Understanding the ISO 27001: 2022 Updates and Changes
With the constant rise of cyber threats, businesses must ensure they have the necessary measures in place to safeguard against attacks. One of the most common measures is achieving the ISO 27001 certification, which outlines the requirements for implementing an effective information security management system. Recently, the ISO/IEC 27001 standard underwent several changes essential for business consideration. We will dive deeper into the ISO 27001: 2022 updates and changes and their significance for businesses.
Changes to the ISO 27001: 2022 Requirements Document
Unfortunately, the trade press to date has not indicated changes to the requirements document. Actually, nearly every major subclause has relevant changes. While they aren’t significant, being unaware or ignoring them before an upgrade audit from a Certification Body will likely yield undesirable outcomes. I will provide five (5) examples here, but there are many more:
· Clause 6.2 – ISMS Objectives must be “monitored”
· Clause 6.3 – Planning of Changes
· Clause 7.4 Communication – adds a subclause on how
· Clause 8 – requires “control of externally provided processes, products or services relevant to the ISMS”
· Clause 9.1 – now requires evaluation of “security performance” and the effectiveness of the ISMS
We can make a strong argument that the standard already covers these points. However, that discussion is more about it being required or a best practice.
Enhanced Emphasis on Supply Chain Security
The supply chain is on most firms’ risk register. This refers to the words the standards writers have chosen to pinpoint what part of the supply chain has been refined. We now use the word Information & Communication Technology (ICT) supply chain. These refined terms refer to cloud service providers, managed service providers, data center infrastructure, servers, routers, gateways, firewalls, wireless access points (WAP’s) and any software vendors use to manage the ISMS. This would also include vulnerability scanners, outsourced pentesters, asset management tools, password management tools, information transfer technologies and a wide range of other software tools. To address this concern, the updated standard emphasizes supply chain security. Businesses must conduct risk assessments of suppliers and take the necessary measures to secure their supply chain.
Greater Emphasis on Data Privacy
The updated standard also places great emphasis on privacy concerns. With regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) in place, it’s important that businesses stay updated on the latest requirements. The standard includes new guidelines for collecting and processing personal data, promoting transparency, and protecting privacy rights.
We cannot emphasize this enough. When looking at the history of the standards, it all makes sense. The last version of ISO 27001 was published in 2013; soon thereafter, GDPR was published in 2015. Compliance was expected en masse, however, there were no requirements documents to enable this. This is how ISO 27701 came to be. It was ISO 27001 with additional, auditable requirements that cover GDPR. Thousands of global firms are now certified to ISO 27701 and must follow extensive data privacy requirements. It is not at all surprising that in the new Annex A, many controls have evolved from ISO 27701 and GDPR, such as Data Masking.
Mandatory Documentation Requirements
The new documentation requirements are other things to understand about the ISO 27001: 2022 updates and changes. Documentation is a crucial component of an effective information security management system. The updated standard requires businesses to document the justification for excluding controls and the process followed in documenting the decision.
This is the nexus of the required ISMS Scope statement and the Statement of Applicability (SoA). The new Annex introduces the term “topic specific policy.” There are no rigid expectations for how many topic-specific policies are needed. However, one could easily anticipate about 10. It’s possible to write 93 separate controls to address the 93 controls in Annex A, but that can become a challenge in sustainment of the ISMS. We suggest a topic specific policy on Access Management, and all the controls that relate are addressed in this one control, much like a chapter book. Other topic-specific policies include Asset Management, Legal & Compliance, and Physical Security.
Continual Improvement of Controls
The updated standard emphasizes the need for continual improvement. Businesses must regularly review and improve their information security management system to ensure it is up to date and effective. This approach is essential as technology progresses and new cybersecurity risks arise.
Cybersecurity threats and available technologies are changing every year, so it’s crucial to stay informed. By partnering with experts at Precision Execution, businesses can achieve cybersecurity objectives and successfully meet compliance requirements. We offer the Exemplar Global certified portfolio with modular and self-paced courses. You can take Day 1 of the 2022 ISO 27001 internal auditor course and learn about the requirements in detail.
You can take the ISO 27002: 2022 Self Paced course and learn about all 93 controls and how to implement them. We refer to that course as “Day 2” if you are taking the V/ILT. Day 3 teaches students how to Plan and Execute an audit, which is usually adequate to become and ISO 27001: 2022 Internal Auditor. Day 4, is a Team Leader course and teaches you how to take charge of an ISO 27001: 2022 audit. You can take the course all in one week.
At the end, you will be qualified to plan and conduct ISMS audits. If you seek the ISO 27001: 2022 Lead Auditor credential, this course can help you earn this very valuable market credential very quickly. If you need “upgrade training,” the Day 2 Course, which is self-paced, is available for you to take whenever you have the time!