Apart from a completely new Annex A, other ISMS requirement changes are subtle

What’s new in ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the third edition of the ISMS standard. The principal changes are:

  • alignment of Annex A with the controls in ISO/IEC 27002:2022
  • alignment with the revised Harmonised Structure (HS) for management system standards.
You are encouraged to start planning your transition now if you already have an ISMS, or to start using the new standard if you do not. Whilst there is very little change to the information security requirements, risk assessment and the Statement of Applicability (SOA) remain one of the most challenging and perplexing aspects of ISO/IEC 27001. They can nevertheless be mastered, as can measuring performance, optimising, showcasing and exploiting your ISMS.

The devil is in the detail

Annex A

In alignment with the controls in ISO/IEC 27002:2022, the revised Annex A now contains 93 information security controls, presented in four groups: organizational controls, people controls, physical controls and technological controls; a categorisation referred to as themes. The previous edition contained 114 controls grouped under 14 headings, such as “Information security policies” and “Physical and environmental security”. None of these controls have been lost. They have either been carried over to the new edition, in some cases with modification, or merged with other controls. There are also 11 new controls, resulting in a reduced total of 93 controls.

Notwithstanding that 56 controls are carried over from Edition 2, there are subtle differences in the wording of the control text. This means that these controls are not identical to the previous edition. For example, whilst the new 5.1 is formed from merging the old A.5.1.1 and A.5.1.2, the new control text contains the phrase “and acknowledged”, which is entirely new.

The Annex A controls now refer to personnel, rather than employees, in recognition of the fact that an organisation need not be a legal entity, in which case the members of the organisation are not employees.

The notes in ISO/IEC 27001, Clause 6.1.3 c) that refer to Annex A have been modified to accord with the revised content and to stress that the Annex A controls are not requirements.

Harmonised structure (HS)

All management system standards must conform to the ISO directives. One of these, known as Annex SL, presents the structure and requirements that are common to all management system standards. It was revised in 2020. Thus, the revised ISO/IEC 27001 conforms to the new structure, whereas other standards, such as ISO 9001 and ISO 14001, which were published some years ago, conform to the old structure. This explains some of the differences between these standards.

The principal changes are:

  • References to the ISO and IEC online terminology databases have been added to Clause 2, albeit that readers are still referred to ISO/IEC 27000 as the source for all terms and definitions.
  • A new requirement has been added to Clause 4.2 (Understanding the needs and expectations of interested parties) which requires organisations to determine which interested party requirements will be addressed through the ISMS.
  • Clause 4.4 (Information security management system) now includes the phrase “including the processes needed and their interaction”.
  • A note explaining the meaning of the term “business” has been added to Clause 5.1, although the term is still omitted in the reference to “processes” in Clause 5.1 b) (the HS says “…integrated into…business processes”).
  • Clause 5.3 now includes the phrase “within the organisation”. The phrase refers to the roles, not the extent of the communications.
  • Clause 6.2 now includes a requirement to monitor the [fulfilment] of security objectives, thereby providing a link between the requirement 6.2 b) (“…be measurable (if practicable)”) and Clause 9.1 (Measurement, monitoring, analysis and evaluation).
  • Clause 6.3 (Planning of changes) is new. It requires organisations to carry out changes to the ISMS in a planned manner.
  • The Edition 2 requirements in Clause 7.4 (Communication) to determine “who shall communicate”, and “the communication process” have been replaced by “how to communicate”.
  • The scope of Clause 8.1 (Operational planning and control) now refers to the whole of Clause 6, rather than just 6.1, thus obviating the need for the Edition 2 requirement “The organization…objectives determined in 6.2”, which has been removed.
  • Also in Clause 8.1, the HS requirements for process criteria have been restored. They were not included in Edition 2 as at the time they were considered unnecessary. It is now recognised that the ISO/IEC 27001 requirements for “… at planned intervals” provide built-in examples of process criteria and the control of those processes against those criteria. Moreover, organisations will have their own examples, e.g., concerning the on-boarding and off-boarding of personnel.
  • The requirement in Clause 8.1 concerning the control of outsourced processes has been replaced with the more general requirement for the control of externally provided processes, products and services.
  • The paragraph “The organization shall evaluate …” has been restored to its original position in the HS, which is at the end of Clause 9.1. In Edition 2, it was positioned at the head of the clause.
  • Moreover, the note that was in Clause 9.1 b) (“The methods selected should … to be considered valid”) has been merged into the Clause 9.1 b) text.
  • In Clause 9.2 (Internal audit) there are some wording changes and subheadings have been introduced.
  • In Clause 9.3 (Management review), subheadings have been introduced and there is a new requirement to consider changes in the needs and expectations of interested parties.
  • The order of Clauses 10.1 and 10.2 has been reversed, to focus more attention on the objective of improvement.
  • The references in the bibliography have been updated.

Want to know more?

The book explains:

  • the meaning of all the terms used in the standard
  • what is an ISMS, its purpose and benefits, the structure of the standard, relationship with other standards and certification
  • the core management system requirements (i.e., those that come from the HS and are therefore common to other management system standards)
  • the information security specific requirements (risk assessment, risk treatment, the Statement of Applicability…)

and gives:

  • implementation advice (including strategies, preparation and project planning, risk assessment methodologies, determining controls in practice…).

