Information security is becoming increasingly important in today's digital age, and the International Standards Organization (ISO) has published the latest update to the internationally recognized information security standard, ISO 27001:2022, on October 25, 2022. This article will provide an overview of the main changes in the mandatory clauses, Annex A, and how to transition to this new ISO 27001:2022 update.

Mandatory Clauses:

The changes to the mandatory clauses are not significant, but there are a few noteworthy changes:

• Clause 4.4 Information security management system: This new clause requires the identification of processes and their interactions, similar to ISO 9001.
• Several clauses and notes make it clear that the Annex A controls are not exhaustive and should be used as a baseline. Organizations should identify any necessary additional controls, risks, etc. based on their own environment.
• Clause 6.2 Information Security objectives: Objectives must now be documented and available for all stakeholders.
• Clause 6.3 Planning of changes: All changes must now be documented and planned.
• Clause 8.1 Operational planning and control: Organizations must define criteria for operational processes.
• Clause 9 Performance evaluation: Methods to evaluate and monitor controls must produce comparable results to assess trends.
• Clause 9.2 Internal audits: Internal assessments must now cover all organizations' requirements, not just ISO 27001.

Annex A:

The biggest change in ISO 27001:2022 is the restructuring and revision of Annex A. The number of controls has been reduced from 114 to 93, and they are now divided into four sections instead of the previous 14. This change aims to make the standard more concise and easier to implement. The new sections and controls are:

• Section 5: Organizational (37 controls)
• Section 6: People (8 controls)
• Section 7: Physical (14 controls)
• Section 8: Technology (34 controls)

How Will The Update Affect Your Organization?

If you are implementing ISO 27001:

You don't need to panic, as certification entities will likely offer certification to ISO 27001:2022 just six months after its publication. Additionally, ISO 27001:2013 will still be valid for another three years, so all your work towards implementing ISO 27001:2013 will still be useful. However, you may want to use the new Annex A controls from ISO 27001:2022 as an alternative control set, depending on your progress with ISO 27001:2013 implementation.

If you are already certified to ISO 27001:2013:

You will have time to fully migrate to the new requirements, and the best time to do so is before your next internal audit. Allocating internal audit activities three months before the external assessment will allow you to identify and fix any potential nonconformities before the external assessor arrives.