The changes in the 2022 version of ISO27001

The new version of ISO27001 has been published. It is not a major revision and it is not quite what was originally expected. The original intention was that the only change was going to be a new Annex A to match the controls listed in new version of ISO27002 published early in 2022. However, for technical reasons a few other changes were included – mostly minor but a few that need thinking about.

This article looks at the main changes that organisations will need to consider when transitioning from the 2013 version of ISO27001 to this new version. This article does not discuss all of the changes – just ones I think that are worth highlighting. My view is that if I have not mentioned a change in this article then you can probably ignore it.

Some of the changes may help to improve the performance of your Information Security Management System (ISMS) and some will just be “things we have to do so we can keep our certificate”.

Below is a list of what I view as the changes that are worth noting, roughly in order of what I think are the most significant in terms of effort to implement, although of course this is likely to vary for several reasons.

8.1 Operational planning and control - criteria

This is potentially one of the more significant changes. The requirement is:

“The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:

— establishing criteria for the processes;

— implementing control of the processes in accordance with the criteria.”

The highlighting in bold (by me) indicates the changes.

This is actually pretty vague as it does not say which processes (although it implies all of them) and does not say what sort of criteria you should define. A reasonable interpretation might be that it is the criteria related to the successful operation of the processes, i.e. what it is that is important to the successful operation of the processes (notably the clauses and controls). In management speak some of these criteria might be “success criteria” and/or “critical success factors”.

This does not mean all these criteria need to be documented but you will need to be able to answer the questions:

- “Have you established criteria for the processes?”

- “What are the criteria for the processes?”

- “Are the controls implemented in accordance with the criteria?”

In practice you are probably already doing “criteria” for processes and if asked “what is needed to ensure that process X operates OK” you will almost certainly be able to answer even if you have to think about it for a bit. What this new requirement in ISO27001 asks you to do is to do your “thinking about it” in advance and be a bit more formal about all of this. Probably not a bad idea.

I will publish an article soon with some thoughts on how to approach this.

Annex A

There is a completely new Annex A.

The changes to Annex A look significant but if your ISMS is operating OK and meeting its objectives now then in principle this new Annex A should not make any difference to the performance of your ISMS. In that sense it is unlikely to mean that you will be managing your information security risks any better because of this new Annex A.

There are two main possible approaches to transitioning to the new Annex A depending on your circumstances and how you want to do this.

The first approach is the easiest and quickest. Its key attribute is that you do not have to change your risk assessment or your risk treatment plan. For most organisations the only change is to the Statement of Applicability (SOA) plus some evidence of doing the comparison with the new Annex A. However, you will need to be brave. This article describes the principles of this approach. https://www.dhirubhai.net/pulse/how-quickly-transition-annex-version-iso270012022-chris-hall/

The main alternative approach is to make all the changes necessary to your ISMS to take out all the references to the old Annex A. This is a lot of work and is not recommended. However, this article outlines a possible approach to this: https://www.dhirubhai.net/pulse/slow-approach-transitioning-new-annex-iso270012022-chris-hall/

Note that the ISO committees do not recommend transition approaches as such but they have issued a document that has been sent to the accreditation and certification bodies that covers transition to the new version of ISO27001. This document includes the statement “the impact of ISO/IEC 27001:2022 on the related entities affected need not be significant.” (Their highlighting – not mine).

6.3 Planning of changes

There is a new requirement:

“When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”

You are probably doing this already as this is a reasonable thing to do and it was also partly covered in requirement 8.1, i.e. that you do a bit of thinking and planning when you make changes to anything to do with your ISMS, i.e. how the clauses or controls work. It isn't reasonable to expect that this would cover all changes to the ISMS, for example fixing a typo in a document. What you should do though is think about and "plan" changes that might have some sort of reasonable effect on the ISMS and how it operates, including the controls. You will probably need to keep some evidence of doing this. This might, for example, be proposals, emails, minutes of meetings, project plans, etc. showing that changes were planned and did not “just happen”.

6.2 Information security objectives and planning to achieve them

There is an additional requirement to explain how the information security objectives will be monitored. This is reasonable enough and you will need to update the documentation you have on your objectives to make it clear how you are going to “monitor” them.

Clause 4.2 Understanding the needs and expectations of interested parties

The change here is that as well as identifying the needs and expectations of interested parties you are also now required to identify which of these needs and expectations will be addressed by your ISMS.

