About the new ISO 27001 2022 standard
ISO 27001 2022 is the internationally recognised standard for information security management systems (ISMS), providing a framework for organisations to protect their data and information assets from cyber threats. This new update to the standard builds on the solid foundation established by its predecessor, ISO 27001 2013, but adds some key enhancements that reflect the evolving nature of cybersecurity risks.
The benefits of ISO 27001 2022
- Minimise security threats to your organisation
- Avoid regulatory fines (e.g. GDPR breaches) through compliance
- Improve organisational structure and focus
- Increased customer confidence
- Continual improvement
- Competitive advantage
The benefits of ISO 27001 2022 can help your company to better safeguard its information assets and demonstrate its commitment to information security, while also leading to increased customer confidence and competitive advantages.
What is the latest version of ISO 27001? Here are the key changes
The main changes of ISO 27001 2022 are outlined below. The part of the standard which has experienced the most revision is Annex A, which is aligned with the ISO/IEC 27001 updates published earlier this year. Clauses 4 to 10 have also undergone several minor changes, especially clauses 4.2, 6.2, 6.3, and 8.1, where new content has been added. Other updates include minor changes in terminology and the restructuring of sentences and clauses. The titles and order of these clauses do, however, remain the same:
- Clause 4 Context of the organization
- Clause 5 Leadership
- Clause 6 Planning
- Clause 7 Support
- Clause 8 Operation
- Clause 9 Performance evaluation
- Clause 10 Improvement
An increased emphasis on risk management
One of the most significant changes in the ISO 27001 2022 standard is the increased emphasis on risk management. This new version places a greater focus on risk-based thinking, which means that organisations will need to take a more proactive approach to identifying, assessing, and managing their information security risks. This approach is designed to help businesses stay ahead of the constantly evolving cybersecurity landscape, by ensuring that they are continually monitoring and updating their security controls to reflect the latest threats.
To support this focus on risk management, the ISO 27001 2022 standard has introduced some new requirements that organisations will need to meet. These include a more detailed risk management process, which covers risk identification, risk analysis, risk evaluation, and risk treatment. The standard also includes new requirements for monitoring and reviewing the effectiveness of the risk management process, as well as for reporting on key risk management metrics to senior management.
Expanded scope of the standard
While the previous version of the standard focused mainly on the security of information systems, the new version takes a more holistic approach. Companies will now need to consider the security of their people, processes, and physical assets, as well as their information systems.
Organisations will also need to develop and implement controls to address these risks and to monitor and review the effectiveness of these controls.
Increased focus on communication and collaboration
The standard now requires communication and collaboration with stakeholders on all matters relating to information security. This includes regular engagement with senior management, as well as with customers, suppliers, and other external parties.
Furthermore, the ISO 27001 2022 standard includes new requirements for businesses to establish and maintain effective communication channels with their stakeholders. This includes regular reporting on the organisation’s information security performance, as well as engagement with stakeholders on matters such as security incident responses and the sharing of threat intelligence.
The certification process
Finally, the new version includes some important changes to the certification process. It requires certification bodies to take a more rigorous approach to assessing organisations’ compliance with the standard. This includes a more detailed review of risk management processes, as well as more comprehensive testing of security controls.
ISO 27001 2022 also introduces a new approach to certification, which is designed to better reflect the rapid changes in relation to cybersecurity risks. This approach is based on the concept of continuous improvement, which means that companies will need to demonstrate that they are continually reviewing and updating their security controls to reflect the latest threats.
Will the changes affect my current certificate?
The changes made will not impact your current ISO 27001 certificate. ISO 27001 2013 will remain in effect until October 31, 2025. During this time, you will have the opportunity to understand the changes, implement them, and get certified. Once you have achieved your ISO 27001 certification, it is valid for three years. However, the information security management system (ISMS) should be managed and maintained throughout that duration.
How can I get support with the new changes?
Looking to keep up with the latest standards and ensure your business is ahead of the game? Look no further than our team of friendly experts here at Candy Management Consultants. Our consultants can help you streamline your operations and achieve UKAS accreditation, whether you’re based in the UK or operating on a global scale. We are proud to have a 100% customer satisfaction rate to date.
With our up-to-date training on the ISO 27001 2022 standard, you can rest easy knowing that we’re equipped to deliver the highest level of service to our clients. Our team brings over 55 years of collective experience in a variety of industries, and we’ve made a name for ourselves by helping businesses outshine their competition since our inception in 2017.
So, if you’re seeking support navigating the changes to the ISO 27001 standard, contact us today. Our friendly team members are always ready to answer any questions you may have.
Get a free quote
Alternatively, simply complete our form below and a member of our team will be in touch soon.