 9 Performance evaluation | Clause 9 Performance evaluation |
| Clause 9.1 Monitoring, measurement, analysis and evaluation | Clause 9.1 Monitoring, measurement, analysis and evaluation |
| Clause 9.2 Internal audit | Clause 9.2 Internal audit |
| Clause 9.2.1 General | NEW |
| Clause 9.2.2 Internal audit programme | NEW |
| Clause 9.3 Management review | Clause 9.3 Management review |
| Clause 9.3.1 General | NEW |
| Clause 9.3.2 Management review inputs | NEW |
| Clause 9.3.3 Management review results | NEW |
| Clause 10 Improvement | Clause 10 Improvement |
| Clause 10.1 Continual improvement | Clause 10.2 Continual improvement |
| Clause 10.2 Nonconformity and corrective action | Clause 10.1 Nonconformity and corrective action |
| Annex A (normative) Information security controls reference (ISO 27002:2022, the new version of the control set) | Annex A (normative) Reference control objectives and controls |
The top 3 Mistakes People make with the new ISO 27001:2022
1. Assuming it is different

Assuming that it is vastly different and panicking, worrying the organisation unduly and seeking a massive budget for something that fundamentally is no different to what they have or are already working towards.

2. Paying consultants to work out the impact

Paying consultants to tell you that nothing has fundamentally changed, when you can buy the standard yourself and read it in around 15 minutes.

3. Not buying and reading the standard

Relying on the internet and free resources rather than getting a copy of the standard and reading it yourself.
The 3 things you missed that have changed in ISO 27001:2022
1. Fundamentally nothing has changed

ISO 27001:2022 is fundamentally the same, with minor wording changes, a numbering change to 2 clauses and some clarifications.

2. The biggest change was to ISO 27002 / Annex A

The biggest change has already happened with the control set, when ISO 27002 was updated to the 2022 version. ISO/IEC 27002:2022 was published in February 2022 and restructures the Annex A control set from 114 controls in 14 domains to 93 controls in four themes (organisational, people, physical and technological), including 11 new controls, so that is where the real work of the transition sits: re-mapping your risk treatment and Statement of Applicability to the new control set.

3. It is a version alignment

As the standard has not changed significantly since the 2013 version, and as the approach seems to be to name the standard followed by a year, it is kind of embarrassing that people are working to what appears to be a 2013 version of an information security standard. So, to make it more relevant, they have changed the name to 2022.

ISO/IEC 27001:2022 Release Date

ISO/IEC 27001:2022 was released in October 2022.
ISO/IEC 27001:2022 FAQ

Is ISO 27001 being updated?
Yes. The ISO 27001:2022 version is not really an update, but yes, a new version of the standard was released in October 2022.

When is ISO 27001 being updated?
The ISO 27001 standard has been amended and was released in October 2022.

What is the latest version of ISO 27001?
The latest version of ISO 27001 is ISO/IEC 27001:2022.

Will I get audited on the new version of ISO 27001?
Potentially. It is unlikely until the end of 2023 or 2024 that you will be audited against the new version of the standard. Note that IAF MD 26:2022 sets a three-year transition period from publication, so certificates to the 2013 version cease to be valid after 31 October 2025; confirm the timetable with your certification body.
What has changed in ISO 27001?
Very little has changed in ISO 27001. It is minor wording updates and a change of name to reflect the release date of 2022 and bring the versioning into