Full details are in “An introduction to ISO/IEC 27001:2022” by David Brewer
ISO/IEC 27001 and other management system standards
This is the first of a series of pages covering:
All new and revised management system standards conform to the ISO Directives concerning high level structure and identical core text. The idea is that requirements that ought to be the same for all management system standards (e.g. corrective action) ought to be identically worded – and now they are. Requirements that are peculiar to a particular discipline (e.g. quality) are incorporated in what is known as “discipline-specific text”. Full details are in David Brewer’s book: “Understanding the new ISO management system standards”. The third edition of ISO/IEC 27001 was published in October 2022.
The following figure shows the high level structure (blue text) together with the discipline-specific requirement headings for ISO/IEC 27001:2022.
A detailed explanation of ISO/IEC 27001:2022 is given in David Brewer’s book “An introduction to ISO/IEC 27001:2022”, 4th Edition.
ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS). In summary:
ISO/IEC 27001:2022 is the third edition of the ISMS standard. The first edition was published in 2005, and the second in 2013.
Changes from the second edition
The most important change is that the content of Annex A has been aligned with the controls in ISO/IEC 27002:2022. However, there are other changes which result from the revised Harmonised Structure.
The Harmonised Structure is part of the ISO Directives that dictate the structure and requirements that are common to all management system standards. It was revised in 2020 to add clarity. However, these changes should not affect existing ISMS that have been properly implemented.
Clause 4.2 has a new bullet point. The clause deals with understanding the needs and expectations of interested parties. The clause already required organisations to determine the interested parties that are relevant to the ISMS and their requirements. The new bullet point requires organisations to determine which of these requirements will be addressed through the ISMS.
An interested party can be a person or entity that can affect an organisation. Thus, as pointed out in ISO/IEC 27005:2022, a hacker is an interested party. Their requirements are for weak security. Notwithstanding that such requirements would be rejected by the organisation and will not become organisational requirements, they will still be addressed through the ISMS — addressed by the information security controls necessary to protect the organisation from such nefarious activities. Organisations should already be doing this.
If a client has a requirement for a service that the organisation chooses not to provide, then provided that requirement does not become a contractual requirement, it is not relevant to the ISMS (since it does not affect the outcome of the ISMS). In this case, the requirement is not addressed by the ISMS, but then it never would have been.
Thus, the new bullet should have no effect on a properly implemented ISMS.
Other changes will be discussed in a BSI publication which is expected soon. A link will be provided when it is.
The three-year transition period has now started – 6 months for accreditation bodies to complete their preparations, 6 months for certification bodies to become accredited for the new standard and then two years for certified organisations to transition to the new standard. However, it is strongly recommended that organisations do not wait — “Since use of the revised Annex A can discover exposure to unacceptable information security risk, early adoption of ISO/IEC 27001:2022 should be encouraged”.
Further advice on the changes and how to transition your ISMS is given in David Brewer’s new book “An introduction to ISO/IEC 27001:2022”, which is available on Amazon.
Guidance, written by Dr Brewer, is also given on the BSI website, but for a price — £75. His book is cheaper.
There is also a free guide, written by Dr Brewer, to the ISO/IEC 27000 series of standards (numbers 1 to 7) on the BSI website and also to ISO/IEC 27005:2022.
© IMS-Smart Limited, 2013-23
Page last updated: June 8, 2023