It was always understood that just because an interested party has a need and expectation with respect to information security that did not mean that your ISMS had to deal with it but this new requirement asks you to be clear about which ones will be addressed. This ought to be easy enough to do.

9.3 Management Review

There is now an additional mandatory item for the management review:

“Changes in needs and expectations of interested parties that are relevant to the information security management system;”

Fair enough. You will need to ensure that you cover this at your management reviews.

5.3 Organisational roles, responsibilities and authorities

The only change is that the roles have to be communicated. It is reasonable to think that you were already doing this.

7.4 Communication

The requirement has been slightly reworded so that instead of saying “who shall communicate” it now says “how to communicate”. Also, the requirement “the processes by which communication shall be effected” has been removed.

You will need to give some consideration to this and update any documentation you have relating to communication to show “how”.

6.1.3 Information security risk treatment

Annex A is no longer described as a comprehensive set of controls. It is now described as a set of possible controls. This is a more realistic description of what Annex A is but you do not need to change anything in your ISMS because of this change in wording.

4.4 Information security management system

This now includes the phrase “including the processes needed and their interactions”.

My view of this is that in order to implement the ISMS you must have already implemented the necessary processes and their interactions or your ISMS would not work and you would have already have had nonconformities raised. Note that this does not say that all the processes need to be documented.

I don't see how this will make any difference to your ISMS.

8.1 Operational planning and control – external processes

Instead of talking about the need to determine and control outsourced processes, this is now about ensuring that “externally provided processes, products or services that are relevant to the information security management system are controlled.” In theory this now includes external products and external services and not just external processes, but I have not been able to think of an example of where this would make a difference to an ISMS. Perhaps I am missing something here but I can’t see how this would require any changes to your ISMS.

9.1 b) Monitoring, measurement, analysis and evaluation

The phrase “methods selected should produce comparable and reproducible results” is now not a note. In theory this now not being a note makes it mandatory but I can’t see how this would make any difference to the ISMS.

What you need to do

My summary of what I think you need to do is:

4.2 Understanding the needs and expectations of interested parties. This needs to be changed to show which ones are being met by the ISMS.

5.3 Organisational roles, responsibilities and authorities. This needs to ensure that they are communicated around the organisation.

Annex A changes. There may be changes depending on how you use Annex A.

6.1.3 Comparison of the controls in the risk assessment with new Annex A. Plus any updates to the risk assessment.

6.2 Information security objectives and planning to achieve them. This needs to show how they will be monitored.

6.3 Planning of changes. There needs to be some evidence of planning of changes to the ISMS.

7.4 Communication. This needs to show "how" to communicate.

8.1 Operational planning and control. Criteria for the processes need to be established and there needs to be something to show that the processes are being controlled in accordance with the criteria.

9.3 Management Review. An agenda item about “changes in the needs and expectations for interested parties” needs to be added to the standard agenda and this must then be done.

Summary

The above is an overview of what I consider are the changes worth noting in this new version of ISO27001. This may or may not be a big change for you depending on a number of factors.

Chris

www.btrp.co.uk

Paul Cervenak

Method Development Specialist at Stadtwerke Leipzig | Passionate About Agile Transformation and Social Impact Solutions

2 years

With regard to...8.1 Operational planning and control – external processes, can you please help? I understand that the word operation is in reference to the operations related to the ISMS which include each process included in the ISMS. This also includes the ongoing risk management, the update of the policy activities, the ISMS reporting, the activities of each information security manager on a daily basis and so on OR? For some reason people interpret OPERATIONS as the activities that IT have to do or the technical activities that intersect with IT activities but this is not necessarily a true interpretation of ISMS operations or?

Irfaan Ahmed

Digital Tutor | Computer Science Teacher | Information Security Specialist

2 years

Great post and useful information. Change is never easy, but the changes made were needed.

Dolf van der Haven

Governance, Risk and Compliance | Information Security, Service Management, Quality Management | Chicken farmer

2 years

Thanks for the overview. It looks like they implemented the new Harmonized Approach (HA, Annex SL) text in this update along with the new Annex A list of controls, hence the changes in the body text.

Paul Sammut

Cyber Security Leader | Security & Governance | Risk & Compliance | Board Advisor | Mentor

2 years

Great post Chris, thanks for sharing.
